Is privacy protection sufficiently embedded in the backbone of your organization?

The General Data Protection Regulation (GDPR) became applicable throughout the EU on 25 May 2018.

Many organizations have already indicated through email, (social) media and their websites that they have implemented the GDPR. It is not entirely clear WHAT exactly has been implemented.

We generally see that the implementation of the GDPR focuses mainly on the security of personal data, on drawing up or replacing data processing agreements and on renewing privacy statements.

The question is to what extent the GDPR is implemented in the ‘genes’ of the organization.

In other words, to what extent are the employees aware of the principles of the GDPR and the ‘appropriate technical and organizational measures’ based on them and are the employees able to act accordingly?

Article 5 of the GDPR, which contains the principles of privacy protection, is the basis of the GDPR regarding the processing of personal data. These principles are explicitly or implicitly reflected in a number of important articles that deal in greater detail with the processing of personal data. For example, in article 25 [Data protection by design and by default] the principles of purpose limitation, storage limitation, integrity, confidentiality and data minimization are implicitly included.

It therefore seems obvious for an organization to start the implementation of the GDPR by drawing up a strategic privacy policy plan in which the principles are clearly defined per stakeholder category. This enables each department to implement the other articles relevant to its business operations unambiguously in systems, procedures and contracts.

Nevertheless, this ‘top-down’ approach appears to be an exception rather than the rule in practice. Many organizations have introduced the GDPR ‘rule-based’ by solving various issues on an ad hoc basis. The risk of this approach is that each department gives its own interpretation to the principles that are ‘hidden’ in an article.

This raises the question of the extent to which an organization is mature in the field of privacy protection.

Maturity is not evident from a paper implementation and / or ‘window dressing’ with a privacy statement while the organization is not adequately equipped for compliance.

Maturity must be evident from the degree of assurance and demonstrability of appropriate technical and organizational measures on the one hand, and from actual compliance with them within the organization on the other.

Maturity can be divided into 5 levels (derived from ISACA / CMMI), with each level representing a certain degree of risk. The higher the maturity level, the lower the risk of:

  1. a breach of a person’s privacy (data breach),
  2. an administrative fine or a claim for damages, and
  3. directors’ liability.

‘When it was first announced that the GDPR would introduce fines of up to 20 million Euros, directors across the EU paid attention. It is now clear that fines of this level will be reserved for the most flagrant and damaging breaches of the data protection principles. Even so, there is a range of regulatory, reputational and, therefore, commercial consequences for any organization which fails to meet the higher standards of responsibility created by the GDPR. For this reason, data protection has become a priority within the board room. Under the GDPR, there is a range of criminal offences relating to data protection including unlawfully obtaining, disclosing or selling data and various offences relating to the exercise of the Supervisory Authority’s statutory powers, including altering or destroying data with the intention of preventing disclosure of information to a data subject. Directors may be liable for the criminal offences of the company where these were committed with their “consent, connivance or neglect.” Whilst prosecutions of directors under the DPA have been rare, directors should be conscious of the possible criminal offences which an organization may commit and the possibility of the Supervisory Authority prosecuting individuals.’ [derived from Kingsley Napley, law firm, blog by Emily Carter].

Do you want to know how mature you perceive privacy protection to be within your organization? Then take the test below!

To get a good idea of the privacy protection in your organization, it is advisable that more of your colleagues take this test. The more colleagues take the test, the clearer the general perception of how the organization protects privacy.

Choose the answer that you think is closest to the way your company protects privacy.

Are you curious about the score? Follow this blog!

A score table will be published next time. Based on this you can calculate your score.

With this score you can determine your perception of the maturity level of your organization regarding privacy protection.

6. Define Integrity


Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (Article 5(1)(f), ‘integrity and confidentiality’).

Responsible for implementing the principle of integrity in the organization (mainly the implementation of Articles 32 up to and including 36 GDPR) is the Chief Security Officer (CSO), or a similar role or function.

Processing of personal data takes place only where adequate (technical) security is ensured.

Integrity means that an unauthorized person is unable to change, add or delete personal data without this being detected.

Personal data in transit are protected if it is not feasible to change them on the way without the change being immediately apparent to the recipient.

Article 32 names pseudonymisation and encryption as examples of appropriate measures. Note that encryption on its own protects confidentiality, not integrity: detecting changes in transit requires a message authentication code, a digital signature or an authenticated encryption mode, and pseudonymisation limits the impact of a breach rather than preventing modification.

Integrity means maintaining the consistency, accuracy and reliability of data throughout their life cycle.

Data integrity is the guarantee that digital information is not corrupted and can only be accessed or modified by those who are authorized to do so.
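The following is an added example, not code from the original post, of how the ‘change immediately apparent to the recipient’ property is obtained with a message authentication code: the sender attaches an HMAC-SHA256 tag over a canonical serialisation of the record, and the recipient recomputes the tag in constant time before trusting the data. The shared key, the record fields and the simulated on-path modification are all constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

# Placeholder shared secret between sender and recipient (assumption for the
# example; in a real deployment it comes from a key management system).
SHARED_KEY = b"example-shared-key-32-bytes-long"


def canonical(record: Dict[str, Any]) -> bytes:
    """Serialise a record deterministically, so that sender and recipient
    authenticate exactly the same bytes (key order and whitespace may not vary)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(record: Dict[str, Any], key: bytes = SHARED_KEY) -> Dict[str, str]:
    """Sender side: attach an HMAC-SHA256 tag over the canonical record."""
    body = canonical(record)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"payload": body.decode("utf-8"), "tag": tag}


def verify(message: Dict[str, str], key: bytes = SHARED_KEY) -> Optional[Dict[str, Any]]:
    """Recipient side: recompute the tag and compare in constant time.
    Returns the record if it is intact, None if payload or tag was altered."""
    body = message["payload"].encode("utf-8")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    return json.loads(body)


def tamper_in_transit(message: Dict[str, str], old: str, new: str) -> Dict[str, str]:
    """Simulate an on-path modification of the payload; the tag is left as is."""
    return {"payload": message["payload"].replace(old, new), "tag": message["tag"]}


# Constructed sample record (fictitious patient data).
SAMPLE = {"patient_id": "P-1024", "blood_group": "A+", "dob": "1980-02-29"}

if __name__ == "__main__":
    msg = protect(SAMPLE)
    print("intact   :", verify(msg))
    altered = tamper_in_transit(msg, '"A+"', '"O-"')
    print("tampered :", verify(altered))  # None: the change is detected
```

Running the script prints the intact record first and None for the copy whose blood group was altered on the way. The tag only covers the bytes that were tagged, which is why both sides serialise the record canonically; and the authentication key must be a separate key from any key used to encrypt the same data.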



PLASTICFAD is the acronym of the GDPR principles as defined in article 5 GDPR.

The acronym and accompanying icons are attempts to bring these principles to the attention of the data subjects and other stakeholders of the GDPR.

It is intended to support communication.

On this basis the controller can fulfil its legal duty to provide transparent information to the data subject.

For example, by defining an organization-wide privacy protection policy that can be rolled out in a structured and traceable way within the organization.

This rollout mainly concerns the implementation of all articles of the GDPR that relate to the rights of the data subjects and the obligations of the controller and other stakeholders involved.

The data subject can use the acronym and icons to understand the principles in an accessible way.

The day after 25 May 2018: Privacy Protection Day (PP-day)

The EU-wide privacy protection games start on 25 May 2018.

And the stakes are high!

What is the value of the advice from your privacy professionals to become compliant with the GDPR on PP-day?

Is your organization really compliant on the day after?

Certify your organization to be sure!

[42] Article 42 of the GDPR allows an organization collecting and / or processing personal data to be certified: “demonstrating compliance with the GDPR of processing operations by controllers and processors.”

What is ‘acting in accordance with the GDPR’?

[24] This is explained in more detail in Article 24 of the GDPR: “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.”

In Article 24 GDPR the accountability of the controller is specified.

What does the accountability relate to?

[5] This accountability is linked in Article 5(2) to the principles of the GDPR:

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 [the principles] (‘accountability’).”

In other words, acting in accordance with the GDPR means correct compliance with the specified and implemented principles of the GDPR in the organization.

What happens if the principles referred to in Article 5 of the GDPR are not implemented correctly?

[83] Article 83 sets out the administrative fines that apply to non-compliance with the GDPR, in two tiers. Paragraph 4 covers the lower tier:

“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

  • the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, and 42 and 43.”

Paragraph 5 covers the higher tier:

“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:

  • the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9;
  • the data subjects’ rights pursuant to Articles 12 to 22;
  • the transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;”

What does certification relate to?

GDPR certification concerns ensuring and demonstrating correct compliance with the articles referred to in Article 83, i.e. those to which the administrative fines apply.

5. Define Transparency

It should be transparent to data subjects that personal data concerning them are collected, used, consulted or otherwise processed, and to what extent the personal data are or will be processed. In accordance with the principle of transparency, information and communication relating to the processing of such personal data should be easily accessible and easy to understand, and clear and plain language should be used:

  • especially when the information is specifically intended for a child;
  • in combination, if necessary or desirable, with standardized pictograms to provide an easily visible, understandable and clearly legible overview of the intended processing.

This means that existing ‘fair processing notices’ or ‘privacy policies’ included in, for example, documents, online forms, apps or websites, or tucked away in general terms and conditions, or of such a general nature that no meaningful information is provided, must be replaced.

Transparency goes beyond existing requirements and although much of the information is similar, some additional information is required.

Compliance with these requirements therefore probably requires resources, the level of which will depend on:

  • what information is currently being provided to individuals;
  • whether that information is a true reflection of the processing that is being undertaken (a thorough knowledge of data flows will be fundamental to making that assessment);
  • how that information is currently being communicated to the individual.

A controller should provide sufficient information to ensure that the data subject understands the processing and, where necessary, is able to make informed choices about the processing of his personal data.

The amount of information provided to the individual depends on the risk to the rights and freedoms of the individual.

The greater the risk, the more detailed and informative the information must be. Similarly, the more complicated the processing activities, the more consideration is needed to make the information clear and informative for the target group (read: category of stakeholders).

The information must actively be ‘provided’ to the data subject rather than merely ‘made available’. The data subject also has the right to request that the information be provided orally (Article 12(1)).

4. Define Storage limitation


Personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (Article 5(1)(e)).



Organizations will have to take into account the wide range of rights enjoyed by data subjects in the framework of the GDPR and how this may affect their data retention considerations.

Therefore it is recommended to identify the categories of data subjects of the organization and to specify them according to the several processing purposes.

The controller should therefore formulate a policy that:

  • establishes retention periods for data processed for each different purpose;
  • implements an appropriate retention policy;
  • ensures and monitors compliance with that retention policy.

Such a policy should at least answer the following questions:

  • Which categories of data subjects and personal data are covered by the principle of storage limitation?
  • Who is responsible for those data categories?
  • Who has specific obligations under the policy regarding storage limitation?
  • In addition to data protection legislation, which other rules, codes or practices should be considered when formulating the storage limitation policy (for example statutory retention periods)?
  • When must data be kept for legal reasons and when must they be deleted?
  • When should certain data be exempted from the principle of storage limitation, e.g. in connection with a pending case in court?
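As an added example, not from the original post, of how such a policy can be made operational: the script below encodes a hypothetical retention schedule per (category of data subject, processing purpose) pair, exempts records under legal hold from deletion, and flags combinations for which the policy defines no period instead of silently retaining them. The categories, retention periods and sample records are all assumptions for illustration, not values taken from the GDPR.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Hypothetical retention schedule (assumption for the example):
# (category of data subject, processing purpose) -> retention period in days,
# counted from the moment the data are no longer needed for that purpose.
RETENTION_DAYS: Dict[Tuple[str, str], int] = {
    ("patient", "treatment"): 20 * 365,   # e.g. a medical-records retention law
    ("applicant", "recruitment"): 28,     # unsuccessful applicants
    ("supplier", "contract"): 7 * 365,    # e.g. a bookkeeping retention law
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str              # category of data subject (patient, applicant, ...)
    purpose: str               # the specified processing purpose
    last_needed: date          # end of treatment, rejection date, contract end, ...
    legal_hold: bool = False   # e.g. a pending court case: exempt from deletion


def retention_deadline(rec: Record) -> date:
    """Date up to which the record may be kept; after it the data must be erased
    or anonymised. Raises KeyError when the policy defines no period for this
    combination: a silent default would keep data with no stated justification."""
    return rec.last_needed + timedelta(days=RETENTION_DAYS[(rec.category, rec.purpose)])


def classify(records: List[Record], today: date) -> Dict[str, str]:
    """Decide per record: 'retain', 'delete', 'hold' (expired but under legal hold)
    or 'undefined' (no retention period specified for this category/purpose)."""
    decisions: Dict[str, str] = {}
    for rec in records:
        try:
            deadline = retention_deadline(rec)
        except KeyError:
            decisions[rec.record_id] = "undefined"
            continue
        if today <= deadline:
            decisions[rec.record_id] = "retain"
        elif rec.legal_hold:
            decisions[rec.record_id] = "hold"
        else:
            decisions[rec.record_id] = "delete"
    return decisions


# Constructed sample inventory (fictitious).
SAMPLE_RECORDS = [
    Record("R1", "patient", "treatment", date(2010, 1, 1)),
    Record("R2", "applicant", "recruitment", date(2023, 11, 1)),
    Record("R3", "supplier", "contract", date(2010, 1, 1), legal_hold=True),
    Record("R4", "cleaner", "payroll", date(2015, 1, 1)),   # not covered by the policy
]


def demo(today_iso: str = "2024-01-01") -> Dict[str, str]:
    """Classify the sample inventory as of the given ISO date."""
    return classify(SAMPLE_RECORDS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for record_id, decision in demo().items():
        print(record_id, decision)
```

As of 1 January 2024 the sample yields R1 retained, R2 deleted, R3 held and R4 flagged as undefined; the ‘undefined’ outcome is the one that should trigger a policy review, because it means a category of data subjects is being processed for a purpose the retention policy never addressed.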

3. Define Accuracy

A Principle based approach

‘Principle Based’ Implementation of the GDPR starts with defining an organization-wide privacy protection policy, wherein all PLASTICFAD principles are addressed in combination with all stakeholder categories.

The principles in Article 5 are reflected in a number of important articles of the GDPR, such as Articles 6 to 9, 12 to 22, 25, 30 and 32.

Many organizations which lack an organization-wide privacy protection policy, will likely implement the GDPR ‘rule based’ (= strictly based on the articles of the GDPR) on the departmental level.

The risk of this approach is that each department determines its own interpretation of how an article should be explained for its business operations. Consequently, this approach can lead to differences in interpretation and inconsistencies, as a result of which the costs of implementation can not be adequately controlled.

These problems can be avoided by clearly defining the principles at the strategic level on which the implementation of the underlying articles of the GDPR will be based.

The principles ‘Purpose Limitation’ and ‘Lawfulness’ were explained in my previous blogs and today we’ll have a look at the principle ‘Accuracy’.


Accuracy means that personal data elements which are incorrect in view of the purposes for which they are processed must be deleted or rectified without delay.

The data must be as accurate, complete and up-to-date as is necessary to fulfill the specified goals.


The controller should therefore:

  • take all reasonable steps to ensure that personal data are correct;
  • ensure that the source of personal data is clear;
  • be aware of the ways in which the accuracy of personal data may be compromised;
  • ensure that the collected personal data remain up-to-date and complete and, where necessary, are corrected or supplemented.

The accuracy of personal data is closely related to the purpose for which they were collected and processed.

Poor quality personal data can have a significant negative impact on the efficiency of an organization, while high-quality data is often crucial to a company’s success.

Some of the main ways in which the accuracy of personal data can be assessed and improved are:

Accurate data sources

The controller must identify the correct data sources, both internally and externally, to determine and improve the quality of incoming data. Incorrect data may be the result of migrating data from one database to another, the presence of invalid values or even time-related changes in the data. It is important to determine the cause of incorrect data.

Set data quality targets

It is important that companies set realistic goals for improving data quality. Top management must understand the underlying problems that affect the accuracy of their data and set goals accordingly. Data quality should be examined in terms of:

  • how efficiently data are captured,
  • how data are entered, and
  • how effectively data are coded.

Avoid overload

A manager must ensure that the people involved in the data entry process are not pressured to deliver expected results from the beginning. If data entry specialists are overloaded with work, this can lead to errors when entering data.

View the data

Review is an effective way to check the accuracy of data. The controller must build in an efficient way to check and verify the data entered.

It is also good practice to have a team of quality assurance professionals assess the data; this helps to reduce data errors considerably.

Automate error reports

Supporting software is always a plus: automatically generated error reports at the point of data entry are common practice among leading companies today.

Determining accuracy standards

The controller should adopt very robust quality standards for data entry, such as:

  • matching,
  • geo-coding,
  • data monitoring,
  • data profiling,
  • linking.

This ensures that the data entered meets predefined data standards that in turn help improve the data quality.

Create a good working environment

Having a good and healthy working environment helps employees to make fewer mistakes and therefore has a direct influence on the accuracy of the data. The controller is responsible for providing data entry professionals with a healthy working environment that helps maintain their focus.

Next time, we’ll focus on the principle of Storage Limitation. Please follow my posts to stay informed. Feedback and comments are appreciated!

2. Define Lawfulness


The processing of personal data must rest on a legal basis, be fair (in line with general standards of decency) and be transparent for the data subject (see Transparency below).

The processing is lawful only if at least one of the following applies (Article 6(1)):

  1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  2. the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
  3. the processing is necessary to comply with a legal obligation to which the controller is subject;
  4. the processing is necessary to protect the vital interests of the data subject or of another natural person;
  5. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  6. the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Where consent is the legal basis, the controller must be able to demonstrate that the data subject has consented (Articles 7 and 8), whereby:
    -> a request for consent is presented in an intelligible and easily accessible form, in clear and plain language;
    -> the data subject has the right to withdraw consent at any time;
    -> withdrawing consent is as easy as giving it;
    -> if parental consent is required (children below the applicable age), the controller makes reasonable efforts to verify that consent was given by the holder of parental responsibility.

Processing of the special categories of personal data (Article 9) is prohibited unless one of the additional conditions of Article 9(2) applies. These categories are:
    -> racial or ethnic origin;
    -> political opinions;
    -> religious or philosophical beliefs;
    -> trade union membership;
    -> genetic data;
    -> biometric data for the purpose of uniquely identifying a natural person;
    -> data concerning health;
    -> data concerning a person’s sex life or sexual orientation.

1. Define Purpose Limitation

In order to set up an organization-wide Privacy Protection Policy you’ll have to map out the categories of your stakeholders initially.

After all, each category can be subject to a different purpose.

For example,  a hospital can process personal data of patients, cleaners, nurses, specialists, suppliers, etc …

All these categories will each have a different processing purpose.


Personal data may (1) be collected only for:

  1. specified,
  2. explicit and
  3. legitimate purposes, and

(2) may not be further processed in a way incompatible with those purposes.

We can work out the above aspects as follows.

I. Purpose specification

Purpose specification is the core of the legal framework for the protection of personal data.

First of all, the purpose must be specified in order to make it possible to implement all necessary data protection safeguards and to define the scope of the processing.

Personal data may not be collected if they are not necessary for, adequate for and relevant to the intended purpose or purposes.

Specifying the specific reason(s) for which personal data are collected is therefore a necessary precondition.

Purpose specification thus sets limits to the purposes for which personal data may be collected and used.

This also helps to establish the necessary safeguards for data protection.

Purpose specification requires a continuous internal assessment by the controller and is a necessary condition for accountability.

Purpose specification is the first step that the organization must take to ensure proper compliance with the GDPR.


II. Unambiguous and clear purpose

Second, the purpose must be sufficiently unambiguous and clearly expressed.

Contrasting the term ‘explicit purpose’ with the notion of a ‘hidden’ or vague purpose helps to see what is required.

The purposes must be clearly disclosed, explained or expressed in an intelligible form.

From the analysis of purpose specification it follows that this must take place no later than the moment at which the personal data are collected.

What is meant must be clear, leave no room for doubt and not be difficult to understand.

The purposes should be specified in such a way that they are understood in the same way not only by the controller (including all relevant staff) and by external processors, but also by the data protection authorities and the data subjects concerned.

The requirement that purposes are specified ‘explicitly’ contributes to transparency and predictability. It allows unambiguous identification of the ways in which the collected personal data may be used, with a view to protecting the data subjects.

This in turn reduces the risk that the expectations of the data subjects differ from those of the controller.


III. Legitimate

Personal data must only be collected for legitimate purposes.

This means that the purposes must be in compliance with all provisions of applicable data protection legislation, as well as other applicable laws such as labor law, contract law, consumer protection legislation, and so on.

The requirement of legitimacy means that the goals must be ‘in accordance with the law’ in the broadest sense of the word.

This includes all forms of written and customary law, primary and secondary legislation, municipal decrees, judicial precedents, constitutional principles, fundamental rights, other legal principles, as well as jurisprudence, since such ‘law’ would be interpreted and taken into account by competent authorities.

Within the legal limits, other elements such as customs, codes of conduct, ethical codes, contractual arrangements and the general context and facts of the case may also be considered to determine whether a particular purpose is legitimate.

This includes the nature of the underlying relationship between the controller and the data subjects, whether commercial or otherwise.

Main GDPR articles in which the principle of Purpose Limitation is explicitly addressed:

25 – Data protection by design and by default

30 – Record of processing activities

35 – Data protection impact assessment

40 – Codes of conduct