Your email address, health statement or salary details are personal data that you would rather keep to yourself. But sometimes you have to share this information, for example to open a bank account or apply for a mortgage.
The General Data Protection Regulation (GDPR) was put in place to ensure that you maintain control of your privacy. With this regulation, the European Union wants to centralise policy, provide better protection for its citizens and stimulate more innovation concerning personal data.
The GDPR succeeds the 1995 European Data Protection Directive. That legislation is outdated because it does not take sufficient account of modern developments such as social media, cloud storage and cybercrime.
The GDPR is focused on broader protection for EU citizens. Organisations must now inform their customers, proactively and on request, about how their personal data is collected and processed. It must be possible to transfer the data easily to another service provider, or to delete the data in its entirety if the privacy of the person in question outweighs the interests of the user, even where the data has been shared with third parties. In addition, in most cases it is mandatory to report a data leak within 72 hours; this has been the case in the Netherlands since 2016.
Organisations that use personal data on a large scale, or whose processing carries special risks, are required to have a Data Protection Officer. The primary task of the Officer is to safeguard the privacy of prospects, customers and employees, for example by coordinating and updating the records of processing activities and by encouraging transparency about how data is used.
A first step toward preventing damage, loss or violation of personal data is good technical and organisational security, for example making regular back-ups and using encryption to prevent or limit access by others. If a leak occurs despite these measures, it must be identified and reported quickly. Doing so limits the damage to the person(s) involved, and limits the reputational damage and fines for the organisation in question, which can amount to 4% of its total turnover.
The priority is to minimise data storage. Organisations may only use personal data for a specific, previously defined purpose, and only on one of the six legal grounds for processing. If this is no longer the case and the retention period has expired, the personal details must be removed immediately.
When an agreement is terminated, the service provider must remove the data at the end of the retention period and must be able to demonstrate that this has been done by keeping records that can be examined on demand.
Sharing personal data always carries some degree of risk, whether large or small. Our tip: be aware of what data you are sharing, why, and with whom.