What is the GDPR under EU law, and why should you care?

The General Data Protection Regulation (GDPR) is the most important and game-changing regulation yet in shaping how businesses must handle consumers’ data responsibly.

Consumers and producers today are more aware than ever of the privacy of the data they share online. With high-profile privacy breaches such as the Facebook privacy breach in 2018, businesses today could land in deep trouble under the new rules of the General Data Protection Regulation (GDPR). Find out more about the Facebook data privacy breach that led to a massive fine for Facebook and left 50 million users in doubt about the potential theft of their data by hackers.

With that said, after four years of deliberation and proposals, the GDPR was finally approved by the EU Parliament on 14 April 2016. It has been enforced since May 2018, and organizations that are not yet compliant with the GDPR could face heavy fines of up to a whopping 20 million euros!

A flurry of data breaches made it necessary for the Data Protection Directive 95/46/EC to be replaced with better rules, including:

  • Making organizations handle consumer data more responsibly
  • Harmonizing data privacy laws across Europe
  • Protecting and empowering all EU citizens and giving them more confidence in sharing their data with businesses

Remarkably, many companies have already updated their data protection rules in accordance with the GDPR. Those companies that have not yet complied will not only face heavy fines but are also losing credibility among consumers, as more consumers are now aware of their right to data protection under the GDPR.

Transparency in privacy policies and data sharing will no longer be optional but a compliance requirement. Therefore, it is important that your business clearly, precisely and concisely tells consumers how you collect, use and process their data. Bear in mind that sensitive data such as credit card information, bank account numbers, telephone numbers and addresses all come under the GDPR. The good news is that making organizational changes to support the new GDPR policies for your consumers doesn’t have to be that hard! Miss Legal is your go-to legal best friend for writing your policies and guiding you through them. We have already written privacy statements for various organizations.

 

Whom does the GDPR apply to?

The GDPR applies to any for-profit business that collects or needs to collect data such as a BSN number, telephone number, bank details, photos, religious preference, data about a person’s health, or any other data that counts as personal data. For instance, suppose your company provides car insurance. You would need to collect data such as customers’ bank account details for insurance payments, their address for sending newsletters or invoices, and perhaps also their health history to know whether they have a physical or mental disability that could interfere with the service you provide. Hence, you automatically become the controller and are therefore responsible for being compliant under the GDPR.

 

How does GDPR apply to you as a blogger/vlogger?

The new era of privacy regulation is here, and we are all responsible for being compliant. It demands an approach that provides data protection and safety by default. As a blogger or vlogger you want to generate as much traffic as possible to your website so that the number of visitors and readers of your website or channel grows. A large enough audience makes producers and investors want to place their ads on your website, with your readers as the audience for their products. For this purpose you may be using many approaches that may or may not be compliant under the GDPR. Take a deep breath, as Miss Legal has compiled its best tips and solutions to most of your queries.

Firstly, your goal is to generate as much traffic to your website as possible. You do this by producing content and through organic interaction with your customers. Your website and social media channels are your most important tools for this. It is also important for you to know what type of customers are visiting your website and what their preferences are, so that you can better customize your advertisements.

 

Website owners

The most important thing for your website is then your privacy statement. Your privacy statement must be tailored to your business activities and written clearly to the GDPR standards. It is mandatory to write your privacy statement in concise, precise, non-legal language. If an eighth grader cannot understand what your privacy statement says, then you need to take another look at it. You need to indicate, among other things: which data you process; for which purpose you use the data; the storage periods; that the customer has the right to access, modify and delete his data; that the customer has the right to easily obtain his data in order to take it with him and pass it on to another organization (data portability); and that the customer has the right to submit a complaint to the Dutch Data Protection Authority. Miss Legal has already made privacy statements for many entrepreneurs.

Want to be a safe entrepreneur in 2018 with a privacy statement tailored to your website and company? For the fixed price of € 225.00 ex VAT, you can order it directly here. In addition to updating your privacy statement, you also need to take care of the following items: do not use a ‘no-reply’ e-mail address anymore, provide an SSL security certificate, and use a cookie wall (or make sure you do not place tracking cookies).

Secondly, it may be that you are not directly collecting data from your customers but have hired someone for the task, such as an accountant managing all the nitty-gritty details of your company’s payments and finances. In that case, you need to have a contract in place between you and the accountant. Read on to find out what Miss Legal has to say about contracts with data processors.

 

Contracts with data processors

The processor agreement is a document that regulates the relationship between you and the party that receives personal data from you. Think, for example, of your accountant or website administrator. You often see that larger parties have drawn up such an agreement themselves (note: larger parties often try to impose more liability on you than is reasonable). However, as a controller you must ensure that, with each party that receives personal data from you, you determine exactly what will happen to that data. You should ensure that the following points are covered: which security measures are taken, whether sub-processors may be involved, who is liable in which situation, where the data is stored, and what happens to the personal data when the contract is concluded or terminated. It is very important that a processor agreement represents your interests well. We therefore strongly advise you not to pick one from the internet. Chances are that it was written specifically for a particular organization and therefore not for you, so you are still not covered in accordance with the new regulations. We at Miss Legal can draw up a clear, tailor-made processor agreement for you, which you can use for multiple processors, for the fixed price of € 385.00 ex VAT. You can order this directly here.

Thirdly, you may be thinking that you are a small entrepreneur and therefore not required to be compliant under the GDPR. But you may still be collecting some kind of data to run your small business, such as a home address if you have a webshop and need to deliver products to your customers. For that case, Miss Legal has compiled a simple set of tips and services for you below regarding the register of processing activities.

 

Internal Organization

The register of processing activities is a living document in which the processing activities of the organization are recorded. You should ensure that the following items are included: the name and contact details of the controller; what the processing purposes are, for example sending a newsletter or keeping financial records; what data is collected, for example contact details, name and address details or payment details; to whom the data is provided; the storage periods; and how the data is protected. You can easily set it up yourself, in Excel for example.

Basis for data use

Make sure you have a legal basis for every purpose for which you use personal data. The GDPR provides six legal bases, but for most purposes you must either request permission (consent) or rely on the ‘performance of the agreement’ basis. Requesting permission speaks for itself: you can request it via an opt-in, for example, or via a consent form. The performance-of-the-agreement basis applies, for example, when someone orders a product from you and you must deliver that product. You naturally need at least the name and address of that person, and you do not need separate permission to use this data. If you were not allowed to use this information (for that specific purpose!), you could not perform the agreement. PLEASE NOTE: if you also want to send this person a newsletter, you have to ask permission again. Sending a newsletter serves a different purpose!

Lastly, with the package of new rules under the GDPR, you may well not understand everything that is listed there, or you may still be operating under the old data protection laws. It may also happen that you unintentionally cause a data breach leading to the compromise of your customers’ data. With new technologies and an interconnected web that stores passwords, bank account information and much more, it may also happen that your website has simply been attacked by hackers looking to steal data. Whatever your case, a data breach is a serious crime that could land you in trouble for not being compliant under the GDPR. Do not worry: take a deep breath, assess your readiness, obtain and understand the information you need, and contact Miss Legal for legal assistance.

 

Data breach procedure

A data breach occurs when personal data is accessed, destroyed, modified or released without the organization intending this. To prepare for a possible data breach, you must record in a written procedure how you will deal with one. There are no formal requirements for this procedure; just like the register of processing activities, you can easily set it up yourself. Confidentiality clauses: through your agreements with your employees, partners and/or volunteers, you must ensure that they also comply with the GDPR. There is a confidentiality clause in most employment contracts, but hold it up to the light critically. Does it still comply? In short, prepare yourself in time with the aforementioned documents.

If you have any questions, please contact us!

 

About Miss Legal

Miss Legal is an international organization consisting of lawyers, tax specialists and private investigators. We are active in several countries and speak several languages. Through our sister company Bizzy Beezz Agency, we help entrepreneurs with entrepreneurship. Ask Miss Legal your question so that we not only help you, but also (anonymously) elaborate on your question in our blogs. In this way you also help others to get answers to their legal questions!

 
