On May 25, 2018, the General Data Protection Regulation (GDPR), the new European data protection law, enters into force. The new law tightens the rules under the current Personal Data Protection Act, and also adds some new obligations. The GDPR introduces some key principles regarding the processing of personal data:
- personal data must be processed in an appropriate, legal and transparent manner;
- personal data may only be processed for a specific, explicitly defined purpose;
- only personal data that are necessary for the purpose may be processed (data minimization);
- data must be correct and up-to-date;
- if identification is no longer necessary for the purpose, the personal data must be deleted or anonymized, and;
- personal data must be secured through technical and organizational measures.
Organizations must be able to demonstrate that they comply with all GDPR obligations. Consider, for example, authorization, information provided to data subjects, the rights of data subjects, data security, minimization of processing, and agreements with processors.
While organizations handle a great deal of personal data, the requirements that IT systems must meet to comply with the GDPR are of crucial importance. Typically, several types of systems are in use: external supplier systems (packages), customized systems (developed in-house), and generic systems (used organization-wide, not only within the organization's own division).
The approach differs according to the type of system. For applications or systems that are fully sourced from an external supplier, the responsibility for GDPR compliance lies largely with that supplier. However, the organization using these systems remains ultimately responsible.
The supplier provides the expected changes, and the business analyst determines together with the stakeholders within the division whether the proposed changes are sufficient; it is also determined whether there is an impact on the rest of the chain and how large that impact is. For the customized systems, requirements are drawn up and the changes are collected and implemented within the IT departments. For the generic systems, the adjustments are not made within the organization's own domain: the requirements are drawn up and passed on to the departments where the generic systems have to be modified.
In addition to drafting the requirements and determining the impact, the organization of the processes surrounding the GDPR is also crucial. This includes the implementation of new processes (how does a request come in from a data subject invoking one of the GDPR rights, and how is it handled and documented?). All relevant existing processes must be screened and, where necessary, adapted to the GDPR requirements. Privacy Impact Assessments (PIAs) can be very helpful and should be widely implemented within the organization. These PIAs show what personal data are being processed, for what purpose, and which risks are present. These risks must be mitigated by taking control measures.
In consultation, the net risks are determined. The starting point is that risks were identified at the beginning of the project and measures were defined for those risks. Once the measures are implemented, the net (residual) risk remains. This risk is presented to management for acceptance.
Finally, the formulation of policy is crucial, as decision-making is linked to the implementation of control measures. Examples are: "what do we want the processes related to the GDPR rights to look like?" and "how do we handle the administration of privacy-sensitive data?" Input is needed from the entire organization and involves business, IT, legal, risk, and compliance. Workshops and information sessions are very useful and crucial.
André van Diermen