The General Data Protection Regulation (GDPR) provides for very high fines for organisations that are careless when handling personal data. What essential measures can you take right now to avoid such a fine?
The GDPR (General Data Protection Regulation), known in the Netherlands as the AVG (Algemene Verordening Gegevensbescherming), has entered into force, and the rapidly approaching compliance deadline is causing concern in more and more organisations. The law imposes a large number of requirements and obligations, and it provides for high fines for organisations that do not manage to meet them in time.
Recently I spoke about this with Ans Duthler of Duthler Associates, which advises companies in this area. One of the first recommendations that she gives to clients is not to regard the new legislation as a nuisance. This is because the GDPR is primarily an opportunity to get your own data management in order. In this way you place the interests and (privacy) rights of the customer, citizen or patient even more emphatically at the heart of the organisation.
An important first step in this approach, according to Duthler, is the appointment of a Data Protection Officer (DPO). He or she can act as a 'quartermaster', monitoring compliance with the new law, and arranges for the required road map to be drawn up and rolled out. Small organisations can hire an external advisor, either on their own or jointly, for example through a trade association.
An important theme within the GDPR is accountability. Organisations must be able to show exactly which personal data they store and for what purpose. This requires keeping a detailed privacy record (the GDPR's record of processing activities), in which all choices the organisation makes in the context of the GDPR are written down. A good starting point for this administrative record is a detailed 'baseline measurement' of the current state of affairs.
Baseline measurement as starting point
Few organisations know exactly which personal data they collect, where they store them and with whom they share them. The organisation must also be able to demonstrate that the use of this data is genuinely necessary for the stated purpose. It is very likely that the baseline measurement will yield a large number of concrete action points, on which the quartermaster can get started straight away.
A baseline measurement is also a good starting point for the necessary awareness process among your own employees (including management!). With every new action involving personal data, they should automatically ask themselves a number of critical questions. To stimulate awareness within the organisation, a quartermaster can organise workshops or online seminars, or deploy supporting privacy tools, for example.
Never 100% GDPR-proof
These measures must, of course, also be included in the privacy record. Given the broad scope of the new GDPR legislation, and the involvement of humans as an unpredictable factor, the '100% GDPR-proof' organisation is a utopian dream. However, according to Duthler, an organisation that can show that serious work has been done on meeting the legal obligations can assume that a data breach will not lead directly to a high fine.
Not wanting to have to pay a fine is therefore not the main reason why you should embrace the new law. Privacy is an increasingly important issue for the customer, citizen or patient. Organisations that make them feel that their sensitive personal data are in good hands will soon have a head start on the competition. The new law thus offers a great opportunity for organisations to distinguish themselves as reliable and customer-oriented.
So start with the baseline measurement as quickly as possible, determine action points and look for supporting software that helps you tackle them as effectively as possible. In the unlikely event that something nevertheless goes wrong, you can immediately show that you have taken proper measures to prevent a data leak and to limit its possible consequences as much as possible.
Checklist GDPR Compliance
This blog gives you an idea of what to expect. Now it is high time to take action. Our checklist describes exactly the steps you need to take to achieve GDPR compliance. The document addresses in greater detail matters such as drafting a data processing agreement with your processors, obtaining consent for the processing of personal data, the security measures to be taken and the obligation to report data breaches.