- 29 January 2021
- Posted by: André Biesheuvel
- Category: Protecting personal data
The purpose of this day is to better inform European citizens about their rights regarding the use of their personal data by governments, companies and other organizations. Companies and organizations are also encouraged to improve the protection of personal data on this day.
The choice for this day lies in the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”, 28 January 1981 of the Council of Europe.
Duthler Associates has been a privacy advocate since its inception in 1998. In essence, it is about people and companies (governments, companies and other organizations) being able to exercise control over their data. Grip on data offers opportunities to control your life and control the continuity of business activities. This is a bit of a problem now because individuals and companies must make good agreements about the processing of personal data in particular. This does not alter the fact that agreements are also required about the use of company data.
Below are a number of tips for individuals and companies.
Tips for people
Governments and companies are increasingly processing personal data. The purpose of the processing is often “to improve” the lives of persons. However, the individual has limited or no control over his or her (his) data. As a result, the individual lacks the freedom to determine for which processing his data may be used and also in which processing the individual can participate. There is a real danger of exclusion and arbitrariness.
How can the individual deal with this situation? We give a few tips:
Tip 1: Information ecosystem
Build up your data set for your own “information eco-system” and keep it up to date. By your own information eco-system we mean the collection of partners (for example friends, employers or healthcare providers) with whom you can make agreements about the processing of your data set
The data set must comply with a number of principles. For example, the data definitions must be generally accepted, you yourself guarantee the reliability of the data and it must be possible to make firm agreements about the processing of personal data.
Tip 2: Offer your own management of (personal) data
Offering reliable data to identified partners under your direction provides you and partners added value.
The added value consists of: more certainty about the reliability and topicality of shared data and being able to stop sharing at any time. More certainty about the reliability of data lowers transaction, compliance and risk costs. In addition, companies have personalized data with which the individuals can be optimally served.
Tip 3: Make agreements about the processing
Make firm agreements with the company about the processing of your data. Closing agreements arise with partners who belong to your information eco-system. You make use of clear agreements with an unambiguous description of rights and obligations, and your partner periodically reports on the effective operation of the management measures taken aimed at protecting personal data as described in the law and agreed in the agreement.
You might think, “isn’t all this heavily rigged?” I do not think so. Freedom is a great good and history shows that we will miss it very much when it is taken away.
In addition, the health sector is working hard to facilitate individual control over his own life; and derived from this your own medical data.
Tips for companies
It takes some getting used to for companies when individuals exercise control over their data and they enter into agreements with individuals about this. It is essential for the continuity of the business activities that the company is compliant with the agreements made. If the company does not comply with the agreements, the individual will after all say ‘goodbye’ to the company.
How can a company deal with this situation? We give a few tips:
Tip 1: Organizing an information eco-system
Build an information eco-system and keep it up to date. The information eco-system of a company can, for example, consist of employees, suppliers and customers. The company makes agreements with the participants in the eco-system about the processing of (personal) data.
The company presents itself with reliable and up-to-date company data to its partners. The company can consist of a holding company with entities, which in turn are made up of organizational units. Business units may ask suppliers to update data and will agree that these companies will take appropriate control measures to effectively protect personal data.
The overview and insight into these relationships, as well as the effectiveness of the control measures, are an important source of compliance with the company’s own accountability as referred to in legislation and agreements entered into.
Tip 2: The importance of reliable (company) data
Offering reliable business data to identified partners provides the company and partners added value.
The added value consists of: more certainty about the reliability and topicality of shared data. In addition, the company can stop sharing at any time. More certainty about the reliability of data lowers transaction, compliance and risk costs. In addition, companies have personalized data with which the individuals can be optimally served.
Tip 3: Make conclusive agreements with partners
Make conclusive agreements with partners about the processing of personal and company data.
Closing agreements arise with partners who belong to the information eco-system. Make use of clear agreements with an unambiguous description of rights and obligations, and ensure that you are periodically accountable for the effective operation of the management measures taken aimed at protecting the personal data as described in the law and agreed in the agreement.
The legislator expects a company that control measures aimed at protecting personal data are adequate and effective. The nature and scope of the measures result from the law, contractual obligations and policy. We can expect companies to account for the effectiveness of the control measures for 2020 and that a compliance annual plan for 2021 has been established by management.
The necessary Data Protection Impact Assessment (DPIA) will be planned in the 2021 compliance plan. Performing a DPIA is not the completion of a checklist as we unfortunately often see. Carrying out a DPIA is a skill. It is therefore wise to call in or train a well-trained professional for this. A DPIA is not a one-off risk analysis but is kept during the life cycle of the processing of personal data.
As an organization, ensure that the data protection officer or privacy officer has the latest knowledge and expertise.
And last but not least
Only the perspective of the tips for individuals and companies differs. People want control over their lives; companies want control over their business activities. If the parties can make conclusive agreements about the processing of personal data, both goals can be achieved.
Contact us for questions or an appointment via firstname.lastname@example.org or +31 0 (70) 392 22 09.