AVG/GDPR: Reading material!
As of May 25, 2018, a new European law came into effect: the General Data Protection Regulation, abbreviated AVG in Dutch and GDPR in English.
Since it raised questions for us, and we get questions from our customers, here's a brief introduction with plenty of links to click through.

What is it all about?
The current legislation dates from 1995 and has been supplemented by the Personal Data Protection Act (Wbp) since 2000. Time, therefore, for an update.
The Dutch central government summarizes it as follows, from a consumer perspective (1):
Safe online and e-privacy
The central government wants everyone to be able to use the Internet safely, and wants companies and organizations to protect personal data properly. Global agreements are therefore needed for the use of online services.
Conditions protecting digital personal data
To protect personal data, Internet services must meet certain conditions:
- Consumers have and maintain control over the use of their personal data.
- Consumers receive full information about the processing of their data.
- Companies must properly secure personal data from the start of their services.
Protecting digital privacy
In 2013, the Cabinet gave its vision of digital privacy in the Cabinet vision of e-privacy. Companies are increasingly using profiling, that is, targeting specific groups online. The Personal Data Protection Act regulates the safe and careful use of personal data. But because the Internet crosses borders, international agreements are needed.
European agreements on the use of personal data
The Data Protection Regulation of May 5, 2016 must be implemented within 2 years. This strengthens end-user rights and protects the end user through the following measures:
- Consumers "may be forgotten": they can have certain data removed from a website.
- Consumers have the right to a copy of their stored data.
- Consumers may refuse consent to profiling, the targeted collection of online data.
- Consumers must be given understandable and accessible information about the processing of their personal data.
Sounds all super-reasonable, and as private individuals, we ourselves are happy with this.
But what does it mean for my organization?
In short, where previously it was sufficient to properly secure personal data, now you must:
- Clearly show what your policy is, and not in mumbo-jumbo legal language but readable and understandable.
- Explicitly ask permission to process personal data, use it only for those purposes, track it, and don't store it longer than necessary.
- If you process a lot of data and/or your company profiles people, you may need to have a data protection impact assessment (DPIA) done.
- Report (as before) any data leak that has occurred.
- Tighten up cookie notifications (we are moving to European rules!).
Most commonly used terms
You may be a controller yourself and/or work with a processor of (sensitive) personal data (2).
Controller
A data controller, alone or jointly with others, determines the purposes and means of processing personal data. Controllers bear primary responsibility for compliance.
Chances are that's you.
Processor
A processor is any entity that processes personal data according to the data controller's instructions. This often requires you to enter into a processor agreement.
Processor agreement
If you store and process personal data for a customer, there should always be an agreement between you and the customer that sets out the agreements and obligations on a reciprocal basis.
In this so-called processor agreement, the following is laid down:
- the purposes for which you will process the data,
- the means by which you will process the data,
- to whom you may hand over the data,
- which security measures you have taken (or will take) to secure the stored data,
- how the control and correction rights of the data subject will be fulfilled,
- that the customer indemnifies you against claims by third parties in relation to the personal data.
Personal data:
E.g. Name, Address, E-mail, Photo, IP address, Location data, Online behavior (cookies), Profiling and analytics data.
Sensitive personal data:
E.g. Origin, Religion, Political affiliation, Trade union membership, Sexual preference, Health information, Biometric data, Genetic data.
Stay away from this if you can.
Want to know more?
The government has set up a section on its site on this topic, where you can read more. A few things caught my eye, but there are ifs and buts to everything ;)
Do some reading yourself:
Do the rules apply to SMEs?
Yes. The application of the Data Protection Regulation does not depend on the size of your company, but on the nature of its activities. But companies with fewer than 250 employees, for example, do not have to keep records of their processing activities. They also do not have to appoint a data protection officer if processing is not their main activity.
Do data protection rules apply to data about a company?
No. The rules only apply to personal data about individuals; they do not regulate data about companies or other legal entities. However, there are places where it gets vague, e.g. the contact details of an individual at a company.
What will you/we do?
Make a list of where this data (or parts of it) might be: online, on your system, but also backups. Perhaps clean up your (old) data of (old) users? Do you still need data at all, and that source file too? Is it really necessary to be able to trace that Excel sheet back to the person behind it? Anonymization is of course a good option.
We can draw up a Collaboration Agreement with you if your site processes personal data (contains forms and/or has a login option). We must then define what we are allowed to see/use that data for.
Also, if we sometimes analyze your Google Analytics data for you or segment Mailchimp mailings for you, we need to document that as well.
You may well need to amend (or have amended) your privacy statement slightly. And let your users know this.
When using forms, think again about what you are asking for and whether that same goal can be achieved with less data:
- Is that date of birth really necessary, or can you get by with just a year of birth? Perhaps 5-year age bands are enough for segmentation.
- Are you going to send someone mail? If not, you don't need an address.
- Refer clearly to where your privacy agreement is, and make sure it is clear who people can contact about this (this also applies to newsletter subscriptions).
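To make the minimization and clean-up advice above concrete, here is an added example (not code from the original post): a small Python routine that reduces a form submission to what its purpose needs, buckets the date of birth into 5-year age bands, pseudonymizes the e-mail address for analytics, and prunes records past a retention period. The sample submissions, field names and retention period are constructed for illustration.

```python
from datetime import date, timedelta
import hashlib
import hmac

# Constructed sample of stored form submissions (not real people).
SUBMISSIONS = [
    {"name": "Alice Example", "email": "alice@example.org", "dob": "1984-03-12",
     "address": "Main St 1", "wants_mail": False, "submitted": "2018-04-01"},
    {"name": "Bob Example", "email": "bob@example.org", "dob": "1991-11-30",
     "address": "Side St 2", "wants_mail": True, "submitted": "2015-06-15"},
]


def age_band(dob_iso, today, width=5):
    """Replace an exact date of birth with a width-year band such as '30-34'."""
    born = date.fromisoformat(dob_iso)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def minimise(record, today):
    """Keep only the fields the stated purpose needs.

    Name and postal address are kept only when the person asked for mail;
    the date of birth is reduced to an age band that still allows segmentation.
    """
    out = {
        "email": record["email"],
        "age_band": age_band(record["dob"], today),
        "submitted": record["submitted"],
    }
    if record.get("wants_mail"):
        out["name"] = record["name"]
        out["address"] = record["address"]
    return out


def pseudonymise_email(email, key):
    """Keyed hash so analytics can count distinct users without storing the address.

    The key must be kept separate from the analytics data; with the key, the
    hash can be re-derived from an address, but not the other way round.
    """
    digest = hmac.new(key, email.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def prune_expired(records, today, retention_days):
    """Drop submissions older than the retention period (data you no longer need)."""
    cutoff = today - timedelta(days=retention_days)
    return [r for r in records if date.fromisoformat(r["submitted"]) >= cutoff]
```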
And oh yeah: Cookie notifications. We are moving to European legislation, which is a bit stricter. Below are links with information to that end.
Hmm, Lidl... I think you could get away with 'are you 18 years or older?'
Also interesting to read
- All articles on GDPR/AVG at Marketingfacts (highly recommended)
- An AVG checklist at marketingfacts.co.uk
- Personal Data Authority: Cookies
- Authority Consumer and Market: Cookies
- Frankwatching: Cookie law changes in 2018 & these are the implications for your website
- GDPR Requirements in Plain English (Super extensive!)
- How Hotjar handles the transition, example
- "Data protection impact assessment (DPIA)"
- "What is GDPR? WIRED explains what you need to know"
- "EU GDPR and personal data in web server logs" by "The quite technical blog of Daniel Aleksandersen, a specialist in obscure details based in Oslo, Norway."
- New EU law prescribes website blocking in the name of "consumer protection"
- 12 common GDPR myths - Brainsum