Privacy legislation and the General Data Protection Regulation (GDPR)
In May 2018 the new European privacy regulation comes into force: the General Data Protection Regulation. From that moment onwards, all organisations processing personal data are obliged to comply with the new privacy regulation.
Why the General Data Protection Regulation?
The European Privacy Directive of 1995 gave Member States room to develop their own privacy legislation. This resulted in differences between the legislation of the various countries. The General Data Protection Regulation was devised to harmonise this legislation across the Member States. The GDPR therefore replaces the Dutch Personal Data Protection Act (WBP).
To whom does the General Data Protection Regulation apply?
The new privacy regulation applies to all organisations processing personal data in the course of business. The GDPR also applies to companies that exchange personal data with one another where this involves automated processing of personal data. This includes the outsourcing of salary administration or the external hosting of websites or applications.
What changes with the new privacy legislation?
The GDPR introduces a number of new obligations. The following changes are particularly noteworthy:
- The compulsory execution of a Privacy Impact Assessment when personal data is processed in a way that entails large privacy risks;
- Privacy by Design, where companies already build privacy protection into the design phase of a product or service, and Privacy by Default, where the default setting is maximum privacy protection;
- A documentation requirement for personal data processing, replacing the notification requirement under the current WBP;
- The retention of the duty to notify data leaks, but with a lowered threshold for doing so.
How can you prepare for the GDPR?