Getting started with the new privacy laws!

From May 25, 2018, the General Data Protection Regulation (hereafter AVG) will apply throughout Europe. Among other things, this new law strengthens the rights of data subjects, such as customers and employees, and creates more obligations for organizations that process personal data.

Date: Aug. 27, 2018

Modified November 14, 2023

Written by: Annemarie van Woudenberg

Reading time: +/- 2 minutes

What is personal data?

Data counts as personal data when a particular person can be directly or indirectly identified from it. Almost every organization in the retail industry will therefore have to deal with this new legislation: think of recording the data of customers who buy a product in your store, such as a name and an e-mail address, or of storing employee data. As of May 25, 2018, the Personal Data Authority (hereinafter AP) will enforce the rules more strictly and can impose hefty fines if a company or organization fails to comply with its obligations under the AVG. Data subjects can also go to court and claim damages for the unlawful processing of their personal data. So it's high time to get started and see where you stand!

What can you do?

The new privacy laws impose firm conditions on the processing of personal data. One of those conditions is that there must always be a legal basis for the processing. It is therefore important to first map out what personal data you process within your organization and for what purpose. In your case this will probably include customer data (such as name and address details, e-mail addresses and payment details), the contact details of your suppliers, and employee data (such as name and address details, a copy of an ID, bank account numbers and gender).

The basic principle is that personal data may only be processed for predefined purposes and that no more data may be processed than is strictly necessary to achieve that purpose. You must avoid storing all kinds of data that you do not actually need. Therefore, for each processing of personal data, ask yourself for what purpose you are processing this data and whether processing it is necessary. For example, a customer's e-mail address may be used to send newsletters about similar products. However, the direct e-mail address of an individual (whether business or personal) who is not a customer may only be used for direct marketing if explicit consent has been given.

In view of the privacy laws, it is also important to consider whether the same goal can be achieved by a less intrusive means. Consider, for example, the prevention of theft by your employees: you can mount cameras that focus only on the cash drawer instead of on the face of the employee in question. In this way, the invasion of privacy remains as limited as possible. Here too, data should not be kept longer than necessary.

Organizations must be able to demonstrate compliance with the AVG. Therefore, ensure that the right people within your organization are aware of the new privacy rules and assess what adjustments are needed to comply with the AVG. It is also important to take sufficient technical measures to secure personal data. Key questions here are who within the organization has access to the personal data (access controls), whether data subjects can easily view or change their data, and whether the network is sufficiently secured.

Once you have mapped out what personal data is collected and processed and for what purpose, you can determine on this basis what further steps your organization needs to take and what obligations it has. Examples include drafting a privacy statement for your customers and business relations, keeping a processing register, concluding processing agreements with third parties to whom you make the personal data available, and drafting or adjusting your personnel policy. In any case, you must prevent the unjustified processing of personal data when it is not actually necessary. Awareness and understanding of the personal data you process is the first step!

Stay Focused

As attorneys for business owners, we understand the importance of staying ahead. Together with us, you will have all the opportunities and risks in sight. Feel free to contact us and get personalized information about our services.