GDPR (part 4 of 5): Finishing touches
It is highly unlikely that the renewed privacy terms and conditions notifications have escaped you in the last few weeks when using the services and products of organizations such as Facebook, Google, Apple or Windows. All organizations and companies that operate or offer services within the European Union are obliged to comply with the obligations of the GDPR. The GDPR is therefore much larger than the mere changes within the university.
The current national privacy act (Wet bescherming persoonsgegevens) will expire next week, on Friday the 25th of May, at which point the GDPR will come into force. With just over a week left, it is high time for a recap and the finishing touches to the preparations.
Making an inventory and data minimization
The GDPR has been extensively discussed in the previous sections. Data minimization has emerged as one of the most important underlying philosophies of the GDPR. Until recently, it was very common to collect as much data as possible for a relatively simple process under the guise of 'Information is power'. On the other hand, the GDPR is being introduced at a time when people have never before voluntarily shared so much of their personal data digitally as they do today. Despite this paradox, the GDPR is nevertheless a necessary and valuable addition to ensure the legitimate use of personal data and to prevent abuse.
It is therefore important to delete unnecessary personal data and to limit it in the future. Restricting access for unauthorized users is also important. For example, by creating a closed SharePoint work environment or encrypting files with a password, you limit the chance that unauthorized persons can access the data.
Do’s, don’ts and alternatives
In the second week, we discussed which 'quick wins' could be gained with the GDPR by adjusting current daily work methods. For example, simple routines such as locking your PC when you leave your workplace (with the shortcut combination: WINDOWS + L), keeping your desk tidy and putting recipients in BCC when sending e-mails to more than one person can contribute to the safe handling of personal data.
We also discussed the use of services and software programs for which the university has not formalized a data processing agreement with the makers and/or developers. In the event that a data processing agreement is absent, the processing of personal data by these systems is not legitimate. In most cases, alternatives are available, such as the services that are provided by SURF. If you are not sure whether the university has a processing agreement for a service, or if alternatives are not available, you can indicate this to the information manager of the faculty (Mark van Leeuwen).
Principles for processing and consent
Finally, the principles for processing personal data and for obtaining consent were discussed. All processing operations must be based on one of these six principles. When obtaining consent, it is required to inform the person involved in clear, unambiguous and simply written language. In addition to being requested explicitly (rather than passively), consent must also be saved and be demonstrable when requested by either the person involved or the auditing authorities.
On this note, the most important aspects of the GDPR have now been discussed. As of the 25th of May, the task will be to also implement these aspects in practice. The university has made a lot of information available on its website. In addition, information workshops have been organized for the coming days, in which general information will be provided about the GDPR and the possibility will be given to ask questions. An invitation for these workshops has already been sent by mail to everyone.
The final part of this series will be about your own personal privacy in relation to the university and other organizations. Since the GDPR also applies to you as an individual, it offers you various rights concerning the way in which, by whom and for what purposes your personal data are being processed.