Prepare for the new European General Data Protection Regulation 2018
When an organisation such as ScreenCheck processes personal data in its solutions, services or products, it is subject to privacy rules. Complying with these rules matters both for you as a company and for the people whose data is being processed. The General Data Protection Regulation (GDPR) applies from 25 May 2018 and brings new privacy rules with more obligations. Because ScreenCheck itself is making the necessary preparations, we also want to inform you through this article. The Personal Data Authority and the European Commission website are good sources of information if you want to go deeper into the GDPR.
Is your organization aware of the new privacy rules?
The new rules of the General Data Protection Regulation (GDPR) will demand more of you as a company. Keep in mind that informing your organisation, assessing your processes and implementing the GDPR takes time from you and your employees. Also be aware that the Personal Data Authority may impose fines of up to 20 million euros or 4% of your total worldwide annual turnover, whichever is higher, if your processes, services and products do not comply with the new data protection rules.
More and improved privacy rights
Cardholders whose personal data you process gain stronger privacy rights, and they must be able to exercise those rights. This applies to existing rights, such as the right of access and the right to rectification and erasure. The right to data portability is one of the new rights: cardholders must be able to receive their data in a structured, commonly used and machine-readable format and pass it on to another organisation without difficulty. Correct handling of data is important because cardholders can lodge complaints with the Personal Data Authority about the way you handle their personal data.
Show that you handle the cardholder's personal data correctly by giving insight into all the processes involved. Document which personal data you process, why you process it, where it comes from and with whom you share it. The GDPR imposes a documentation obligation: you must be able to demonstrate that your organisation complies with the GDPR. You also need this documentation when individuals exercise their privacy rights. When a cardholder requests rectification or erasure, you must pass the change on to every organisation with which the data has been shared.
You may also be required to assess privacy risks in a privacy impact assessment (PIA), which the GDPR calls a data protection impact assessment (DPIA). A DPIA is mandatory when the processing is likely to result in a high privacy risk for the people involved. You can already identify processing with a high privacy risk, carry out a DPIA and work out the measures needed to reduce that risk.
Notification of data leaks
The mandatory notification of data leaks places stringent requirements on the internal registration of leaks that occur in your organisation. Document every data leak, including those you decide not to report, because the Personal Data Authority uses this documentation to check whether you are complying with the notification obligation. A leak that poses a risk to the people involved must be reported to the Personal Data Authority without undue delay and, where feasible, within 72 hours. Apart from this, the reporting obligation under the GDPR remains largely the same as the existing notification obligation.
Consent for data processing is also subject to strict requirements. Where you rely on consent to process personal data, you must be able to demonstrate that the persons concerned gave valid consent. Withdrawing consent must also be as easy as giving it. So look carefully at the way you request, obtain and record consent.