The General Data Protection Regulation (AVG). , introduced in May 2018, has many obligations and requirements. We walk through these using five domains, each with its own AVG obligations. This analysis model is not only useful during the implementation of the AVG, but also helps to check whether the organization is fully compliant with the requirements with the measures implemented.

At first glance, the AVG seems like a big, opaque pile of obligations, rules and prescribed documents. As a first step toward regulation, it is important to realize that the AVG is about two concepts: demonstrability and transparency.

You must demonstrate that your organization is compliant with the AVG, meaning that all requirements are met. An example is the register of processing activities. With this register, you make it clear that all ways of processing personal data have been mapped out, that the organization knows what data is being processed, by whom, in what systems and what measures have been taken to protect this data.

The second is that the AVG requires transparency: it must be clear what data you are processing and why you are processing it. In the privacy regulations on your website, for example, you make it known which personal data are collected, what the purpose of this is and what legal basis is used to collect this data.

To organize the mush of obligations and rules, in this book I use the privacy framework from IT consulting firm Centric. This is a handy model for implementing the obligations of the AVG. It also serves as a check to assess whether your organization is compliant with the AVG or if there are still "gaps. The framework breaks down privacy into five domains.

The privacy framework

Re 1 - Compliance

Compliance is complying with the AVG and demonstrating compliance with privacy obligations. This includes all obligations imposed on organizations by the AVG.

To become compliant with the AVG, the register of processing activities is the starting point. This register maps out all the ways in which data is processed, how it is carried out and by whom. The register is also the basis for the privacy regulations to be drawn up, to assess whether a processor agreement is necessary or what happens if data subjects want to exercise their rights.

There are various software tools for this, but often a cleverly designed Excel sheet is all that is needed.

The register of processing activities shall include the following for each processing activity:

1. A description of the processing activity

2. The security measures in place

3. Whether there is a transfer of the data within or outside Europe

4. Where the data comes from

If there is a transfer of data to a third party, the data from that third party, i.e., the new processor, will be listed.

The processing activity should be specified in the register. An overly broad, generic formulation of a processing activity does not suffice. So not: 'Maintaining customer contacts', but: 'Sending a newsletter' or 'Issuing quotations'. Even 'Executing the employment contract' is too broad a description. This generic description can be split into, among others, 'making salary payments' and 'conducting appraisal interviews'.

Each description of a processing activity has the following elements:

• A brief description of the activity, for example, "Registering members of an association," "Executing employment contract," or "Sending newsletter to customers

• The group of individuals whose data is being processed, for example, "Members," "Employees," or "Customers

• The type of data captured, e.g., "Name," "Address," "Social Security Number

The type of data your organization processes is important to the legal basis you use to process it, its basis. Some categories of data, for example medical, may not be processed unless you meet certain conditions.

To gain insight into this, it is important to classify the data. Once you have a map of the data being processed, you can classify it: is it ordinary personal data or are special or sensitive data being processed? With the type of data you also indicate the classification.

• What is the purpose of capturing the personal data? For example, "Contacting members," "Paying salaries," or "Maintaining customer contacts.

In the register you record the purpose of the processing. Just collecting data from individuals is not allowed. Data must always be collected for a specific purpose - this is called purpose limitation.

If the purpose of the processing is clear, then you need to look at whether the processing meets the principles of proportionality, data minimization and subsidiarity. Is the processing proportionate to the purpose for which the personal data is being processed (proportionality)? Are no more data being requested than is necessary for the purpose (data minimization)?

And then subsidiarity: are the data really necessary to achieve the goal? Is there no other way to achieve the purpose without processing personal data? And is it necessary to collect this data in the way described for the purpose being served?

• The categories of processors: which functions process personal data? 'The secretary of the association'? 'Employees HR department' or 'Employees marketing'?

• Categories of data recipients. Who receives your organization's personal data? Just the organization that handles payroll or also the marketing agency that handles newsletter sending for you?

• The retention period: how long will personal data be kept?

For some data this is easy; they are subject to a legal retention obligation. For example, data from payroll records must be kept for five years and all invoices for up to seven years.

In addition, for some data, only a legal indication is given as to what is a reasonable retention period. For example, the reasonable retention period for data of a job applicant is "one month after the end of the application process" and data of a staff member is destroyed two years after leaving employment. The retention periods here are guidelines; they can be deviated from.

So the AVG does not give deadlines, but it does require them to be established and adhered to.

• Data storage: where and how is the data stored? Are personal data stored on a form in a folder? Are employment contracts stored digitally on the server? And in which software package is all customer data stored?

The framework uses the concept of information containers (IC) for data storage. ICs are the media on which personal data are stored, the carriers of personal data. These can be databases, but also paper lists. The concept is useful for assessing the necessary technical and organizational measures. After all, each IC will call for its own measures. In addition, it helps to identify the risks of processing. When personal data transfers from one IC to another, there will always be a risk.

• The basis: what is the legal basis for processing the personal data? Are we allowed to process the data?

Unlike the first eight points, for which you are free to phrase them however you want, the AVG gives only a limited number of bases you may use.

The AVG has six bases; you must always use one of these bases when processing personal data.

1. There is consent from the person whose data is being processed.

2. It is necessary to process data in order to execute a contract. This includes data processed in the run-up to the conclusion of the contract, the so-called pre-contractual phase.

3. It is necessary to process data because you are required to do so by law. This applies, for example, if the police order you to hand over personal data or if you have to fulfill a tax obligation.

4. It is necessary to process data to protect vital interests. This applies, for example, when a person is unconscious and danger is imminent. The person in question cannot consent to the processing of their data, but on this basis it is still permitted.

5. It is necessary to process data to perform a task of public interest or public authority. An example is the municipality having cameras installed to increase security through camera surveillance.

6. It is necessary to process data in order to protect your legitimate interest. You have a legitimate interest if your interest outweighs the fundamental right to privacy of the person whose data you are processing.

In practice, basis 1 (consent) and 2 (execution of agreement) will be used most often. Justifiable interest is a basis that I believe can be used more often, instead of the basis consent.

In Chapter 6, I discuss the advantage of the legitimate interest basis over the (too) widely used consent basis.

Re 2 - Transparency

The transparency domain is mainly about transparency in terms of the rights and obligations of data subjects under the AVG.

First of all, there is a duty to inform the data subjects. You must inform them that you are processing their data, exactly what data you are processing, what the basis for doing so is, and how long you keep the data. This is all included in the privacy statement, which also lists a number of things from the compliance domain.

Data subjects also have a number of rights: the right to access, rectification, data erasure and data portability.

The framework also puts "logging" under the domain of transparency. Who had access to what data when, and what did that person do with it? From the AVG this is not explicitly mentioned, although you could put it under the required technical measures. Either way, to have a grip on personal data, logging and tracking log data is essential.

Re 3 - Security

Security management in the broad sense is about protecting an organization's assets, such as buildings, systems, data and databases. Assets are protected by identifying them, documenting them and implementing protective procedures.

The AVG focuses this on the personal data held by the organization. The law requires that appropriate technical and organizational measures be taken. Those measures must be balanced with the size, type of organization and type of data being processed. Classifying data from the compliance domain and determining threats and vulnerabilities determine whether a measure is appropriate.

The AVG lists a number of specific concerns:

• Pseudonymizing and encrypting data;

• The confidentiality, integrity, availability and resilience of the systems;

• The speed with which the availability of and access to personal data are restored after a disaster;

• Periodically test, assess and evaluate the effectiveness of measures.

Technical and organizational measures from the security domain are also included in the registry.

Re 4 - Governance

The fourth domain is that of governance. This deals with all the structures and processes that ensure that the organization is demonstrably in control of the data being processed.

The AVG provides a number of processes and tools in this area: the processor agreement, a proper data breach procedure and the obligation to conduct a data protection impact assessment (DPIA) (see Chapter 8).

Re 5 - Organization

At the organizational level, the AVG expects a privacy policy to be formulated and privacy management processes to be implemented. In the privacy policy, not to be confused with the privacy statement, the organization describes what its policy is on privacy. Thus, this goes beyond the AVG; the organization states in this document how it thinks about privacy, what its views on it are and how it intends to deal with it. From the policy follow the processes necessary to implement the policy. The privacy policy is not a stand-alone document: it aligns with and reinforces the organization's mission, vision and strategy.

A privacy policy will only be successful if employees are privacy conscious. They must put the policy into practice. Therefore, the obligation under the AVG to create privacy awareness among employees falls into this domain.

This domain includes the appointment of a Data Protection Officer (FG). The AVG provides guidelines in which cases this is a requirement. The Dutch regulator has further fleshed out these generic rules in concrete terms.

When things go wrong: a German housing corporation

In October 2019, the data protection supervisor of the German state of Berlin imposed a fine of no less than 14,500,000 euros on a housing corporation. The reason for this fine was twofold.

The tenants' data were recorded in a computer system, but they could not be removed from it at a later date. The data that was captured could be classified as sensitive data; it concerned the finances and personal circumstances of the individuals involved, from pay slips and employment contracts to tax data and social insurance information.

In the supervisor's opinion, the housing corporation recorded more data for a longer period of time than was necessary for the purpose (purpose limitation). Although the housing corporation took measures for this, they were insufficient to comply with the AVG. When developing the software, the corporation had not sufficiently considered the protection of personal data, the principle of "privacy by design. As the processor responsible, the organization should have taken the privacy aspects into account from the beginning of the development of the software, so that data is not kept longer than necessary.