Blogs from lawyers
in Amsterdam

How to become “GDPR compliant”? Here are some tips to help you on your way

How to become "GDPR compliant"? Here are some tips to help you on your way

Since the 25th of May 2018, every European business, or every company that does business in Europe and in that circumstance, processes personal data of EU-citizens, needs to be aware of the fact that the GDPR (General Data Protection Regulation) is applicable and that every processing activity you perform concerning data that can be traceable to a natural person, must be based on a legal and legitimate ground (or else you might be exposed to big fines up to €20 million or 4% of your annual turnover!). Even though such big fines will probably not happen so quickly, you should take a serious look at how you cope with data privacy rather now than when it’s too little too late. Here are 9 steps that help you on your way!

1. Legal grounds: First of all, you should be aware of what kind of data you collect, and on which grounds. The GDRP gives you six legal grounds:

  • Consent. For some types of data (explicit) consent is even obliged (for instance if you want to show photos of your employees on your website). Be aware that consent must be voluntarily granted. You must provide clear and sufficient information about the purpose of the collection and there must be given a true choice. This can be tricky in employer-employee relations and permission can always be withdrawn so only go for explicit consent when you have no other legal grounds;
  • Contractual necessity: This is quite straight forward. To perform a contract, you can’t do without the other party’s details. Just be careful about the scope of the contract and don’t go beyond that or stray away from the main purpose of the contract when collecting personal data;
  • Lawful processing on the ground of legal obligations: Sometimes there are legal obligations, for instance tax regulations, that force you to keep and store data for a certain period of time. Keep these time periods in mind;
  • Vital interests and lawful data processing: This covers situations in which the vital (almost life threatening) interests of the individual overcomes the privacy protection interests. This ground will probably not be applicable in everyday processing situations;
  • Public interest as a basis for lawful processing: This one is for official authority use. There must be clear basis in law to process data on this ground;
  • Legitimate interests: here a ‘weighing of interests’ must be made between the interests of the processor and of the natural person who’s data is being processed. For instance, when preventing fraud or when this personal data is processed by a party that secures your network etc. Processing on this ground must be proportionate, always must be explained clearly and has to be necessary. Be extra careful when processing information regarding children and be able to explain why you have fundamental legal grounds for lawful processing.

2. Data minimalization: One of the key elements of the GDPR is data minimalization. When you do need to collect someone’s data, make sure you collect only what’s necessary and for as long as necessary. Considering what you long from people when they leave their personal data and how long you really need all this information is key when becoming GDPR proof now and in the future.

3. Clarity: If you have established a ground on which you are allowed to collect data, make sure you are open and clear towards the “subject” about what you have. This must all be done in an easy accessible and clear manner. For instance, make sure you have a clearly written Privacy Policy that is easy to read and easy to find.

4. Accountability: Show you are compliant: You must be able to show (when asked by the authorities) what you have done to protect the data and that you meet all your obligations. Have all the documents required accessible and make sure your personnel knows about this too.

5. Data subjects rights: Under the GDPR, subjects have a lot of rights concerning their data and they can make requests, which you have to be able to answer! For instance, you must be able to; delete the data, alter the data, have the data be able to be transported (this is called ‘data portability’, which means that an individual must be able to reuse their personal data for their own purposes so that they can use it on different services). Data subjects also have the right of access. You must be able to comply with a request to provide access and inform the subject about everything you have from them within one month (this can be done by putting all the information you have collected in an overview).

6. Controllers and processors: Under the GDPR there are data controllers and data processors. In short, the controller determines the purpose for which the data is collected. The processor performs on behalf of the controller. A lot of services you use probably process personal data for you, for instance a website provider, the party that does you staff administration, etc. Make sure you now with whom you share data with and to enter into “processors agreements” with them!

7. Data breach notification: Data Breaches must be documented (always) and reported to the authorities within 72 hours (if the breach affects people’s rights and freedom, in which case you need to consider the likelihood and severity of any risk to people’s rights and freedoms). Not reporting when a breach occurred can result in serious fines!

8. Data Protection Impact Assessments (PIA): When the data processing entails ‘high risks’, you must perform a PIA. This should be done before processing the data. For example, when special personal data is processed, such as data on health, race, ethnic origin, or when you systematically and comprehensively assess personal details.

9. Data Protection Officer (DPO): When you are a public authority, when your core activity consists of large scale and systematic monitoring of individuals, or when you process special categories of data or data relating to criminal convictions and offences, you need to appoint a Data Protection Officer. This DPO must be independent and a expert in data protection. This can be an existing employee, but you can also externally appoint one. It can be recommendable to have a DPO even if you’re considered as one of the above in order to show compliance and accountability. 

Taking these tips into consideration, becoming GDPR compliant is quite a task. That’s where Blenheim’s Privacy Desk comes in to assist. Blenheim is experienced in making businesses of all kind GDPR compliant. Whether this means setting up your privacy structure from the ground up or assisting with legal advice on complex privacy related legal issues, we are happy to help.

Determining as soon as possible what your current situation is, which measures must be taken to be compliant and what documents need to be made to do this, is key in getting your company GDPR compliant. Blenheim can help you preparing all the needed legal documents, such as Privacy & Cookie statements, terms and conditions, and processing agreements and can also conduct privacy scans and perform risk analyses. 

Feel free to contact the Blenheim Privacy Desk and find out how we can offer the tailored assistance your organization needs.

LAW - associated firm

Together with a number of international law firms outside
The Netherlands, Blenheim is member of Lawyers Associated Worldwide.

read more

Contact form



Contact form