General Data Protection Regulation (GDPR)
On the 25th of May 2018, the Dutch privacy law (Wet bescherming persoonsgegevens) was overhauled by a European privacy regulation, the ‘General Data Protection Regulation’ (GDPR). This regulation will ensure that the same privacy rules apply throughout the entire EU and will entail substantial changes for businesses and industry.
Two of those changes are the requirements of ‘privacy by design’ and ‘privacy by default’. Broadly speaking, this means that privacy must be taken into account throughout the entire process in which products and services are developed. This can be achieved by using techniques such as pseudonymisation and by processing as few personal data as possible, i.e. by processing only the necessary personal data. This requirement of necessity also applies to the accessibility of data (i.e. who has access to which data) and the period for which data are retained. The default settings of a product or service must also be as privacy-friendly as possible. Products and services will therefore have to be developed and designed in such a way as to ensure that they are ‘privacy proof’.
Personal data must be protected adequately, via technical and organisational measures. For example: passwords, encryption, secure (SSL/TLS) network connections and pseudonymisation of data. Technical norms such as the ISO 27001 are not mandatory, but in practice they are the best way to make sure a service provider uses adequate protection. Service providers who are able to provide a statement from an independent auditor offer even more security. The most well-known statements are the ISAE 3402 and the SSAE No. 16. When you exchange data within the iSHARE Trust Framework and you adhere to the iSHARE technical specifications, this means that you comply with GDPR with respect to the technical security measures required for the exchange of personal data.
Although the majority of data shared via the iSHARE Trust Framework may not be personal data, there could be personal data involved. For example, data relating to employees or clients of participating parties. If personal data is shared via the iSHARE Trust Framework, the participating parties will need to have a legal basis to do so. A legal basis can be, for example, consent of the data subjects, or an agreement to which the data subject is a party.
When data is exchanged between two data controllers, both need a legal basis for this. A data exchange agreement then also needs to be concluded. When a data processor processes personal data on behalf of the controller, they are obliged to enter into a data processing agreement. The GDPR explains what such an agreement should contain.
Within the iSHARE Trust Framework, the participating parties are in control with respect to the types and amount of data they like to share and in this respect should also easily facilitate the conclusion of data processing or data sharing agreements. To facilitate participants in their GDPR compliance efforts between themselves, two contract templates can be used: depending on the role of the respective parties, they can either use the Data Processing Agreement or the Data Exchange Agreement as a basis for their contractual arrangements. Before using any of these contract templates, it should first and foremost be assessed whether the personal data can actually be lawfully processed or exchanged.
In certain cases, the GDPR requires that the privacy effects of a project are assessed in advance (a Privacy Impact Assessment). This is the case when the processing of personal data constitutes a high risk for the data subjects. For certain companies, for example, companies which monitor individuals or systematically process sensitive data, it will become mandatory to have a Privacy Officer.
For more information on how GDPR affects you, we provide a GDPR Factsheet.