The exemption for companies with fewer than 250 employees appears to be interpreted strictly. As soon as there is more than occasional processing, the strict rules of the GDPR apply. And that is quickly the case if any form of customer or payroll administration is maintained. 70% of SMEs are apparently not yet ready for the GDPR…
The GDPR grants people various rights (access, erasure, data portability) and imposes more obligations on companies to handle personal data carefully. The most important things for companies to do are:
- Map the processes in which personal data is processed and assess whether they are in line with the GDPR. This is the “baseline measurement.”
- Describe the purpose. No more data should be processed per process than is necessary for that purpose. Also consider privacy by design and pseudonymization / anonymization.
- Establish the legal basis. If you do not have a contractual or legal obligation to process the data, you must have the consent of the data subject.
- Keep the data accurate (data quality).
- Do not retain the data longer than necessary. Specify retention periods and ensure that the data is (fully) destroyed in a careful (automatic) manner after the period has expired.
- Importantly, make sure the processes are well secured (website, mail, platform, software as a service). Conclude data processing agreements with the service providers involved in these processes.
What you do with the data is recorded in a privacy policy. To make it clear to customers how you handle their personal data, it is advisable to put this privacy policy on your website.
Record all these steps in the register. Tip: make sure you have at least created this privacy register by May 25, 2018.
Even if not everything is 100% in order yet, it is very important that you can demonstrate that your company has already taken steps to become GDPR compliant. That way, you will have a different conversation with the Data Protection Authority, should it unexpectedly come to that!
A practical tool to make an initial assessment of what you need to arrange is the Regulation Assistance of the Dutch Data Protection Authority:
https://rvo.regelhulpenvoorbedrijven.nl/avg/welkom
With our expertise in labor law and privacy, we can quickly work with you to become GDPR-compliant.
Both Femke Luijkx and Liesbeth van Duyneveldt have completed training to become Data Protection Officers.