Implementation AVG

Sept. 7, 2017
May 25, 2018 is the date on which the General Data Protection Regulation (GDPR), known in the Netherlands as the Algemene Verordening Gegevensbescherming (AVG), comes into force. Time is running out and many companies are worried about whether they will be ready in time. A PwC survey of 327 organizations reveals that only 12 percent of the companies surveyed are ready for the AVG, even though the impact can be huge. This calls for a practical approach. The approach in this article grew out of my experience with GDPR projects at clients.

What will change with the AVG?

The current Personal Data Protection Act (Wet bescherming persoonsgegevens, Wbp) dates back to 1995. Much has changed since then. Technological developments make it possible to extract more information from the same data. The volume of data collected and processed daily has also grown enormously, and it is not always clear where that data is located, who is responsible for it and which rights apply. Many of the provisions in the AVG already exist under the current Wbp. Nevertheless, there are significant changes. One of the most important changes in the AVG is an increase in the rights of individuals with respect to the data collected and processed about them, and the fact that the same rights now apply throughout the European Union. Other important changes are:

Changing the definition of personal data - Under the AVG, more data will be classified as personal data. Think of IP addresses, location data or identification cookies that, alone or in combination, can be traced back to individuals.

Consent - Under the Wbp, organizations already had to ask individuals for consent before storing and processing personal data. Under the AVG this has been tightened further. Processing is only allowed if there is a legal basis and a purpose (purpose limitation). If these are absent, explicit consent must be obtained.

Processing by a processor - If processing is carried out by an external processor, a processor agreement is mandatory. Again, this is not new under the AVG, but the AVG sets specific requirements for the processor agreement, including mandatory notification of incidents within 72 hours, information security requirements and the rights of data subjects.

Keeping your own register of processing operations - Companies and institutions that process personal data must keep their own records. Under the Wbp, the processing of personal data had to be reported in general terms to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), which kept a register of it. Under the AVG, organizations themselves are responsible for keeping an up-to-date register. Even if processing is done by an external processor, this must be reflected in the register.

Data subjects' rights - The rights of data subjects increase considerably under the AVG. For example, an individual has the right of access, the right to be forgotten, the right to take their data with them (data portability) and the right to suspend the processing of their data. These rights have quite an impact on many systems.

Appointing a Data Protection Officer - Under the AVG, companies and institutions are in some cases required to appoint a Data Protection Officer. A Data Protection Officer is mandatory if the processing of personal data (1) is carried out by a public authority, (2) is carried out by an enterprise with more than 250 employees, or (3) if the controller or processor is mainly in charge of processing operations that, due to their nature, scope and/or purpose, require regular and systematic monitoring.

Mandatory PIAs - Processes that involve processing of personal data must undergo a Privacy Impact Assessment (PIA). The risks of the processing must be identified and appropriate measures taken. Conducting PIAs is not mandatory until May 25, 2018; only from that date is a PIA mandatory for new processes. A PIA is a form of risk analysis, so it certainly can't hurt to include privacy risk in the risk analysis already when new processes are developed, especially if they involve processing personal data.

Information security - The security of personal data is explicitly named as a mitigating measure in the AVG. Information security must be in order: appropriate technical and organizational measures must be taken. Examples include encryption of personal data, ensuring the confidentiality, integrity and availability of data, and regular testing of the measures taken. The importance of standards frameworks such as ISO 2700x, NEN 7510 and COBIT increases as a result. Moreover, when developing new applications, the privacy of personal data must be the starting point (privacy by design / privacy by default).

Data breach notification obligation - If the measures taken nevertheless fall short, the data breach notification obligation applies: incidents must be reported to the regulator, the Dutch Data Protection Authority (AP), within 72 hours. This notification obligation is far-reaching. Letters with personal data delivered to the wrong address, printouts with sensitive data that have disappeared from a printer, or a memory stick with personal data that has been lost all fall under the notification obligation and must also be reported to the data subjects involved. Incidents at external processors must likewise be reported by the controller within 72 hours.

Expanded fining powers of the regulator - Finally, the powers of the Dutch Data Protection Authority (AP) increase considerably. Under the Wbp, the AP already had the ability to issue fines. With the advent of the AVG, these fines can reach up to 820,000 euros or 4% of annual turnover, greatly increasing the risks of non-compliance for companies.

Practical, pragmatic approach

To comply with the AVG by May 25, 2018, a practical and pragmatic approach is necessary. Many of the approaches found on the Internet address a number of themes, and those themes also recur in the approach described here. The obvious starting point is the personal data itself: in which systems is it processed and stored? Through which processes does this take place? And are external processors involved? To answer these questions, we start with a baseline measurement. In a workshop with the business, IT and procurement, a first picture is drawn and the delta with respect to the AVG is determined. This is also the time to set priorities.

After the baseline measurement, three parallel tracks start. This is shown schematically in the figure below.

General track - Overall, a number of things need to be in place in order to comply with the AVG. In some cases a privacy officer must be appointed, for example if a company has more than 250 employees. A start must be made on a central register of processing operations; the results of the baseline measurement can serve as initial input. The privacy policy and privacy statement must be brought in line with the AVG, and additional procedures and work instructions may need to be drafted, for example to properly handle customer requests under the right of access or the right to be forgotten.

System track - Customer rights may impact existing systems. Can a system provide an orderly overview of the processing of an individual customer's personal data? Is it possible to temporarily suspend processing? Can data be deleted in a timely manner? Does the system store more data than necessary? How do we record that a customer has exercised certain rights under the AVG? The system track must answer these questions and determine whether adjustments to systems, procedures and work instructions are necessary. Information security is also an important object of investigation in this track: are the security measures taken around personal data sufficient?

Processor track - The third and final track addresses processors. The baseline measurement shows whether external processors are involved in the various processing operations. In the processor track we map out what agreements have been made with these processors. Which contracts have been concluded? Have processor agreements been drawn up, and are their provisions sufficient for the AVG? Consider, for example, agreements on mandatory data breach notification and information security. Have all processors signed the processor agreements, and are they able to comply with everything agreed?

In conclusion

Chances are that the AVG will affect your organization, because the AVG covers all registrations of personal data: not only those of your customers but also those of your employees. Moreover, the definition of personal data has been expanded.

Complying with the AVG can be time-consuming, especially if systems need to be modified. So don't wait too long. If your company needs support, Auditpeople can assist you.

John Storms is an independent consultant in Information Risk Management.

Sources:

  • Whitepaper European Privacy Regulation - De Clercq
  • PwC research on the AVG
  • Flyer AVG - Anticipating the General Data Protection Regulation - Ministry of Security and Justice
  • Regulation (EU) 2016/679 of the European Parliament and of the Council
  • Privacy Impact Assessment - NOREA Guide - https://www.norea.nl/download/?id=522