Impact of the GDPR
As of May 25th 2018 the General Data Protection Regulation (GDPR, or AVG, Algemene Verordening Gegevensbescherming, in Dutch) will come into effect EU-wide and replace local data protection laws, such as the Dutch Data Protection Act (Wet Bescherming Persoonsgegevens, Wbp). This unified EU regulation will have a great impact on how companies handle personal data, and they may face large fines if they do not comply.
So to whom does this GDPR apply?
Short answer: Everybody within the EU.
Under the GDPR, individuals or “data subjects” within the EU get clarity about what happens with their personal data and rights to control that data. In addition, the GDPR also addresses the export of their personal data outside of the EU area.
Companies and governmental organizations will need to implement many changes to comply.
Almost all companies collect and process (“control”) personal data. At the very least this is their employee records and payroll administration. Of course, the impact of the GDPR will be far bigger on some companies than on others. Many things will change especially for companies that collect and process personal data systematically, or on a large scale, such as online marketing companies, hospitals and (online) retailers.
Key changes are:
- Consent: Individuals must give their permission before their data may be processed; controllers must indicate with whom the data is shared and for what purpose;
- Purpose: Only data that has a (lawful) purpose may be collected and processed;
- Retention: Personal data may not be stored longer than needed for the intended purpose;
- Confidentiality: Personal data must be protected against unauthorized access or loss;
- Breach Notification: It will be mandatory to notify serious data breaches to the authorities;
- Right to Access: Individuals may ask to see what personal data of theirs is stored and for what purpose;
- Right to be Forgotten: In addition, individuals get the power to have their personal data destroyed on request;
- Data Portability: Individuals will get the right to transmit their data to another controller, for example a competing service;
- Privacy by Design: Systems must be designed with privacy and security in mind;
- Data Protection Officer: Certain organizations need to appoint a DPO.
Some of these changes were already in effect in local legislation — for example in the Netherlands, so having them all unified in an EU-wide regulation is a big step forward and is creating a level playing field within the EU.
Obviously, we take data protection very seriously at Elements. Although we already had strict privacy protocols and data processing agreements in place, we have been working on a number of changes to comply with the GDPR.
First we went through a handy GDPR compliance step-by-step plan created by Bureau Brandeis (in Dutch). We soon realized that many requirements and regulations of the GDPR do not actually apply to us, since Elements does not process personal data on a large scale. Let’s have a look at the personal data we actually collect and process.
We created a complete overview of all the personal data we collect as a processor, such as employee salary information, identification documents and home addresses of employees, job applicant résumés and supplier contact information. We concluded that the only personal data we process boils down to:
- Data from our employees (such as salary information), customers (CRM data) and suppliers (contact information);
- Data we receive from job applicants (through recruitment platform Workable), the information sent to us by email or through online forms, and website visitor information (including Google Analytics, social sharing, video embeds);
- Other data, such as security camera footage.
After we knew exactly what personal data we collect as a processor, we took a closer look at how long we store this data (data retention). Some data must be destroyed after just a few weeks (for example data from rejected job applicants), while other data must be stored for at least seven years (fiscal information).
Based on this, we updated our (HR) protocols and reevaluated the agreements and privacy policies of all of our suppliers that handle personal data of our employees (for example our recruitment platform provider, payroll company, pension plan provider, health and safety service provider, etc.).
As a subprocessor, however, Elements sometimes does work with very sensitive personal data which is collected and controlled by our clients. We are very much aware we need to handle this data responsibly and have data processing agreements in place with our clients. Employees are aware of this through clauses in employee agreements and/or the employee handbook.
We soon realized we needed to compile a central document describing all our policies and procedures regarding privacy and security. We found out that many security and privacy-related policies, procedures, protocols and regulations we already had at Elements were scattered around in various documents and agreements on several digital locations, or were not documented in writing at all.
The document covers important subjects such as security incidents management (including a data breaches protocol), business continuity procedures, physical security, information handling and regulatory requirements.
Security and Privacy By Design
This is one of the things we believe we already do at Elements. When creating applications and doing our day-to-day work, we always think about how to improve security and privacy by following OWASP web guidelines, actively promoting SSL security, patching systems regularly, etc.
Even though we have security and privacy in our DNA, we felt it necessary to ensure “security and privacy by design” by formally including these topics in the design phase of our projects and involving the Data Protection Officer early in the process.
Contracts and agreements
To make sure we are complying with the GDPR, we are currently in the process of reviewing all running contracts and data processing agreements we have with our freelancers, contractors, suppliers and clients.
Post-employment reminders and anonymization
We implemented automatic post-employment email reminders that notify HR a set number of years after an ex-employee ended their employment. In the years following the end of employment we as an employer need to destroy certain information of ex-employees: for example CVs, employee appraisals and sick leave records after two years, identification after five years, and salary and tax information after seven years.
In addition, we added functionality to our internal systems to anonymize and archive ex-employee’s information.
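The retention schedule above can be turned into a small reminder and purge routine. The following is an added example written for this post and is not Elements' internal system: the record category names, the sample ex-employee record and the rule that direct identifiers are kept until the last legally retained record has expired are all assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
import secrets

# Retention periods in years after the end of employment, as listed in the post.
# The category names themselves are constructed for this example.
RETENTION_YEARS = {
    "cv": 2,
    "appraisal": 2,
    "sick_leave": 2,
    "identification": 5,
    "salary": 7,
    "tax": 7,
}


@dataclass(frozen=True)
class ExEmployee:
    name: str
    email: str
    employment_end: date
    records: dict  # category -> stored payload (constructed sample data)


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry_dates(emp: ExEmployee) -> dict:
    """Date on which each retained record category of this ex-employee must be destroyed."""
    return {c: add_years(emp.employment_end, RETENTION_YEARS[c])
            for c in emp.records if c in RETENTION_YEARS}


def due_categories(emp: ExEmployee, today: date, notice_days: int = 0) -> list:
    """Categories whose retention expires on or before today + notice_days (sorted)."""
    horizon = today + timedelta(days=notice_days)
    return sorted(c for c, d in expiry_dates(emp).items() if d <= horizon)


def reminder_text(emp: ExEmployee, today: date, notice_days: int = 30) -> str:
    """Body of the reminder e-mail HR would receive; empty string when nothing is due."""
    due = due_categories(emp, today, notice_days)
    if not due:
        return ""
    exp = expiry_dates(emp)
    lines = [f"Retention reminder for {emp.name} (left {emp.employment_end.isoformat()}):"]
    lines += [f"  - destroy '{c}' by {exp[c].isoformat()}" for c in due]
    return "\n".join(lines)


def process(emp: ExEmployee, today: date) -> ExEmployee:
    """Destroy every category whose retention has expired. Assumption for this example:
    name and e-mail stay while any retained record (e.g. fiscal data) still needs them;
    once nothing retained remains, the archived record gets a random, unlinkable id."""
    keep = {c: v for c, v in emp.records.items() if c not in due_categories(emp, today)}
    if any(c in RETENTION_YEARS for c in keep):
        return replace(emp, records=keep)
    return replace(emp, name="archived-" + secrets.token_hex(8), email="", records=keep)


# Constructed sample record; not real data.
SAMPLE = ExEmployee(
    name="Jane Doe",
    email="jane.doe@example.com",
    employment_end=date(2015, 3, 31),
    records={
        "cv": "cv.pdf",
        "identification": "passport-scan.pdf",
        "salary": "payroll-2014.csv",
        "tax": "wage-tax-2014.xml",
    },
)

if __name__ == "__main__":
    print(reminder_text(SAMPLE, date(2017, 4, 1)) or "nothing due")
    print(sorted(process(SAMPLE, date(2018, 5, 25)).records))
```

A real deployment would run this once a day against the HR database and send the reminder text to the HR mailbox; the `notice_days` window exists so HR is warned before the destruction date rather than on it.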
Annual Security Day
Replacing the hackathon we organized in past years, we are preparing an annual day at Elements dedicated to security and privacy. On the day, scheduled later this month, we would like to raise even more awareness of security and privacy concerns among our employees, both technical and non-technical colleagues. The exact agenda for the Security Day is to be announced.
While not strictly necessary for our type of organization, we have appointed a Data Protection Officer who acts as the go-to person regarding all security and privacy concerns at Elements.
Obviously, the next steps are to continuously improve security and data privacy and stay alert on threats and data concerns in the future.
Keep an eye on our blog for more thoughts on privacy and security.
Originally published at www.elements.nl on November 20, 2017.