What the General Data Protection Regulation (GDPR) means for your company
Privacy is a very big deal nowadays, especially since the massive worldwide digitalization of recent years. The way our data is handled needs to be supervised and regulated in order to prevent certain individuals from misusing or even stealing it. Did you know that privacy is even a human right? Personal data is extremely sensitive and prone to misuse; therefore, most countries have adopted legislation that strictly regulates the usage and processing of (personal) data. Next to national laws, there are also overarching regulations that influence national legislation. The European Union (EU), for example, implemented the General Data Protection Regulation (GDPR). This regulation has applied since May 2018 to any organization that offers goods or services on the EU market. The GDPR applies even if your company is not based in the EU but has customers from the EU. Before we get into the details of the GDPR and its requirements, let's first clarify what the GDPR aims to achieve and why it's important to you as an entrepreneur. In this article, we will thus explain what the GDPR is, why you should take appropriate actions to comply, and how to do this in the most efficient way possible.
What exactly is the GDPR?
The GDPR is an EU regulation that covers the protection of the personal data of natural persons. It is therefore solely aimed at the protection of personal data and not professional data or the data of companies. On the official website of the EU, it is described as follows:
“Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The corrected text of this regulation was published in the Official Journal of the European Union on May 23, 2018. The GDPR strengthens citizens' fundamental rights in the digital age and promotes trade by clarifying the rules for businesses in the Digital Single Market. This common set of rules has eliminated the fragmentation caused by divergent national systems and avoided red tape. The Regulation entered into force on May 24, 2016 and has been in effect since May 25, 2018. More information for companies and individuals.”
It is basically a means to ensure that personal data is handled safely by companies that need to handle data due to the nature of the goods or services they offer. For example, if you order a product on a website as an EU citizen, your data is protected by this regulation because you are based in the EU. As we explained briefly before, the company itself does not need to be established in an EU country to fall under the scope of this regulation. Every company that deals with customers from the EU needs to adhere to the GDPR, ensuring the personal data of all EU citizens is protected and safe. This way, you can rest assured that no company will use your data for other purposes than those specifically stated and outlined.
What is the specific purpose of the GDPR?
The main purpose of the GDPR is personal data protection. The GDPR wants all organizations, large and small, including yours, to think about the personal data they use and be very thoughtful and considerate about why and how they use it. Essentially, the GDPR wants entrepreneurs to be more aware when it comes to the personal data of their customers, staff, suppliers, and other parties they do business with. In other words, the GDPR wants to put an end to organizations that collect data about individuals simply because they are able to, without sufficient reason, or because they believe they can somehow benefit from it now or in the future, without much attention and without informing you. As you will see in the information below, the GDPR actually doesn't prohibit much. You can still participate in email marketing, you can still advertise, and you can still sell and use the personal data of customers, as long as you provide transparency on how you respect the privacy of individuals. The regulation is more about providing sufficient information about the way you use the data, in order for your customers and other third parties to be informed about your specific goals and actions. This way, every individual can provide you with their data based on informed consent, at the very least. Suffice to say, you need to do as you say and not use the data for other purposes than what you stated, since this might result in very hefty fines and other consequences.
Entrepreneurs to whom the GDPR applies
You might ask yourself, "Does the GDPR also apply to my company?" The answer to this is fairly simple: if you have a customer base or personnel administration with individuals from the EU, then you process personal data. And if you process personal data, you must comply with the General Data Protection Regulation (GDPR). The law determines what you can do with personal data and how you must protect it. It is therefore always important for your organization, as it is mandatory for all companies dealing with EU individuals to comply with the GDPR. All of our professional and personal interactions are increasingly digital, so considering the privacy of individuals is simply the right thing to do. Customers expect their beloved stores to handle the personal data they provide with care, so having your own internal GDPR policies in order is something you can be proud of. And, as an added bonus, your customers will love it.
When you handle personal data, according to the GDPR, you are almost always processing this data as well. Think of collecting, storing, modifying, supplementing, or forwarding data. Even anonymizing or deleting data counts as processing it. Data is personal data if it concerns people that you can distinguish from all other people. That’s the definition of an identified person, which we will discuss in detail later in this article. For example, you have identified a person if you know their first name and last name, and this data also matches the data on their officially issued means of identification. As an individual involved in this process, you have control over the personal data you provide to organizations. First of all, the GDPR gives you the right to be informed about the specific personal data that organizations use and why. At the same time, you have the right to be informed about how these organizations guarantee your privacy. In addition, you can object to the use of your data, request that the organization delete your data, or even request that your data be transferred to a competing service. So, in essence, the individual to whom the data belongs chooses what you do with the data. This is why you need to be meticulous as an organization with the information you provide regarding the exact use of the personal data you acquire, as the individual the data belongs to needs to be informed about the reasons their data is processed at all. Only then is an individual able to decide whether you are using the data correctly.
Which data is involved exactly?
Personal data plays the most important role within the GDPR. Protecting the privacy of individuals is the starting point. If we read the GDPR guidelines carefully, we can divide data into three categories. The first category is personal data in the strict sense. This can be categorized as all information about an identified or identifiable natural person. For example, his or her name and address details, e-mail address, IP address, date of birth, current location, but also device IDs. Personal data is all information by which a natural person can be identified. Note that this concept is interpreted very broadly. It is certainly not limited to a surname, first name, date of birth, or address. Certain data - which at first sight has nothing to do with personal data - can still fall under the GDPR once certain information is added to it. It is therefore generally accepted that even (dynamic) IP addresses, the unique number combinations with which computers communicate with each other on the internet, can be regarded as personal data. This must, of course, be assessed for each specific case, so consider carefully which data you process.
The second category is so-called pseudonymous (pseudo-anonymous) data: personal data processed in such a way that it can no longer be traced back to a person without the use of additional information, but that still makes a person unique. For example, an encrypted e-mail address, user ID, or customer number that is only linked to other data via a well-secured internal database. This also falls within the scope of the GDPR. The third category consists of entirely anonymous data: data from which everything that would allow tracing back to a person has been deleted. In practice, this is often difficult to prove, unless the personal data is traceable in the first place. Anonymous data is therefore outside the scope of the GDPR.
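The difference between the three categories is easiest to see in code. The following is an added example, not part of the original article: it pseudonymises constructed sample orders with a keyed hash (HMAC-SHA256) whose key and re-identification table are held apart from the dataset, and separately anonymises the same orders by dropping direct identifiers and coarsening the remaining ones. The record fields, the `Pseudonymiser` class and the `customer_id` / `age_band` names are assumptions made for the illustration.

```python
"""Pseudonymous vs anonymous data (added example, not from the article)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample orders; these people and addresses do not exist.
ORDERS = [
    {"email": "anna@example.com", "age": 34, "city": "Utrecht", "total": 49.90},
    {"email": "bob@example.com", "age": 51, "city": "Leiden", "total": 12.00},
    {"email": "anna@example.com", "age": 34, "city": "Utrecht", "total": 7.50},
]


class Pseudonymiser:
    """Replaces a direct identifier with a keyed token.

    The secret key and the lookup table are the "additional information"
    the GDPR refers to: whoever holds them can link a token back to a
    person, so they must be stored apart from the pseudonymised dataset.
    """

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key or secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}  # token -> e-mail, kept with the key

    def token(self, email: str) -> str:
        # Normalise first so the same person always gets the same token.
        normalised = email.strip().lower().encode()
        tok = hmac.new(self.key, normalised, hashlib.sha256).hexdigest()[:16]
        self._lookup[tok] = email
        return tok

    def reidentify(self, tok: str) -> Optional[str]:
        """Only works for the party that holds this key and table."""
        return self._lookup.get(tok)


def pseudonymise(records: List[dict], p: Pseudonymiser) -> List[dict]:
    """Swap the e-mail for a token; rows of one person stay linkable,
    so the result is still personal data under the GDPR."""
    out = []
    for r in records:
        copy = dict(r)
        copy["customer_id"] = p.token(copy.pop("email"))
        out.append(copy)
    return out


def anonymise(records: List[dict]) -> List[dict]:
    """Drop identifiers and coarsen quasi-identifiers (age -> decade band).

    Whether the output is truly anonymous still needs a case-by-case
    assessment against what other data a recipient could combine it with.
    """
    return [{"age_band": f"{(r['age'] // 10) * 10}s", "total": r["total"]}
            for r in records]


if __name__ == "__main__":
    shop = Pseudonymiser()
    for row in pseudonymise(ORDERS, shop):
        print("pseudonymous:", row)
    for row in anonymise(ORDERS):
        print("anonymous:   ", row)
```

Run it and note that Anna's two orders share one `customer_id` (the data still singles her out), that only the holder of the key can reverse the token, and that the anonymised rows carry nothing that distinguishes one customer from another.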
Who is qualified as an identifiable person?
It can sometimes be a bit difficult to define who falls under the scope of an ‘identifiable person’, especially since there are many fake profiles on the internet, such as people with fake social media accounts. In general, you can presume that a person is identifiable when you can trace back their personal data without too much effort. Think, for example, of customer numbers that you can link to account data, or a phone number that you can easily trace and thus figure out to whom it belongs. This is all personal data. If you have problems identifying someone, it is necessary to do a bit more research. You can ask the person for a valid form of identification, just to be sure you know who you are dealing with. You can also look in verified databases to acquire information regarding someone’s identity, such as a digital telephone book (which actually still exists). If you are unsure whether a customer or other third party is identifiable, try to contact that customer and ask for personal data. If the person doesn’t answer your query, it’s generally best to delete all the data you have and discard the information you were provided with. Chances are, someone is using a fake identity. The GDPR aims at protecting individuals, but you as a company also need to take appropriate steps to protect yourself from fraud. Unfortunately, people are able to use fake identities, so it’s important to be vigilant about the information people provide. When someone uses someone else’s identity, this might have serious repercussions for you as a company. Due diligence is advised at all times.
Legitimate reasons to use third-party data
A main component of the GDPR is the rule that you should only use third-party data for specified and legitimate purposes. Building on the requirement of data minimization, the GDPR prescribes that you may only use personal data for a stated and documented business purpose, supported by one of the six available GDPR legal bases. In other words, your use of personal data is limited to a stated purpose and legal basis. Any processing of personal data you undertake must be documented in a GDPR register, along with its purpose and legal basis. This documentation forces you to think about each processing activity and carefully consider the purpose and legal basis for it. The GDPR provides six legal bases, which we outline below.
- Contractual obligations: Personal data must be processed in order to enter into a contract. Personal data may also be used when performing a contract.
- Consent: The user gives explicit permission for the use of his/her personal data or the placing of cookies.
- Legitimate interest: Processing of personal data is necessary for the purposes of the legitimate interests of the controller or a third party. Balance is important in this case: the processing must not override the data subject's personal freedoms.
- Vital interests: Data may be processed when situations of life or death arise.
- Legal obligations: Personal data must be processed because the law requires it.
- Public interests: This mainly has to do with governments and local authorities, such as risks regarding public order and safety and the protection of the public in general.
These are the legal bases that allow you to store and process personal data. Oftentimes, some of these reasons might overlap. That is generally not an issue, as long as you can explain and prove that there is actually a legal basis. When you lack a legal basis for the storage and processing of personal data, you might be in trouble. Keep in mind that the GDPR has the protection of the privacy of individuals in mind, hence the reason there are only limited legal bases. Know and apply these, and you should be safe as an organization or company.
The data the GDPR applies to
The GDPR, at its core, applies to the processing of data that is either fully or at least partially automated. This entails data processing via a database or computer, for example. But it also applies to personal data that is included in a physical file, such as files stored in an archive. These files need to be substantial in the sense that the data included is connected to some order, file, or business dealing. If you own a handwritten note with only a name on it, it doesn’t qualify as data under the GDPR. This handwritten note might be from someone who is interested in you or otherwise be of a personal nature, after all. Some common ways data is processed by companies include order management, a customer database, a supplier database, staff administration, and, of course, direct marketing, such as newsletters and direct mailings. The person whose personal data you process is called the "data subject." This can be a customer, newsletter subscriber, employee, or contact person. Data regarding companies is not viewed as personal data, whereas data about sole proprietorships or self-employed persons is.
Rules regarding online marketing
Tips and ways to comply with the GDPR
The most important thing, of course, is that you, as an entrepreneur, comply with legal regulations and rules, such as the GDPR. Fortunately, there are ways to comply with the GDPR with as little effort as possible. As we already discussed, the GDPR in itself doesn’t actually prohibit anything, but it does set strict guidelines for the way in which personal data can be processed. If you don’t adhere to the specific guidelines and use the data for reasons that aren’t mentioned in the GDPR or fall outside its scope, you risk fines and even worse consequences. Next to that, keep in mind that all parties with whom you work will respect you as a business owner when you also respect their data and privacy. This will provide you with a positive and trustworthy image, which is genuinely good for business. We will now discuss some tips that will make compliance with the GDPR an easy and efficient process.
1. Map out which personal data you process in the first place
The first thing to do would be to research which exact data you need and to what end. Which information are you going to collect? How much data do you need to achieve your goals? Just a name and email address, or do you also need extra data such as a physical address and phone number? You also need to create a processing register in which you list which data you keep, where it comes from, and with which parties you share this information. Also take into account the retention periods, because the GDPR states that you must be transparent about this.
2. Make privacy a priority for your business in general
Privacy is a very important topic, and this will stay this way in the (un)foreseeable future, since technology and digitalization are only progressing and increasing. Thus, it is very important that you, as an entrepreneur, inform yourself about all necessary privacy regulations and prioritize this whilst doing business. This will not only ensure that you are compliant with all applicable laws, but it will also build an image of trust for your company. So, as an entrepreneur, immerse yourself in the GDPR rules or otherwise seek advice from legal experts, so you can be sure that you are doing business legally when it comes to privacy. You need to find out which exact rules your company must comply with. The Dutch authorities can also help you on your way with tons of information, tips, and tools to use on a daily basis.
3. Identify the correct legal basis for processing personal data
4. Try to minimize your data usage as much as possible
You, as an organization, must ensure that you collect only the minimum data elements to achieve a certain goal. For example, if you sell goods or services online, your users usually only need to provide you with an email and a password for the registration process to run smoothly. There is no need to ask customers for their gender, place of birth, or even their address as part of the registration process. Only when users continue to purchase an item and want to have it shipped to a certain address does it become necessary to ask for more information. You then have the right to request the user's address at that stage, as this is essential information for any shipping process. Minimizing the amount of data collected minimizes the impact of potential privacy or security-related incidents. Data minimization is a core requirement of the GDPR and extremely effective in protecting your users' privacy since you only process the information you need and nothing more.
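Tip 1 (the processing register with retention periods) and tip 4 (data minimization) can be enforced by the same small piece of code. The following is an added example and not part of the original article: a constructed register for a web shop, a completeness check that every activity has a documented purpose, one of the six legal bases, a field list and a retention period, a check that a form does not submit fields the activity has no documented need for, and a check that finds records whose retention period has elapsed. The activity names, field names, retention periods and the `ProcessingActivity` structure are all assumptions made for the illustration.

```python
"""Processing register, data-minimisation and retention checks
(added example, not from the article)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# The six legal bases named in the article, as identifiers (assumed naming).
LEGAL_BASES = {
    "contract", "consent", "legitimate_interest",
    "vital_interest", "legal_obligation", "public_interest",
}


@dataclass(frozen=True)
class ProcessingActivity:
    """One register entry: what is processed, why, on which legal basis,
    where it comes from, who receives it and how long it is kept."""
    name: str
    purpose: str
    legal_basis: str
    fields: Tuple[str, ...]
    source: str
    recipients: Tuple[str, ...]
    retention_days: int


# Constructed register for a small web shop (assumed content).
REGISTER = [
    ProcessingActivity("account", "let the customer log in and see orders",
                       "contract", ("email", "password_hash"),
                       "customer via sign-up form", (), 365 * 2),
    ProcessingActivity("shipping", "deliver purchased goods",
                       "contract", ("email", "name", "address"),
                       "customer at checkout", ("courier",), 365 * 7),
    ProcessingActivity("newsletter", "send marketing e-mails",
                       "consent", ("email",),
                       "customer via opt-in checkbox", ("mailing provider",), 365 * 2),
]


def validate_register(register: List[ProcessingActivity]) -> List[str]:
    """Return the problems found; an empty list means every entry is complete."""
    problems = []
    for a in register:
        if a.legal_basis not in LEGAL_BASES:
            problems.append(f"{a.name}: unknown legal basis {a.legal_basis!r}")
        if not a.purpose.strip():
            problems.append(f"{a.name}: purpose not documented")
        if a.retention_days <= 0:
            problems.append(f"{a.name}: retention period not documented")
        if not a.fields:
            problems.append(f"{a.name}: no data fields listed")
    return problems


def excess_fields(activity: ProcessingActivity, submitted: Dict[str, str]) -> List[str]:
    """Data minimisation: fields a form sends that the activity has no
    documented need for. A sign-up form asking for gender or birthplace
    shows up here and should be trimmed."""
    return sorted(set(submitted) - set(activity.fields))


def overdue_records(activity: ProcessingActivity, records: List[dict],
                    today: date) -> List[str]:
    """IDs of records whose retention period has elapsed; these are due
    for deletion (or anonymisation) under the register's own terms."""
    limit = timedelta(days=activity.retention_days)
    return [r["id"] for r in records if r["collected_on"] + limit < today]


if __name__ == "__main__":
    print("register problems:", validate_register(REGISTER))
    signup = {"email": "a@example.com", "password_hash": "x",
              "gender": "f", "birthplace": "Leiden"}
    print("fields to drop from sign-up form:", excess_fields(REGISTER[0], signup))
    subscribers = [{"id": "n1", "collected_on": date(2021, 1, 1)},
                   {"id": "n2", "collected_on": date(2024, 6, 1)}]
    print("newsletter records past retention:",
          overdue_records(REGISTER[2], subscribers, date(2024, 9, 1)))
```

Running `overdue_records` on a schedule, fed from the retention periods in the register, turns the "be transparent about retention" requirement into something the system actually does rather than a statement in a privacy policy.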
5. Know the rights of the people whose data you process
An important part of becoming knowledgeable about the GDPR is informing yourself about the rights of your customers and other third parties whose data you store and process. Only by knowing their rights can you protect yourself and avoid fines. The GDPR has introduced a number of important rights for individuals, such as the right to inspect their personal data, the right to have data corrected or deleted, and the right to object to the processing of their data. We will discuss these rights briefly below.
- The right of access
The right of access means that individuals have the right to view and consult the personal data processed about them. If a customer asks for this, you are therefore obliged to provide them with it.
- The right to rectification
Rectification is the same as correction. The right to rectification therefore gives individuals the right to make changes and additions to the personal data that an organization processes about them, to ensure that this data is processed correctly.
- The right to be forgotten
The right to be forgotten means exactly what it says: the right to be 'forgotten' when a customer specifically asks for this. An organization is then obliged to delete their personal data. Do note that if there are legal obligations involved, an individual cannot invoke this right.
- The right to restrict processing
This right gives an individual as a data subject the opportunity to restrict the processing of their personal data, which means that they can ask to have less data processed, for example, if a company asks for more data than is absolutely necessary for the process involved.
- The right to data portability
This right means that an individual has the right to transfer their personal data to another organization. For example, if someone goes to a competitor or a staff member goes to work for another company, and you transfer data to this company,
- The right to object
The right to object means that an individual has the right to object to the processing of their personal data, for example, when the data is used for marketing purposes. They can exercise this right for specific personal reasons.
- The right not to be subject to automated decision-making
Individuals have the right not to be subject to fully automated decision-making, without human intervention, that produces legal effects for them or has similarly significant consequences. An example of automated processing is a credit rating system that fully automatically determines whether you are eligible for a loan.
- The right to information
This means that an organization must provide individuals with clear information about the collection and processing of their personal data when an individual asks for this. An organization must be able to indicate which data they process and why, according to the GDPR principles.
By familiarizing yourself with these rights, you can better foresee when customers and third parties might inquire about the data you are processing. You will then find it much easier to oblige and send them the information they are requesting, because you were prepared. It can save you a lot of time to always be prepared for inquiries and have the data at hand and ready, for example, by investing in a good customer management system that allows you to pull the necessary data fast and efficiently.
What happens when you do not comply?
We already touched on this subject briefly before: there are consequences when you do not comply with the GDPR. Again, be informed that you don’t need to have a company based in the EU to be required to comply. If you have even one customer that is based in the EU whose data you process, you fall under the scope of the GDPR. The competent data protection authority in each country can impose fines at two levels, and the level is determined by the specific violation. Level one fines cover violations such as processing personal data of minors without parental consent, failure to report a data breach, and cooperating with a processor that does not provide sufficient guarantees in terms of required data security. These fines can amount to up to 10 million euros or, in the case of a company, up to 2% of your total worldwide annual turnover from the previous financial year.
Level two applies if you commit fundamental offenses, for example, failure to comply with the data processing principles, or if an organization cannot demonstrate that the data subject has actually given consent to the data processing. If you fall under the scope of level two fines, you risk a maximum fine of 20 million euros, or up to 4% of your company's global turnover. Do note that these are maximum amounts; the actual fine depends on your personal situation and your business’ yearly revenue, amongst other factors. In addition to fines, the national data protection authority may also impose other sanctions. These can range from warnings and reprimands to the temporary (and sometimes even permanent) cessation of data processing, for example, because you have repeatedly committed offenses. In that case, you may temporarily or permanently no longer process personal data through your organization, which will essentially make it impossible for you to do business. Another possible GDPR sanction is the payment of damages to users who file a well-founded complaint. In short, be vigilant about the privacy and personal data of individuals to avoid such hefty consequences.
Do you want to know whether you are GDPR-compliant?
If you are planning on starting a business in the Netherlands, you will have to comply with the GDPR. If you are doing business with Dutch customers, or customers based in any other EU country, you will also have to adhere to this EU regulation. If you don’t know for sure whether you fall under the scope of the GDPR, you can always contact Intercompany Solutions for advice on the subject. We can assist you in finding out whether you have the applicable internal regulations and processes in place and whether the information you provide to third parties is sufficient. Sometimes it can be very easy to overlook important information that could nonetheless get you in trouble with the law. Remember: privacy is an extremely important topic, so it’s essential that you are always up-to-date regarding the latest regulations and news. If you have any questions about this subject or would like more information about business establishment in the Netherlands, feel free to contact Intercompany Solutions anytime. We will gladly assist you with any query you might have, or offer you a clear quote.