Since 25 May 2018, the General Data Protection Regulation (GDPR) has applied across the entire European Union. Under this law, customers and staff have more control over their data. Companies have more obligations when processing personal data due to the tightening of privacy rules. If you do not comply with the GDPR, the Dutch Data Protection Authority can impose a fine. This blog contains the checklist you can use to make sure you comply with the GDPR.
The first step to ensure you comply with GDPR legislation is to check whether the personal data may be stored and processed. There are six legal bases under which you may process personal data. You decide for yourself which of these six applies. One of the legal bases is asking the individuals themselves for consent. This is the most common legal basis.
It must be clear to customers, staff and visitors which data is being stored. Write a privacy statement they can read so they know exactly what they are agreeing to or declining. Your privacy statement must clearly state which personal data you retain, how long you retain it, why you retain the data, where the personal data is stored and with whom it is shared. It is most convenient to place your privacy statement in the footer of your website. It needs to be easy to find, and this way your privacy statement is accessible from every page of your website.
Data minimisation is an important principle under the GDPR. When collecting and processing personal data, you may not use more of it than is necessary: only the data that is genuinely needed to achieve the stated purpose may be used. For example, it is not necessary to ask for both an email address and a phone number. If you may collect and process one of those data points, that is enough to get in touch.
Customers or visitors must be able to unsubscribe from emails. That is why it is important that you, as a company, add an unsubscribe link to your emails so that customers or visitors can opt out. With HubSpot this is easy to add to messages.
A processing register is almost always mandatory for an organisation. You must be able to produce it whenever the Dutch Data Protection Authority requests it. The register of processing activities must include the following information:
Need help making your company GDPR compliant, or want more information? We are happy to help! Feel free to contact us.