The General Data Protection Regulation (GDPR) takes effect on 25 May 2018. In the Netherlands, these European regulations relating to the protection of individuals with regard to the processing of personal data are laid down in the 'Algemene Verordening Gegevensbescherming' (AVG).
The Directive has a major impact on European institutions, including KAS BANK. As part of our preparations we have set up a special GDPR project team.
28 Feb 2018
The aim of GDPR/AVG is to give natural persons more transparency and control over their personal data. Organisations are therefore expected to provide more security and controls to protect the use of personal data.
Multidisciplinary GDPR project team
As part of our preparations we have set up a special GDPR project team. Our GDPR team consists of compliance, IT, marketing specialists and lawyers and has been working on the various project streams that have been identified in the gap analysis. With this integrated and multidisciplinary approach, our services will be fully in line with the GDPR/AVG as of 25 May 2018.
10 project streams
Within the GDPR project 10 streams have been identified.
Task: to inform all relevant persons within our organisation of the new legislation under the AVG/GDPR.
A GDPR impact analysis has been carried out for all our processes and services. Where necessary, they will then be adapted to the new regulations. Through awareness sessions, our employees are kept informed about the GDPR implications and the impact for our clients.
- Rights of data subjects
Task: evaluate how privacy rights can be exercised.
Where necessary, policies and procedures will be adapted to comply with the AVG requirements. These include the right of access, rectification and deletion of personal data, and data portability.
- Overview processing operations
Task: record in a register how and for what purpose KAS BANK records personal data.
Using this register we can identify where personal data has come from, why it is necessary and with whom it can be shared. In doing so, we demonstrate that we are acting in accordance with the AVG (the "registration obligation").
- Data Protection Impact Assessment (DPIA)
Task: performing a Data Protection Impact Assessment (DPIA) is mandatory under the AVG.
The DPIA is a tool for identifying in advance the privacy risks relating to data processing and then taking measures to mitigate these risks.
Within KAS BANK, for new initiatives/projects or changes to existing processes and systems, a DPIA is always carried out to determine whether the processing of data may involve a privacy risk.
- Privacy by design and default
Task: when designing products and services that incorporate personal data ('privacy by design'), this data must be well protected.
Privacy by design and default means that technical and organisational measures are taken to ensure that, by default, only personal data necessary for a specific purpose is processed. These measures are evaluated on a regular basis.
- Data Protection Officer
Task: the Data Protection Officer supervises the application of and compliance with the AVG and GDPR.
We have an appointed Data Protection Officer who is also part of the GDPR project team.
- Duty to report data breaches
Task: draw up procedures to meet the AVG's requirements with regard to the recording of data leaks.
Both AVG and GDPR impose additional requirements regarding data leaks. We have already established the necessary procedures for this registration obligation.
- Processor agreements
Task: drawing up 'processor agreements' under the AVG.
We will send customised processor agreements to suppliers and customers when the data processing has been outsourced by KAS BANK, as data controller. These agreements will be sent out shortly. If necessary we will contact you directly regarding this agreement.
- Lead supervisor
For KAS BANK the leading supervisory authority in the Netherlands is the Authority for Personal Data. Our branches in the United Kingdom and Germany are also regulated by this authority.
Task: investigate and evaluate how consent is obtained from data subjects for the processing of their personal data.
Where necessary, permission will be updated to meet the AVG requirements.
Follow-up on GDPR
In the coming months, we will keep you informed about the progress of the implementation of the GDPR/AVG within our organisation.
For more information or questions, please contact our GDPR project team at FAQGDPR@kasbank.com.
UK Compliance Officer / Data Protection Officer
+44 20 7153 3632