Netherlands - Dutch DPA publishes GDPR guidance

Published 22 June 2017

The Dutch Personal Data Protection Authority (the Autoriteit Persoonsgegevens, the "Regulator") has published a 'Prepared in 10 steps' plan to help organisations get ready for the GDPR (the "Plan"). According to the Regulator, the 10 most important steps to take are:

  1. Create awareness – make sure that everyone who needs to know about any changes in the data protection regime is aware of the arrival of the GDPR. Those whose work will be impacted by GDPR need to have time and resources to assess what the implications of the GDPR will be.
  2. Data subject rights – GDPR will broaden the rights of data subjects. Make sure data subjects know what their rights are and how they can exercise these rights.
  3. Records – document the data processing that takes place, its purpose, where the data comes from and with whom the data is shared (sometimes referred to as "data mapping"). Under the GDPR organisations have a duty to keep records of this information. It will also be of use when data subjects seek to exercise their rights.
  4. PIAs – conduct a privacy impact assessment ("PIA") to assess the risk of any processing activity. If a PIA shows that the processing will be high risk and these risks cannot be mitigated properly, prior consultation with the Regulator will be necessary.
  5. Privacy by design and privacy by default – the Regulator explains in its plan what these concepts mean and advises organisations to become familiar with the concepts as the GDPR requires them to be incorporated in business processes.
  6. DPO – determine if your organisation needs a Data Protection Officer ("DPO").
  7. Data breach notification duty – the GDPR requires organisations to document any data breaches that have taken place. As under current law, the GDPR requires notification to the Regulator in the event of a data breach.
  8. Processor agreements – assess whether your agreements with data processors are GDPR compliant and if not, amend.
  9. Lead supervisory authority – if your organisation operates in multiple EU countries or your data processing impacts citizens in different EU countries, you will be allowed to deal with one data protection supervisory authority. Determine who your leading supervisory authority is.
  10. Consent – the rules on consent-based processing will become more strict. Evaluate the way your organisation obtains and registers consent for data processing. Adjust these processes if necessary.

A copy of the plan can be accessed here.

Key Contacts

Rhiannon Webster

London - Walbrook

+44 (0)20 7894 6577
