GDPR from CleanJack
As of May 2018, the GDPR will be enforced in Europe. On this page you will find how this affects your organization and how our software makes you ready to comply with the GDPR.
About the GDPR
Privacy is increasingly important in today’s information technology era. We want to know what happens to our data and want to prevent this data from ending up on the street.
The EU has a privacy law: the General Data Protection Regulation (GDPR). In the Netherlands and Belgium, this law is known as the Algemene Verordening Gegevensbescherming (AVG). This law has been introduced to give us the confidence that everything is being done to ensure that our data is not simply used for processes of which we have no knowledge, or that we do not want to end up on the street.
This law – which already came into effect in 2016 – will be enforced from May 25, 2018. This means that when you collect personal data, you must comply with the rules of the GDPR.
We are happy to tell you where CleanJack can help you comply with this law. If you do not comply with the rules, fines can amount to as much as four percent of annual turnover.
The GDPR and CleanJack
To explain the consequences of this law in an understandable way, we have divided it into two parts: People and Technology.
People
This concerns, for example, a user of the software, an employee of an organization or a contact recorded in the CRM system. For CleanJack, the three most important pillars of the Act in this area are:
- Transparency: companies must inform citizens in an understandable way about how their data is collected and processed.
- Right to be forgotten: companies must be able to erase personal data if the person in question requests it and no valid counterargument can be given.
- Notification obligation in case of data leaks: companies are obliged to report a data leak within 72 hours, unless they can demonstrate that the leak does not endanger the personal data collected.
Personal data refers to all information that can be used to identify a citizen: name, telephone number, address, email address, photos, and more. Are you wondering whether the GDPR applies to your organization? It’s very simple: if you work with any of the above data, the AVG/GDPR applies to your organization as well.
Individuals are given the right to correct their data or have it deleted. Furthermore, each person must give specific, freely given, informed and unambiguous consent. In other words: for every form or newsletter permission, you as a company must specifically explain what will happen to the personal data provided. This often means that you have to adapt your business operations accordingly.
Technology
In our software, the GDPR is taken into account on the following legislative points.
Right to be forgotten
The ‘right to be forgotten’ can easily be implemented by blocking the data in question from use, deleting it or making it unrecognizable. Within CleanJack there are several options:
- Block before use. It is possible to block data that is no longer in use, so that use (or misuse) of that data is prevented.
- Deleting personal data (person, organization, employee, etc.) is also possible, but remember that ‘deletion’ really is deletion. Once deleted, data cannot be recovered.
- Data is sent anonymously.
The legislation pays a lot of attention to this, and it is closely tied to being able to export personal data so that it can be used again in other situations. The current options in our software are sufficient to comply with the legislation.
Use of data
The use of the various personal data must be in accordance with the purpose for which the data was collected. For example, a manager who assesses an employee’s leave does not necessarily need to see the employee’s BSN (Dutch citizen service number).
Overview of where personal data is used
The software shows in one overview where this personal data is used.
Important pillars of the GDPR
What do you have to do, and what does CleanJack do?
1. Make an overview of the processing operations
Provide insight into how and which personal data your organization processes. It must be clear which personal data is used, for what purpose, where it is stored and who has access to that data. Make a Privacy Impact Assessment (PIA); a template is often available through your own trade association. According to the GDPR, organizations are obliged to identify the risks of data processing in advance.
In CleanJack you can see which fields are person fields. You also have the option to see where this data is used.
2. Take privacy by design & privacy by default into account
Privacy by design means that you take the protection of privacy-sensitive information into account when designing (new) products and services.
Privacy by default means that you only process those personal data that are necessary for the specific purpose.
As an organization, you always remain responsible for who, where and what data is allowed to be processed.
When developing (new) functions, CleanJack already takes privacy into account as standard. Since data is stored only once in the database and access rights are managed in a single, uniform way, privacy by design is guaranteed.
3. Comply with the Data Leak Reporting Obligation
We increasingly read that hackers have captured personal data and made it available somewhere in order to profit from it. But also keep in mind that you can ‘just’ lose a laptop unintentionally. These are serious business risks. In all circumstances, you must inform those involved about the data breach. Moreover, you should do everything you can to prevent one.
What are the risks for your organization? Review your procedures for documenting and reporting data breaches. In the GDPR, the obligation to report data leaks is expanded with the obligation to document all data leaks, so that they can be assessed by the Dutch Data Protection Authority.
CleanJack supports you in preventing a data breach and helps you register it. We provide a standard workflow ‘Data breach notification’.
4. How do you request and register permission?
The new legislation sets stricter requirements for the consent that people must give for data processing. Evaluate the way you ask people for permission to process their personal data, and also how you register that permission. You must be able to demonstrate that valid consent has been received from each person.
You enter into a processing agreement with parties that process personal data on your behalf. We would be happy to send you an example.