GDPR is an opportunity!

A concept such as GDPR is a hot topic for us at AlphaRainbow. From the beginning of January we set up a Data Protection Team within AlphaRainbow. We were given the task of being GDPR compliant before May 25. In addition to becoming compliant, we also want to start the ISO 27001 process and run an efficiency drive. Too ambitious? We believe this is possible and we are happy to take on that challenge. You can do this too! Really.

General Data Protection Regulation (GDPR)

The current law from 1995 (the Data Protection Directive) was drawn up when only 1% of the EU population used the internet. The average is now 75%; in the Netherlands it is even 94%. The current regulations do not address social media, tracking, cookies, profiling, etc., yet in 2018 this is necessary. In April 2016, the European Parliament approved the GDPR. In essence, the GDPR gives citizens the right to determine whether, when, how and to whom their data and information is provided, and for what purpose that data may be used. Organizations are obliged to adapt to this before May 25, 2018.

If, as a company or institution, you do not comply with the GDPR by 25 May, you risk high fines. So the task is to become GDPR compliant. And oh yes, take these regulations seriously! Not yet started with GDPR compliance? Then start while you still can. See the checklist at the bottom of this blog.

Companies and personal data

There are many companies that store personal data. Think of an e-mail address, first and last name, purchasing behavior, license plate number, browser data, preferences and an IP address. The question is whether this data is also stored securely. We work with personal data ourselves through our CCT tool. This mainly concerns name, e-mail address and name and address details. We are constantly looking for the best options (privacy by design/default) to use and store as little personal data as possible. We ourselves need personal data to send e-mail invitations and to link the results to the ‘data subjects’ so that our customers can feed back the results to their own customers. Sounds complicated, but it isn’t.

With effect from the GDPR, data subjects (the people whose data is processed: you and I) will have a number of new rights, such as the right of inspection, the right of rectification, the right of objection, the right of correction and a number of other rights. It’s up to us to respond to this.

A burden or an opportunity?

Yes, the GDPR demands a lot from your administrative skills. It will certainly take time, money and energy to become and remain GDPR compliant. But we see it primarily as an opportunity. It calls for innovation. We need to renew our services, which is at the same time an opportunity to improve and optimize them. We take a serious look at the entire organization and actively look for points to optimize. The most important thing is that we really invest time, money and energy in the GDPR compliance project.

Take action

Becoming GDPR compliant is a challenge. You must have in-house knowledge of privacy legislation, information security and risk management, which is a big challenge for many. This means that you must take action. Realize that this is not just an IT issue; it actually affects all departments, from legal to marketing. A lot is going to change, so make sure you are prepared. My recommendation would be that you read up on this topic before engaging an outside party. You can really do a lot yourself, and doing it before you engage an external party saves a lot of money.

Check list and tips

  • Familiarize important people within your organization with the GDPR;
  • Map out how personal data is processed and assess whether you need to create a processing register;
  • Check whether your organization is obliged to appoint a data protection officer;
  • Implement privacy by design and privacy by default;
  • Conclude processing agreements;
  • Draw up procedures and take technical measures to implement the rights of data subjects;
  • Define what a Privacy Impact Assessment (PIA) entails and map out when you need to perform one;
  • Map out where within your organization permission is requested for the processing of personal data and check whether this meets the requirements of the GDPR;
  • Draw up a data security policy and keep testing and improving this policy;
  • Draw up a protocol for reporting data breaches;
  • If necessary, read the GDPR legal texts yourself, so you know what to do;
  • Even a clean desk policy will contribute to GDPR compliance, and of course to the neat appearance of your department. Win-win!

Yes, it’s a lot to pick up on. Don’t be put off, go for it! Want more explanation about these points? Look here for the checklist. The website of the Dutch Data Protection Authority also provides a lot of clarity. Good luck!

Do you want to know whether you are GDPR proof or whether the progress of your GDPR preparations is comparable to other organizations? Then check out the free DDMA test.


Cynthia ter Wisscha

Project Manager