If you are new to The Netherlands and Europe, you may not know about the EU’s new General Data Protection Regulation (GDPR), also known in The Netherlands as AVG. GDPR has been the buzz du jour here since at least 2016 and has companies scrambling to meet strict privacy measures or risk the threat of stiff fines from regulators, loss of customers and partners, or brand damage. It’s just the early stages of an evolving space and work in progress for organizations of all sizes to improve their consumer data protection capabilities and compliance over time. While complexity and challenges are expected, it’s a positive step for digital commerce, society and the rights of individuals.
GDPR is an update to a prior EU data protection law, Directive 95/46/EC, created in the 90’s when the Internet and digital commerce were just emerging. The new law, which goes into effect on May 25, 2018, adapts to changing technologies and trends in digital commerce. It is more specific about how and when companies must inform individuals about how their personal data is used. That information must be simple to find, read and understand, and organizations are required to be transparent and to report data breaches (loss or theft). While other countries have their own privacy laws and industry regulations, the GDPR is considered to be one of the most comprehensive and robust.
Since moving back to Amsterdam and launching our office here, I’ve had a number of small business owners, ex-pats and friends ask me who’s covered by GDPR, what they should know, how their job could be impacted and where to get more information. While most of the hype has been around helping companies prepare for GDPR, training lawyers and data professionals, or just scaring the heck out of people, I’ve seen less simple advice for individuals (“data subjects”) whose data is protected. This responsibility has been left to governments and their privacy authorities (“PAs”) tasked with implementing GDPR regionally. I hear that there are marketing campaigns planned for news and radio, but we shall see. While there’s a lot of information floating around the Internet, some good and some not, your EU member country’s PA is the definitive source for questions and complaints. You could also speak with a privacy and compliance officer or a lawyer at your company. I’ve attended a number of conferences, seminars and webinars, talked to lawyers and data privacy officers, done my own research, and want to share some tips.
A Summary of EU Individual Rights Under GDPR
- Right to Information
- Right to Inspection, Correction, Erasure
Individuals have the right to view the personal information an organization has about them and how it is used; they do not need a reason for the request. They have the right to request correction of their personal data. They may ask to modify, supplement or shield sensitive data. People have the right to request erasure (deletion), also called “Right to be Forgotten,” also a good name for a classic alt-country song.
- Right to Restrict Processing
Individuals have the right to request that an organization or partner no longer use their personal data. A primary use case is direct marketing and unsolicited advertising. One may lodge an objection based on personal circumstances.
- Right to Data Portability
Individuals have the right to obtain their personal data and reuse it for their own purposes across different IT services in a safe and secure manner. An example is taking the data one organization has collected and reusing it with a comparison or shopping service.
- Right to Automated Decision Making and Profiling
Generally, individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects for them, unless they have given their consent or the decision is authorized by the government of the member state where the individual and/or organization resides; they may request a manual review.
Who is protected by EU GDPR privacy laws?
Beyond citizens, who else is covered? Residents, visa-holders, guests, workers? The answer is that GDPR applies to everyone located in the EU regardless of citizenship. Privacy and data protection are considered to be fundamental human rights, and thus apply to everyone. GDPR is said to be triggered when either the main office (“establishment”) of an organization providing goods or services (“data controller”) or its customers (“data subjects”) are in the EU zone.
How to File a Complaint
How Does GDPR Impact Me and My Job?
If you are working with an EU company, partner or EU customers, you should learn about your company’s GDPR and privacy program. You should receive training on GDPR and basic data privacy principles such as data classification, data handling for your role and how to recognize and report a data breach. Employee training is required by GDPR. You should work with your management over time to identify how and where you may interact with personal or sensitive consumer data across your 4P’s (programs, products, process and partners). Learn how you can become a better data privacy steward and implement “privacy by design” best practices. These skills will be useful for career development and to add to your LinkedIn profile and CV.
Always Check Your Sources
It’s always good practice, especially these days, to check your information sources and get multiple opinions. Look for the author of a blog in LinkedIn or elsewhere and check their background and blog responses. Do they have experience and seem credible? Some companies will hire freelancers and copywriters with no background in legal, privacy or IT. Do you want to base your job or cross-border strategy on this advice? It depends. I don’t think anyone I’ve met claims to know everything about GDPR as this is a grand effort with details still unfolding. That said, there are some great resources to tap into so go find them.
Feel free to contact us if you have any questions. Stay Calm and GDPR On
Some Good Resources:
Here at Potentia Concepts, we provide digital privacy tools and security awareness education services to global organizations to help them meet regulatory compliance, mitigate risk and protect their brand and stakeholders from digital threats.