AVG stands for Algemene Verordening Gegevensbescherming (General Data Protection Regulation) and applies directly from 25 May 2018. You may also have heard of it under the abbreviation GDPR, which comes from the English title General Data Protection Regulation. Either way: it replaces our Personal Data Protection Act (Wet bescherming persoonsgegevens). Yes, there will probably be a new Dutch law based on the AVG, but that will take some time. Until then, what should you do to avoid fines?
Let's face it, the AVG is not new
Look, let's not pretend that the GDPR suddenly sets a lot of new requirements. We already had to treat the privacy of our customers and other individuals with care. Not everyone was aware of that, though. Because the GDPR is in the news now, many websites write about it, and with so much to read, many people panic. That is absolutely unnecessary! Below I walk you through the adjustments that are actually necessary.
Update your privacy statement
In all cases it was, is and will be important that you clearly inform people about what you do with their personal data. That was already required. The privacy statement just needs to be much more extensive. Depending on how your company is set up, what data you collect and what you do with it, you must inform people about at least 11 things, and perhaps more. For example: which data you collect, for what purpose, how long you keep it (indefinitely is not an option here), who the recipients of the personal data are (such as the hosting party that stores the data on servers for you), that people can object to the processing, that people have the right to inspect and correct their data, and that they can complain to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Read more about all 11 obligations in the blog post 'You need a new privacy statement before May 25, 2018'.
Data portability. The GDPR gives individuals the right to data portability: the right to request their data from one company so that they can easily hand it over to another company. This must be done in a neutral format that every company can work with, which in practice quickly comes down to something like an Excel file or a comma-separated (CSV) file. Your customer must therefore be able to easily request his or her data from you and pass it on to another company. Will that happen often? Not yet, and certainly not at webshops where it is really only about address details. For companies that collect much more, and more varied, data, which would be annoying for people to have to enter again and again, this right will matter much more. In short: good to know that this right exists, and above all check how easily you can extract a customer's data from your database in a technically neutral format to hand to that customer, and take measures if necessary to make this possible.
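As an added illustration of the export the paragraph above asks for (this is example code, not from the original post or from Charlotte's Law), the following Python sketch builds a portability export for a single customer from a constructed in-memory customer and order table. The table, field names and values are all assumptions; the point it demonstrates is that a portability export should be driven by an allow-list of the data subject's own fields, filtered to exactly one subject, and produced in neutral formats (CSV and JSON) rather than by dumping whole database rows, which would otherwise carry internal working data or other customers' records along with it.

```python
import csv
import io
import json

# Constructed sample: a tiny customer table as a webshop might hold it.
# fraud_score and internal_notes are the company's own working data,
# not data the customer supplied, so they stay out of the export.
CUSTOMERS = [
    {"customer_id": 1001, "name": "A. Jansen", "email": "a.jansen@example.org",
     "street": "Dorpsstraat 1", "postcode": "1234 AB", "city": "Amsterdam",
     "fraud_score": 0.02, "internal_notes": "late payer"},
    {"customer_id": 1002, "name": "B. de Vries", "email": "b.devries@example.org",
     "street": "Kerklaan 7", "postcode": "5678 CD", "city": "Utrecht",
     "fraud_score": 0.10, "internal_notes": ""},
]

# Constructed order history, linked to customers by customer_id.
ORDERS = [
    {"order_id": 5001, "customer_id": 1001, "date": "2018-03-02", "total_eur": "49.95"},
    {"order_id": 5002, "customer_id": 1002, "date": "2018-03-05", "total_eur": "12.50"},
    {"order_id": 5003, "customer_id": 1001, "date": "2018-04-11", "total_eur": "7.99"},
]

# Allow-lists: only fields the data subject supplied or that concern them
# directly are exported. A column added to the table later is excluded
# by default until someone deliberately lists it here.
CUSTOMER_FIELDS = ("customer_id", "name", "email", "street", "postcode", "city")
ORDER_FIELDS = ("order_id", "date", "total_eur")


def collect_subject_data(customer_id, customers=CUSTOMERS, orders=ORDERS):
    """Return all exportable data about exactly one data subject, or None if unknown."""
    customer = next((c for c in customers if c["customer_id"] == customer_id), None)
    if customer is None:
        return None
    return {
        "customer": {k: customer[k] for k in CUSTOMER_FIELDS},
        "orders": [{k: o[k] for k in ORDER_FIELDS}
                   for o in orders if o["customer_id"] == customer_id],
    }


def export_json(customer_id):
    """Machine-readable JSON export, or None if the customer does not exist."""
    data = collect_subject_data(customer_id)
    if data is None:
        return None
    return json.dumps(data, indent=2, ensure_ascii=False)


def _rows_to_csv(rows, fieldnames):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def export_csv(customer_id):
    """CSV export as a mapping of file name to file content (one file per table)."""
    data = collect_subject_data(customer_id)
    if data is None:
        return None
    return {
        "customer.csv": _rows_to_csv([data["customer"]], CUSTOMER_FIELDS),
        "orders.csv": _rows_to_csv(data["orders"], ORDER_FIELDS),
    }


if __name__ == "__main__":
    print(export_json(1001))
    for name, content in export_csv(1001).items():
        print(f"--- {name} ---\n{content}")
```

In a real webshop the two tables would be database queries filtered on the authenticated customer's id; the allow-list approach carries over unchanged, and it is the part worth reviewing whenever a new column is added to a table that feeds the export.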
You store data on a server. You hire a company for that: the hoster. If you work with a fulfilment company, they need the customer data to be able to ship products. There are more such companies to which you must provide your customers' data in order to deliver your services and products. That is allowed. You just have to make sure that they handle the data as carefully as you do. That is why you conclude a so-called processing agreement (verwerkersovereenkomst) with them, which states, for example, how they will protect the data, what they may do with it, when they will delete it again, and how quickly they will inform you if there is a problem, a so-called data breach, as a result of which personal data (possibly) ends up on the street.
Always handle the data you receive with care. Collect it over a secure connection (provide an SSL certificate for your website so it runs over HTTPS), only work with parties that handle the data carefully, and make sure the servers where the data is stored are sufficiently secured. This also means arranging properly within your company who can and cannot access that data, that the files are sufficiently secured, and that not all employees, and certainly no outsiders, can simply access the data.
Incidentally, you must at all times be able to show the Dutch Data Protection Authority how you have arranged the security of the data. This is the so-called accountability obligation.
What do you NOT need?
No register of processing activities needed!
If you employ fewer than 250 people and do not process sensitive personal data, you do not have to keep a register or log of how the security of the personal data is arranged and who could access that data at what time. That saves a lot of work!
The condition is that you do not build customer profiles from the collected data, do not process large amounts of personal data, and do not process personal data on a structural basis. So do not store your customers' data longer than necessary!
No FG/DPO needed!
If you only run a webshop, do not collect any special categories of personal data and do not systematically monitor people, then you do not need a Data Protection Officer (in Dutch: Functionaris voor de Gegevensbescherming, FG).
It all sounds like a lot and very strict, but what it comes down to is that you must properly secure the personal data you receive, be transparent about it towards the people from whom you collect the data, and therefore also properly record what you collect and have a plan for it.
Read the blog post 'No GDPR/AVG law stress' here.
Read the blog post 'Free AVG checklist (pdf) - get your webshop AVG ready' here.
Many thanks to Charlotte Meindersma of Charlotte's Law for this super informative guest blog. Would you like to know more about your rights and obligations as a webshop owner? Go to www.charlotteslaw.nl
Image source: Muhammad Zaqy Al Fattah on Unsplash