13 times well prepared for the new AVG

The General Data Protection Regulation (AVG) applies as of May 25, 2018 and brings changes compared to the current legislation (Personal Data Protection Act). For example, the AVG puts more emphasis on the rights of data subjects and the (much more far-reaching) obligations of the person processing personal data. How can you prepare your organization for the AVG now? Below you will find a checklist for that purpose, which you can go through step by step.

Date: January 03, 2018

Modified April 10, 2024

Written by: Annemarie van Woudenberg

Reading time: +/- 2 minutes



1. Knowledge about the AVG

Make sure the right people within your company or organization are aware of the new regulations. They should assess the implications and identify which departments/work practices may be in violation of the AVG.

2. Documentation requirement

Under the AVG, a company or organization must prove that it is in compliance with the AVG. So carefully map out what personal data you keep within your company or organization, where it comes from and with whom you have shared it.

You would do well to record all processing within your company or organization. This record can cover the entire company or only certain departments, if the processing of personal data is limited to them.

3. Inform

When your company or organization processes personal data, you must provide the data subject(s) with certain information, such as the identity and contact information of your company or organization, the purposes for which the personal data are intended, and how the data are processed.

From now on, you will also have to disclose the legal basis for the data processing, how long the data is kept and whether the data is exchanged with organizations outside the European Union. The AVG requires this information to be provided to the data subject in concise, understandable and clear language.

4. Rights of the data subject

Among other things, the AVG provides the following rights for the data subject:

So you should check whether the current procedures in your company or organization safeguard the data subject's rights, including how personal data can be deleted or how the data are processed electronically.

5. Legal basis for processing personal data

Document the various data processing operations your company or organization performs and determine if there is a basis for them. Many companies and organizations may not have a basis (established) for the data processing they perform. Without a basis, personal data may not be processed.

6. Consent

Check how your company or organization seeks, obtains and records consent. Consent must be free, specific, informed and unambiguous. Thus, consent cannot be inferred from silence, a pre-checked box, or inaction by the data subject. As a company or organization, you must be able to prove that consent was given. The data subject must be able to withdraw a given consent as easily as giving it.

7. Children

The AVG provides special protection to children's personal data, especially in the context of commercial Internet services such as social networks. So if your company or organization collects data from children - anyone under the age of 16 - a parent or guardian must consent to the processing of that personal data.

8. Data breach

A data breach refers to a security breach that accidentally or unlawfully results in, for example, the loss of, or unauthorized access to, personal data. You must document all data breaches and report them to the Personal Data Authority and to any data subject(s). With this documentation, the Personal Data Authority can subsequently verify whether you have complied with the reporting obligation.

9. Data protection impact assessment

This allows you to identify in advance the risks of processing personal data in order to reduce those risks. A Data Protection Impact Assessment is only necessary if the processing of personal data by your company or organization may involve a high risk. You can also discuss this with the Personal Data Authority.

10. Privacy by design and default

When designing services and products, you must ensure that personal data are protected (privacy by design). In addition, you should take measures to ensure that your company or organization only processes personal data that is necessary to achieve a particular purpose (privacy by default).

11. Data Protection Officer

If necessary, appoint a data protection officer to oversee compliance with the AVG. This is mandatory, for example, for government organizations, and for companies or organizations whose processing requires regular and systematic observation of data subjects on a large scale.

12. International

If your company or organization operates internationally, you must determine which supervisory authority you are subject to. This is usually the authority of the country where the company or organization has its headquarters, or where decisions regarding data processing are made.

13. Contracts with third parties

If you outsource your data processing to a third party, you must make arrangements with that third party that are recorded in a processor agreement. These agreements must comply with the AVG. If you already have an agreement, but it does not comply with the AVG, then you must adapt it to the requirements in the AVG.


Stay Focused

As attorneys for business owners, we understand the importance of staying ahead. Together with us, you will have all the opportunities and risks in sight. Feel free to contact us and get personalized information about our services.