Thank you ACRON (Association of Contract Research Organisations in the Netherlands) for the opportunity to run your members through the steps needed for GDPR-compliance
2. GDPR Personal Data Principles
1. Fairly, lawfully and transparently processed
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and up-to-date
5. Identifiable only for as long as necessary
6. Secure
4. Personal data
Do you process personal data?
Data is personal if it relates to an identified or identifiable individual
- For example: name, ID/BSN numbers, physical addresses, online identifiers (such as IP addresses or cookies)
Sole traders (ZZPers) are treated as individuals, so their data is personal data too
Any sensitive personal data (the special categories, such as health data, which carry stricter conditions)?
5. Mapping the data flow
Examples of where personal data may come from: websites, newsletters, memberships, HR
(Diagram: each of these sources feeding personal data into the example organisation ABC B.V.)
6. Processing the data
What do you do with the data?
‘Process’ means collect, record, organise, structure, store, adapt, alter, retrieve, use, restrict, disclose, erase or destroy.
What type of processing organisation are you?
‘Controller’ determines the purpose of the processing and the way the data gets processed
‘Processor’ only processes on the documented instructions of the Controller
7. Purpose of Processing
Why are you processing the personal data?
Defining the purpose is the cornerstone to establishing whether you are respecting the GDPR principles:
- Collecting more data than is needed to achieve your purpose = breach of the data minimisation principle
- Storing data for longer than you need to achieve your purpose = breach of the storage limitation principle
8. Legal basis for Processing
Are you allowed to process the data? One of these legal bases must apply:
- Consent
- Performance of a contract
- Legitimate interest of the Controller
- Legal obligation
- Protection of vital interests
- Public interest
9. Outsourced Data Processing
Any third-party Processors?
- If so, are written agreements (data processing agreements) in place?
Any international transfer of data outside the EEA?
- If yes, an adequate level of protection needs to be ensured, e.g. by transferring under the Privacy Shield Framework or the EU Standard Contractual Clauses
- Note: the EU-US Privacy Shield was invalidated by the CJEU in July 2020 (Schrems II); Standard Contractual Clauses, backed by a transfer impact assessment, or the EU-US Data Privacy Framework adequacy decision of 2023 are the current routes
10. Security of data
What safety measures are in place?
- Which technical and organisational security measures have been taken?
- Is a Data Breach Response Plan in place (breaches must be notified to the authority within 72 hours)?
- Is each third-party Processor capable of implementing the same measures?
11. Document findings
Remedial measures required?
REGISTRY of Data Processing Activities
- Cornerstone of your Data Protection Strategy
- Action items demonstrate your continual work towards compliance
- Reviewed regularly; it is a constant work in progress
COMPLIANT