Time for a privacy update

It has now been almost four years since the General Data Protection Regulation (‘GDPR’) came into effect. Organisations were required to have brought their business operations into line with the principles and requirements of the GDPR by the date of entry into force – 25 May 2018.  

The Dutch Data Protection Authority ('AP') was given the authority to impose high fines for violations. Reason for many companies at the time to set up GDPR teams and to carefully examine the processing of personal data within the company.  

 However, it can do no harm to once again pay attention to the requirements and obligations of the GDPR within your company. Is the inventory of personal data processing that takes place within your organization still correct and are the processing register and your privacy procedures still up-to-date or do things need to be supplemented or changed in the meantime? Are the security measures taken still appropriate or do they now need to be adjusted given the current state of the art?  

 A careful, safe and GDPR 'compliant' processing of personal data deserves regular attention and is a continuous process. FHI has a number of standard privacy documents and examples made available that can be used for this purpose.  

 The privacy step-by-step plan provides a clear guideline that FHI members can use to get their organization ''AVG-proof' to set up and maintain.  

• The inventory of the various personal data processing operations that take place within an organization and the legal basis that the organization has for this, must be recorded (or updated) in a data processing register. A model for this can also be found on the website. 
• This inventory then serves as a basis for further developing the privacy policy and for complying with the obligations under the GDPR.  

• Once a thorough inventory of personal data processing has been made, it is then relatively easy to draw up privacy statements with which your relations and employees must be informed. 
• Finally, the inventory serves as a basis for drawing up or updating various privacy procedures and provides tools for recording the privacy policy applicable within the company.  

 If you have any further questions about the GDPR and the obligations that arise from it for your organization, as a result of this message or the documents made available, please contact Lise van den Heuvel (06-234 922 48 /l.van.den.heuvel@vestius.com) from our FHI-Advice partner Vestius Advocaten.