According to the GDPR, organizations are obliged to take technical and organizational measures to protect personal data against, for example, loss or unlawful use. In addition, 2 obligations have been introduced in the GDPR: privacy by design and privacy by default.
Privacy by design means that when designing its products and services, the organization ensures that personal data is properly protected and that as little data as possible is processed. The latter means only those data that are necessary for the purpose of the processing.
Privacy by default means that the organization must take technical and organizational measures to ensure that it only processes personal data in the standard privacy setting (of websites, apps, electronic forms, etc.) that are necessary for the specific purpose that it wants to achieve. Below are two examples:
- If you offer an online forum, the most privacy-friendly setting should be the default. This is, for example, the setting where the forum member is anonymous, so that other forum members cannot see who posts the messages. The forum member must then (consciously) choose to make his or her personal data public Derecho al olvido ley españa.
- If someone wants to sign up for an activity or the newsletter, or wants to donate money, you may not ask for more information than is necessary for the implementation of the registration or the donation.
TO DO
Map out for each processing which technical measures you can take to process as little personal data as possible. See whether personal data can be destroyed, anonymized or encrypted or should be better protected. Implement the measures.
Check per processing whether you only ask for data that is really necessary for the specific purpose in the standard privacy setting (of, for example, your website, web applications or forms). Delete the fields for the unnecessary data.
The GDPR obliges you to report data breaches. All data breaches must be documented in a register. With this documentation, the Dutch Data Protection Authority must be able to check whether the reporting obligation has been complied with.
There is a data breach if a security incident has occurred, in which personal data has been lost and/or where the unlawful use thereof cannot be ruled out. Examples include: loss of a USB stick, theft of a laptop, burglary by a hacker.
The data breach must be reported immediately, within 72 hours, to the Personal Data Authority, unless it is unlikely that the data breach will lead to a high risk for the rights and freedoms of the data subjects. It is important here what kind of personal data has been leaked. If special personal data, such as health data, have been leaked, notification is usually necessary.
If the data breach is likely to cause a major risk to the rights and freedoms of the data subjects, the data breach must also be reported to the data subject.