Why the GDPR / AVG really matters
The General Data Protection Regulation (GDPR) will be effectively enforced throughout Europe from 25 May 2018. Officially adopted in April 2016, the GDPR (AVG in Dutch) applies to all companies, both small and large, not only to companies with more than 250 employees, as is often thought. The GDPR regulates the protection of personal data by giving it the status of a fundamental human right. iTRACTION helps both small and large companies with the complex GDPR legislation through advice and implementation.
The GDPR is the result of almost three years of intensive meetings of EU parliamentarians, more than 4000 amendments and endless meetings with lobbyists, until the Council of European Ministers finally adopted the Regulation in April 2016. MEP Jan Philipp Albrecht, together with Ralf Bendrath and Viviane Reding, were the initiators. In 2015, the film Democracy by director David Bernet was released about this long bureaucratic path. It offers a fascinating insight into the democratic process in the EU and the passion of Albrecht and Reding, among others.
Where to start?
If you study the 99 articles and 173 recitals of GDPR Regulation 2016/679, you will notice what the long democratic process of participation produced: complex, rather vague wording and virtually no specific instructions anywhere. Only the fines are crystal clear: up to EUR 20M or 4% of worldwide turnover, whichever is higher. Through the so-called Working Party Guidelines, efforts have been and are still being made to provide more tangible guidance, but it is not enough. A reference to something more concrete, such as an ISO (NEN) standard, is rare.
So where to start? We can distinguish four steps: Discovery, Management, Protecting and Reporting. The GDPR is about making the risks of collecting personal data transparent and, where necessary, providing a solid basis for that processing by means of a DPIA (Data Protection Impact Assessment, also called a PIA). Essential to the GDPR is that every company must be able to demonstrate that it is accountable and compliant with the GDPR. Companies are obliged to demonstrate their accountability as soon as the regulator requests it. In daily practice, this means, for example, that if the regulator receives complaints about a company, it may ask for the processing register. The processing register is one of the basic documents of the GDPR and is the place where a company records, among other things, which personal data it processes.
Interested in how we can help your company become GDPR compliant? Do you want to start by setting up the processing register? Or do you think your company might need a PIA assessment? Call +31 36 536 5367 888 or contact us.