19 Apr
10 Steps to get ready for the new AVG (privacy law)
The General Data Protection Regulation (GDPR, in Dutch: AVG) is an EU regulation on the protection of data and privacy for individuals within the European Union. Since the new GDPR (AVG) takes effect on 25 May 2018, organizations will have more obligations. Industries that handle the personal data of their clients will be affected most. For example, e-commerce companies need to be careful when making use of customers' personal preferences. For recruitment companies and shipment companies, it is important to safeguard clients' personal information, such as addresses and phone numbers. Be aware that the Dutch Data Protection Authority (AP) can fine your organization up to 20 million euros or 4% of annual turnover if you do not comply with the new AVG. To help companies get ready in time for the new AVG, the step-by-step plan provided by the AP for implementing the privacy rules is explained below:
Step 1. Awareness
Make sure that the relevant people in your organization, such as policy makers, are familiar with the new rules and adjustments. Please note that the implementation can require considerable manpower and resources.
Step 2. Rights of data subjects
Data subjects (the individuals whom the personal data is about) will have more privacy rights. You must ensure that people can properly exercise their privacy rights, for instance their rights of access, correction and removal, as well as the right to data portability.
Step 3. Overview of processing
For the personal data you process, make sure you clearly document the purpose of use, the source of the data and with whom the data is shared. You must be able to show that your organization is acting in compliance with the AVG.
Step 4. Data Protection Impact Assessment (DPIA)
Under the AVG, you can be obliged to carry out a data protection impact assessment (DPIA), an instrument for mapping the privacy risks of a data processing activity in advance, and then to take measures to reduce those risks. When your intended data processing is likely to involve a high privacy risk, you must perform such a DPIA.
Step 5. Privacy by design & privacy by default
This means that you must make sure personal data is properly protected when designing products and services, and that you only collect the data that is necessary for the specific purpose of the processing.
Step 6. Data protection officer
Under the AVG, organizations may be required to appoint a data protection officer (in Dutch: FG). For example, according to the AP's plan, an organization with more than 250 employees is obliged to appoint a Data Protection Officer.
Step 7. Reporting duty data leaks
The AVG sets stricter requirements for the registration of data leaks that have occurred in your organization: all data leaks must be documented.
Step 8. Processor agreements
If you outsource your data processing to a third party, you need to assess whether the contracts with that party must be changed in order to comply with the requirements set by the AVG.
Step 9. Leading supervisor
If your organization has branches in several EU member states, you only need to deal with one privacy regulator under the AVG.
Step 10. Permission
Stricter requirements apply to your organization when asking for a person's consent to process their data. You need to have valid permission from people to process their personal data.
It is a great challenge to find the balance between the use of personal data and privacy protection in the digital age. Being well prepared for the new AVG is beneficial for your organization. For more information about the new AVG, please do not hesitate to contact us.