General Data Protection Regulation (GDPR)

The Algemene verordening gegevensbescherming (AVG) is the Dutch term for the General Data Protection Regulation (GDPR). This GDPR has been in force across the entire European Union (EU) since 25 May 2018. The GDPR replaces outdated national privacy laws, so we now have a Europe-wide law that is also better prepared for ongoing digitalisation.

This article explains more about the GDPR. First we outline what the GDPR stipulates and why it was created. We then describe the 6 core principles of the GDPR, who the regulation is intended for, and how you can better manage and protect personal data.

What is the GDPR?

The GDPR gives organisations greater responsibilities and obligations when processing personal data. At the same time, the regulation grants more rights to the individuals whose data are collected. Processing personal data can cover a wide range of activities. It is not only about what an organisation does in-house with the collected personal data. There are also strict rules for forwarding, distributing, making available, and combining data. To uphold those rules, national privacy regulators have more powers under the new regulation to enforce compliance and, for example, impose fines in cases of violations or data breaches. In the Netherlands, the Autoriteit Persoonsgegevens enforces the GDPR.

What prompted the GDPR legislation?

Laws governing the handling of personal data already existed, but they were quite outdated and not uniform within Europe. The 1995 Data Protection Directive was only an EU directive that each country transposed into its own local privacy laws. In the Netherlands we used the Wet bescherming persoonsgegevens until 2018. Each European country therefore had different laws, which made international business and collaboration, as well as enforcement, increasingly difficult. If you operate in multiple countries but each country has different rules for the use of personal data, it becomes unworkable.

The GDPR resolved this and ensures that in every EU country you have the same obligations and protections. You must remain cautious once you go outside the EU. EU privacy laws generally apply to the data of European citizens even outside the EU. However, because the EU is quite advanced internationally in the field of privacy legislation, you should not assume that your data will always be handled according to the rules in the rest of the world. For example, at Chinese platform TikTok there appears to be less concern about our privacy guidelines.

Another driver for the GDPR is rapid digitalisation. When the predecessor of the GDPR came into force in 1995, the internet was still in its infancy. In 1994, Prime Minister Kok had no idea how to operate a computer, and online we went little further than emailing, reading news, and looking up information. The privacy laws already determined from whom we could collect which data, but it was less clear what you were then allowed to do with them. As an individual citizen, you had little control over that data.

What exactly are personal data?

Under the GDPR, personal data are any data that directly or indirectly say something about you. These include common details such as your name, address, town or city, and telephone numbers, as well as photos in which you appear, your Google search history, and your match results at the tennis club. Some personal data directly concern you as a person. Other data do not directly describe you, but are still attributable to you and, in combination with other data, say something about you as a person. For example, using the IP address of your smartphone, online data can be linked to your device and all associated data.

For all personal data, the GDPR determines what may and may not be done with those data. In addition to the above ‘standard’ personal data, the GDPR distinguishes other categories for which special rules apply: special category personal data and data relating to criminal convictions and offences.

Special category personal data
Special category personal data are data that are particularly privacy-sensitive. The impact is significant if such data end up in the wrong hands, which is why they receive extra protection under the GDPR. You should assume that you are not permitted to process such data unless a statutory exception applies.

Examples of such special category personal data include data revealing a person’s race or ethnic origin, or their political, religious, or philosophical beliefs. Genetic data, biometric data, information about your health, sexual behaviour, or sexual orientation are also special category personal data. Trade union membership is included as well.

Criminal convictions and offences data
Criminal convictions and offences data include, among other things, criminal convictions and criminal offences, including reasonable suspicions. Certain public authorities, particularly within the Ministry of Justice and Security, may process these data within strict legal frameworks. Otherwise, these data may not be used anywhere else.

In addition to the categories mentioned, the term sensitive personal data is also often used. These are in fact regular personal data that are particularly sensitive if they are improperly disclosed, for example in a data breach. This includes your financial data, your location, your citizen service number (BSN), and all electronic communications (email, messages, etc.). There are no extra rules for these under the GDPR, but given their sensitivity it is advisable to handle them with extra care.

GDPR principles

The GDPR introduces far stricter rules on which data may be collected and for what purpose. We must also inform the data subjects far better and in many cases ask for consent. As a citizen, you can also withdraw consent. You also have the right to be forgotten. Thanks to that right to be forgotten, or right to erasure, you may require that data which are not legally required to be retained are deleted from systems. The GDPR as a whole comprises a substantial body of 99 articles, but the essence can be found in the six principles in Article 5:

  1. Lawfulness, fairness and transparency
    Organisations may process personal data only where there is a lawful basis. There are several legal bases which we outline in the next section. Organisations must also handle data in a fair and transparent manner. For example, they must inform the data subject clearly which data they collect and what they do with them.

  2. Purpose limitation
    Personal data must also be collected for a clearly defined purpose. That purpose may not be silently changed and you may not simply start using the data for other things. If you ask someone for their address to deliver an order, you may not simply use that same address to send advertising brochures.

  3. Data minimisation
    If there is a specific purpose for collecting data, you may collect only the data necessary for that purpose. It is logical that an online shoe retailer asks for shoe size to serve the customer. However, income, sexual preferences, and family composition are not needed for that.

  4. Accuracy
    If an organisation collects personal data, it must process those data accurately and make sufficient effort to keep all data correct.

  5. Storage limitation
    This is also known as the retention limitation. You may not simply retain collected data indefinitely. You may store data only as long as necessary for the agreed purpose. After an agreed period, the shoe retailer must delete your data. It is complex because similar data may have different retention periods depending on the purpose. A CV of a rejected candidate must be deleted swiftly. If someone gets the job, you may of course retain the CV for longer. Storage limitation means people must familiarise themselves with, for example, archiving laws and consider the automatic storage of their data.

  6. Integrity and confidentiality
    The above principles concern what you may do with data and why. During the processing of personal data, multiple systems are often used. Organisations must implement technical and organisational measures to secure personal data properly against unauthorised access and unlawful processing. This is not only about preventing an external hack. You must also ensure that employees have access only to the data they genuinely need to do their jobs.

Beyond the core principles, it is important not only to comply with the GDPR but also to be able to demonstrate compliance through your measures when requested. This is known as accountability. The burden of proof lies with you as an organisation.

Each time we use someone’s personal data, it is in effect an intrusion into their privacy. The reality is that we must do so because otherwise very little would function. From the shoe retailer to your bank, your children’s school, and the local authority, everyone regularly requires personal data to perform their work. The GDPR therefore describes precisely why you may request and process certain data. These are called the legal bases. Every use of personal data must have a legal basis and that basis must be recorded clearly. There are six legal bases, outlined briefly below:

  1. Consent
    In some cases, data may be used without consent. If you exceed the speed limit, you receive a fine at home and the CJIB will not first ask whether they may use your address data. Below you will find several other legal bases under which your data may therefore be used without explicit consent. However, in many cases a person must first give consent. This ranges from a website that wants to use your data for a newsletter to a sports club that wants to publish a membership list. The GDPR sets strict requirements. It must be voluntary and it must be unambiguous which data are collected. A person must also know who is collecting the data and for what purpose. In addition, you must always be able to check what consent you have given, which data have already been collected, and you may withdraw consent at any time.

  2. Under a contract
    Sometimes specific data are needed to perform an agreement properly. If you buy a new TV, it must be delivered to the correct address. Depending on the payment method, an IBAN may also be required. You may collect those data, although being transparent helps here as well. As soon as you collect more data than are strictly necessary to perform your work, explicit consent is required again. You may not, for example, also note family composition at delivery of the TV for targeting your advertising campaigns.

  3. Legal obligation
    Sometimes organisations may collect data simply because it is required by law. The tax authority requires various personal and financial data for your tax assessment and benefits. They do not need to ask you separately and refusal is not really an option. The same applies to the speeding fine example.

  4. Vital interests
    Sometimes data are critical even though a person cannot give consent. For example, when someone has an accident and ends up in hospital. Even if the victim is unresponsive, doctors must be able to examine the person immediately without consent. Necessity prevails in that case.

  5. Public task or official authority
    For various statutory tasks of public authorities, it may be necessary to collect data. A well-known example is a municipality using CCTV for public safety in an entertainment district. They do not need to ask everyone individually for consent.

  6. Legitimate interests
    The final legal basis is legitimate interests. You may rely on this as an organisation when you need information for your day-to-day operations. For example, you need data about your staff for your HR administration. You may collect such data, but you must always weigh carefully whether particular data are truly necessary.

Personal use is permitted
Sometimes it seems as if nothing is allowed anymore. People who deal with the GDPR in their work also wonder what they are still allowed to do privately. At home and with friends, you can of course use personal data. The birthday calendar in the toilet can stay. However, if the group of friends grows and effectively becomes a club, then the GDPR applies again. If your security camera records the public street, it also falls within the scope of the GDPR.

Protection and management of personal data

Where should an organisation start to comply with the GDPR? This checklist links to the Regelhulp AVG, which allows you to check in 10 steps, quickly and easily, how your organisation is doing on privacy:

Step 1: your data processing activities
First, you are asked which types of personal data your organisation processes. Are they only ‘regular’ personal data or also special category personal data or, albeit rarely, criminal convictions and offences data? Depending on the data you select, additional privacy rules may apply.

Step 2: the GDPR legal bases
You must also be able to indicate clearly which legal bases you use to collect data. For example, consent, a contract, or a legal obligation. Depending on the legal basis, there are points to consider. For example, how did you ask for someone’s consent and is that information recorded somewhere?

Step 3: Data Protection Officer (DPO)
Do you work in a public sector organisation? Or does your organisation collect data on a large scale at events, for example? You may need to appoint a Data Protection Officer (DPO). The DPO ensures within the organisation that everyone complies with the GDPR. For most SMEs that process only ‘regular’ personal data, this is not normally necessary.

Step 4: data protection impact assessment (DPIA)
A data protection impact assessment (DPIA) is an analysis used to determine in advance the risks that the processing of personal data poses to the individuals concerned. For many medium-sized organisations that process regular data, this will not be necessary. It is necessary, for example, if you work with vulnerable individuals, process bulk data, deploy new technology (such as biometric systems), or make automated decisions based on personal data. If a bank automatically grants or rejects loans using algorithms and personal data, a DPIA must be conducted.

Step 5: privacy by design and default
For this check you must critically assess your systems and processes. In particular, verify whether your IT systems and procedures are designed so that you can always store and process personal data securely (privacy by design). Also check whether systems are configured by default so that data are not readily available to everyone (privacy by default). No matter how well a system seems designed, there is no ‘privacy by default’ if every user receives an account with a default password and immediate access to all data.

Step 6: record of processing activities
A record of processing activities provides an overview of all types of personal data processed within the organisation. Unless you are a very small organisation that only collects data occasionally, you should maintain such a record. It is also useful because you must have that information readily available in any case.

Step 7: security
Regardless of what you are allowed to do with data, data must always be properly secured. This is a challenge, knowing that people’s data typically end up in hundreds to thousands of files. In this step you are asked to verify whether that security is in order. This goes beyond the ‘privacy by design and default’ above. It concerns the entire operation, not only technical systems but also processes. The biggest security risk is usually human. A strong password is excellent, but if that password is stuck to the monitor on a sticky note, there is work to do.

Step 8: data processing agreements
The Regelhulp is intended for so-called controllers. These are all companies, public authorities, foundations, and also sole traders who process personal data, or who have data processed by another party, a so-called processor. For example, a marketing agency to which you send customer data to organise a campaign. You as the client remain responsible at all times.

For example, NS had to send a notice last year to 780,000 customers that their data had been leaked by their advertising agency. Nobody wants to be responsible for such a data breach, which is why you must always conclude a data processing agreement with your processor(s). In it you record mutual arrangements and responsibilities. For example, you make firm agreements about security.

Step 9: information obligation
Depending on which data you collect and under which legal basis, you must inform the individuals concerned. For example, in the form of a privacy notice.

Step 10: privacy rights
The final step concerns ensuring not only that everything is arranged to process someone’s data, but also that people always retain control over their own information. Individuals may request which data you have stored about them. They may also withdraw their consent or request deletion of the data. You must have technical measures and processes in place for this before you start processing.

How can Identity Access Management (IAM) support your GDPR compliance?

How can a well-implemented IAM solution contribute to compliance with the General Data Protection Regulation (GDPR)? The first five of the previously mentioned ‘GDPR principles’ focus mainly on what you may do with personal data and your obligations during processing. An IAM platform manages user accounts and access rights and therefore also processes data itself, such as names, email addresses, and sometimes telephone numbers or dates of birth. All the core principles apply to an IAM platform itself, but with principle 6 the IAM platform plays an additional key role within an organisation:

The processing of personal data must be appropriately secured. For special category personal data, such as information about a person’s health, extra strict rules apply.

The security of personal data and the applications that process them must therefore be optimal. The GDPR does not prescribe a standard approach for this. The principle is that you must take ‘appropriate technical and organisational measures’. What that means in your case depends on your specific processing of personal data and the identified risks. The Dutch Data Protection Authority (AP) emphasises the specific importance of digital access security. It also provides several concrete recommendations and guidelines. We have elaborated these per recommendation below, including how an IAM system can help. We illustrate this using HelloID, an example of a modern Identity-as-a-Service platform (IDaaS).

Implement an authorisation matrix. In such an authorisation matrix, all access rights for all systems in use must be recorded. It must be clear which information is necessary for which employees to do their jobs. Such a matrix must be sufficiently detailed and kept up to date. Based on this, you can use appropriate authorisation measures to prevent unauthorised access to personal data. If a celebrity is in your hospital, you want to prevent the entire workforce from browsing the medical record.

The ‘IAM role’ in this recommendation: To implement this GDPR recommendation in a workable way, a state-of-the-art IAM solution is required with Role or Attribute Based Access Control, referred to as RBAC in this document. Only with such a solution can you manageably ensure that everyone always has access only to the minimum necessary data and applications. You can also guarantee that when someone changes job or role, access rights are adjusted immediately. When an employee leaves the organisation, such an IAM solution ensures that access is blocked straight away. In addition, you can automate processes. Temporary accounts are automatically blocked again and before the system activates someone’s account, he or she must first accept the privacy rules online.
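The following is an added illustration, not HelloID's or any vendor's code, of how an authorisation matrix drives role-based access and the joiner/mover/leaver events described above. The matrix, role names, applications and the "privacy rules accepted" flag are all constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set, Tuple

# Constructed authorisation matrix: role -> set of (application, permission).
# This is the single place where "who may see what" is recorded and reviewed.
AUTH_MATRIX = {
    "nurse":      {("ehr", "read:own-ward"), ("rostering", "read")},
    "physician":  {("ehr", "read:own-ward"), ("ehr", "write:own-ward"), ("rostering", "read")},
    "hr-officer": {("hris", "read"), ("hris", "write")},
    "contractor": {("ticketing", "read")},
}

@dataclass
class Account:
    user: str
    roles: Set[str] = field(default_factory=set)
    active: bool = True
    expires: Optional[date] = None        # set only for temporary accounts
    privacy_rules_accepted: bool = False  # account is activated only after acceptance

def entitlements(acct: Account, today: date) -> Set[Tuple[str, str]]:
    """Rights the account has right now: nothing if it is blocked, expired,
    or the user has not yet accepted the privacy rules; otherwise the union
    of the matrix rows for the account's current roles."""
    if not acct.active or not acct.privacy_rules_accepted:
        return set()
    if acct.expires is not None and today > acct.expires:
        return set()
    rights: Set[Tuple[str, str]] = set()
    for role in acct.roles:
        rights |= AUTH_MATRIX.get(role, set())
    return rights

def is_allowed(acct: Account, app: str, perm: str, today: date) -> bool:
    return (app, perm) in entitlements(acct, today)

# Lifecycle events change roles, never individual grants, so access always
# follows the matrix and nothing lingers after a role change or departure.
def joiner(user: str, roles, expires: Optional[date] = None) -> Account:
    return Account(user=user, roles=set(roles), expires=expires)

def mover(acct: Account, new_roles) -> None:
    acct.roles = set(new_roles)   # old role's rights disappear immediately

def leaver(acct: Account) -> None:
    acct.active = False           # all access blocked at once

if __name__ == "__main__":
    today = date(2024, 3, 4)
    a = joiner("anna", ["nurse"])
    a.privacy_rules_accepted = True
    print(sorted(entitlements(a, today)))
```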

Use multi-factor authentication (MFA). It is recommended to use MFA for all systems where access control is configured. This is also advised for business chat services (such as WhatsApp) and email applications.

The ‘IAM role’ in this recommendation: With a modern IAM platform you can implement MFA effectively and fulfil this recommendation. A professional IAM solution can also make MFA context-aware. For example, you specifically enforce MFA when someone accesses sensitive personal data from outside the office or at unusual times. It is important to deploy MFA in a targeted way and to avoid so-called ‘MFA fatigue’.

Log access to systems. It is not only necessary to secure access to systems. It is also necessary to record events in systems. For example, who performed which processing activities on personal data, as well as unauthorised access attempts to systems and data. By analysing such logs, intrusions or attempts can be detected earlier and after a security incident, swift and targeted measures can be taken.

The ‘IAM role’ in this recommendation: The IAM environment also plays a central role here. With extensive logging functionality, it is always traceable which access attempts were made, when, and by whom. A good IAM solution is auditable at any time and can provide a status overview of all accounts issued, including access rights to applications, data, and other digital facilities. It is also traceable who requested an access right and who approved that request.
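As an added example (not HelloID's log format or code) covering both the context-aware MFA recommendation and the access-logging recommendation above, the snippet below runs a few constructed audit-log lines through three checks: accesses to special category data outside the office or office hours that happened without MFA, users with repeated denied attempts, and the accountability question "who accessed this record, and when". The JSON field names and the 08:00-17:59 office window are assumptions.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample audit log (one JSON object per line) in a hypothetical schema.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:03", "user": "anna", "app": "ehr", "record": "patient/1042", "category": "special", "result": "allow", "mfa": true, "src": "office"}
{"ts": "2024-03-04T22:47:10", "user": "bob", "app": "ehr", "record": "patient/1042", "category": "special", "result": "allow", "mfa": false, "src": "remote"}
{"ts": "2024-03-04T22:48:31", "user": "bob", "app": "ehr", "record": "patient/1043", "category": "special", "result": "allow", "mfa": false, "src": "remote"}
{"ts": "2024-03-04T10:05:00", "user": "carl", "app": "hris", "record": "employee/77", "category": "regular", "result": "deny", "mfa": true, "src": "office"}
{"ts": "2024-03-04T10:05:09", "user": "carl", "app": "hris", "record": "employee/78", "category": "regular", "result": "deny", "mfa": true, "src": "office"}
{"ts": "2024-03-04T10:05:15", "user": "carl", "app": "hris", "record": "employee/79", "category": "regular", "result": "deny", "mfa": true, "src": "office"}
{"ts": "2024-03-04T11:30:44", "user": "anna", "app": "rostering", "record": "shift/2024-03", "category": "regular", "result": "allow", "mfa": false, "src": "office"}
"""

OFFICE_HOURS = range(8, 18)  # assumed office window: 08:00 up to 17:59

def parse_log(text):
    """Parse JSON-per-line audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def mfa_required(ev):
    """Context-aware rule: special category data reached from outside the
    office or outside office hours must only be accessed with MFA."""
    hour = datetime.fromisoformat(ev["ts"]).hour
    return ev["category"] == "special" and (ev["src"] != "office" or hour not in OFFICE_HOURS)

def mfa_policy_gaps(events):
    """Successful accesses that should have required MFA but had none."""
    return [ev for ev in events if ev["result"] == "allow" and mfa_required(ev) and not ev["mfa"]]

def repeated_denials(events, threshold=3):
    """Users whose denied attempts reach the threshold: a signal worth triage."""
    denied = Counter(ev["user"] for ev in events if ev["result"] == "deny")
    return {user: n for user, n in denied.items() if n >= threshold}

def who_touched(events, record):
    """Accountability view: (timestamp, user) for every successful access to a record."""
    return [(ev["ts"], ev["user"]) for ev in events
            if ev["record"] == record and ev["result"] == "allow"]

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in mfa_policy_gaps(events):
        print("MFA gap:", ev["ts"], ev["user"], ev["record"])
    print("repeated denials:", repeated_denials(events))
    print("patient/1042 accessed by:", who_touched(events, "patient/1042"))
```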

With the functions above, an IAM system can be a powerful tool for organisations to comply with the GDPR and other privacy laws.

The key insights at a glance

The GDPR is a major improvement over earlier privacy laws. We now protect privacy in the same way throughout Europe, and privacy in digital services is much better safeguarded. There are several points of attention to ensure that your organisation remains compliant with the GDPR:

  • Ensure that for all personal data you process, you know the purpose of the processing, that it aligns with one of the GDPR legal bases, and that you have documented this properly. Transparency is extremely important in the GDPR.

  • Ensure that you fully inform the individuals whose data you use. Request consent where required and ensure that both the consent and the stored data can be retrieved. Also ensure that you can answer users’ questions and delete data upon request.

  • Use Role Based Access Control (RBAC) as much as possible. In RBAC, a person’s access rights are automatically linked to their role within the organisation. This ensures that only those employees who genuinely need personal data for their work have access. It also ensures that employee accounts are disabled in good time to prevent unlawful access via those accounts. A modern IAM system such as HelloID has RBAC built in.

  • Implement Multi-Factor Authentication (MFA) to add an extra layer of security to system access. Especially for personal data, and certainly for special category personal data, this adds an extra lock on the door to prevent data breaches.

  • Ensure that your IAM system has extensive logging and reporting capabilities. In the event of a data breach, you must act within 72 hours and be able to determine who has access to which data and when specific data were accessed.

Related Articles

What is the GDPR (AVG)?

The General Data Protection Regulation (GDPR), or AVG in the Netherlands, is a unified European Union privacy law enacted on May 25, 2018, designed to protect digital personal data and give individuals more control over their information.

What exactly counts as personal data?

Personal data is any information that directly or indirectly identifies a person. This includes obvious details like names, addresses, and phone numbers, as well as digital footprints like IP addresses and search histories.

What are special category personal data?

These are highly sensitive details that receive extra protection under the GDPR, such as race, ethnic origin, political or religious beliefs, health information, genetic and biometric data, and sexual orientation. Processing this data is generally prohibited without a statutory exception.

What are the 6 core principles of the GDPR?

When processing personal data, organizations must adhere to six rules:

  1. Lawfulness, fairness, and transparency

  2. Purpose limitation (only use it for the reason you collected it)

  3. Data minimisation (only collect what you strictly need)

  4. Accuracy (keep data correct and up-to-date)

  5. Storage limitation (delete it when no longer needed)

  6. Integrity and confidentiality (secure it against leaks)