'Implementing AVG: a practical approach' Interesting!

Feb. 16, 2018
On Nov. 2, AuditPeople held an event for auditors, risk managers and compliance specialists, titled "Implementing AVG: A Practical Approach". This article summarizes the topics discussed at the event. As is well known by now, the Algemene Verordening Gegevensbescherming (AVG), known in Europe as the General Data Protection Regulation (GDPR), will replace the current Personal Data Protection Act (Wbp) as of May 25 of this year. During the event, John Storms and Margreet Löwik guided participants through the differences between the Wbp and the AVG and through the implementation of the AVG. John and Margreet deal with the implementation of the AVG in their daily work.

First, the event discussed why the AVG is being introduced. The current Wbp dates back to 1995, which is quite some time ago, especially in view of the technological developments that have taken place since then. As a result of these developments, such as mobile devices and the Internet of Things, we are leaving more and more data in more and more different places. This raises the following questions: "Where does this data end up?", "What happens to this data?" and "Is it properly secured?". Finally, data leaks occur more frequently these days; this has been a reason for the European Union to develop new legislation.

Next was a focus on the differences between the Wbp and the AVG. Some of the differences discussed were:

  • Expanded powers of the supervisory authority - The investigative powers of the supervisory authority have been expanded: for example, it now has access to all processing of personal data and may conduct audits. In addition, its power to impose fines has been increased.
  • Role of the data protection officer - Under the Wbp there was already such an officer. Under the AVG, however, the role of the officer is expanded, which increases the demonstrability of compliance.
  • Changed definition of personal data - The definition of personal data has been broadened, so that more data falls into the category of personal data. An example of data that now counts as personal data is an IP address.
  • Legal basis or consent required for processing - Under the AVG, it is important that the customer gives consent for an action involving personal data by means of a clear, active action. In addition, withdrawing consent must be as simple as giving it.
  • Stricter requirements for the processor agreement - Under the AVG, the processor agreement (an agreement entered into with parties who process data on behalf of an organization) is not new; there are just stricter requirements for this agreement. An example: a data leak must be reported within 72 hours.
  • Maintaining your own register - Under the Wbp, the register of processing operations was managed by the Personal Data Authority; under the AVG, this responsibility lies with the controller, i.e. the organization itself.
  • Additional rights of data subjects - One of the important changes is 'the right to erasure of data', which includes being able to prove to a data subject that all of their data has been erased. Some of these rights conflict with other laws.

Finally, the event also focused on the implementation of the AVG. It is important to use a phased approach: for example, start with a gap analysis ('where are the processing operations involving sensitive data within your company?'). To gain this insight, John indicated in his presentation that a good starting point for the implementation can be to maintain your own register of personal data processing, since this register keeps track of all processing operations. Tooling is also currently available that can help obtain this overview; during the presentation, the tool PrivacyPerfect was discussed.

Once this insight is gained, what-if scenarios can be used, making it possible to gain very concrete insight into, for example, the consequences of the various rights of data subjects. These scenarios can then be the starting point for further development of policy regarding the processing of personal data.

Apart from these different phases in the implementation of the AVG, it is important to have the full commitment of the organization's Board of Directors. Because many organizations implementing the AVG are in fact also catching up on the Wbp, many choices need to be made quickly. Experience shows that this is easier with the commitment of the Board of Directors.

John Storms has written previously about the implementation of the AVG. Read his full article here: https://www.auditpeople.nl/nieuws/implementatie-avg/.

Clarissa van der Most. Clarissa is an audit trainee at AuditPeople.

ARC People connects three strong labels: AuditPeople, RiskPeople and CompliancePeople. Each of these labels focuses on its own specialized field. Clients are provided with the right people and knowledge from those specialties. www.arcpeople.nl