What you need to know about GDPR
The Personal Data Protection ACT BES
The Personal Data Protection ACT BES (Wbp BES, by its Dutch acronym) has been in effect in the Caribbean Netherlands since October 10, 2010. To comply with the privacy laws of the Caribbean Netherlands, you must meet at least the following requirements.
The General Data Protection Regulation
The General Data Protection Regulation (GDPR) will come into effect in the European
Netherlands on May 25, 2018. We advise taking additional measures for data exchange
between Caribbean Netherlands and European Netherlands.
Principles
Be sure to comply with the principles of the Wbp BES when processing personal data, as these are in line with those of the GDPR.
Consent
If you process personal data based on the data subjects’ consent, these data subjects should understand what they are consenting to. The GDPR contains stricter rules on consent. You must be able to demonstrate that you have received the subject’s valid consent to process his or her personal data. Condition: Data subjects must be able to withdraw their consent just as easily as they were able to provide it.
Processing agreement
If you outsource your data processing to a third-party processor, be sure to do so based on a processing agreement. Assess whether your current processing agreements meet the requirements under the GDPR and, if not, make any necessary adjustments.
Overview of data-processing activities
Identify what personal data you process and for what purpose, where these data come from and whom you share them with. WHY: You want to be able to demonstrate that your processing of personal data is carried out in accordance with the applicable regulations. You will also need this information if a data subject (the person concerned) invokes his or her privacy rights (access, correction, deletion).
Privacy officer
Under the GDPR, organizations are required to appoint a Data Protection Officer (DPO). This is not a requirement for the Caribbean Netherlands. However, if you process special personal data or if you process personal data on a large scale, it is advisable to appoint a privacy officer for your organization. To determine if that is the case for your organization, you may carry out a privacy-impact analysis to identify your data-processing risks, which will then allow you to take any necessary measures to reduce such risks.
Privacy by design en privacy by default
Make sure to incorporate the applicable privacy standards into your work processes. Make sure that the data is adequately protected (organizational and technical measures). This is also compulsory under the Wbp BES.