3-3-2018
AVG...? Isn't that that virus scanner ;-)
Yes, we initially thought of the brightly colored free antivirus software, too. But the new AVG stands for "Algemene Verordening Gegevensbescherming", the Dutch name of the General Data Protection Regulation (GDPR). New privacy legislation is coming. Be prepared!
New privacy laws
Developments in technology are accelerating, and privacy is a hot topic in this regard. Viewers of the Netflix series "Black Mirror" will probably still vividly remember the episodes in which technology tangles painfully with privacy. Professional ethics are becoming increasingly important in IT. How is privacy regulated now, and what will change soon?
Apps and privacy
Zooma builds apps for its clients. Apps offer useful tools and functionality, and to deliver it an app needs data: for example, the user's location, or data already stored on the phone or tablet. An app can send push messages, and it can aggregate, store, or even share data with third parties. All this, of course, to give the user a great experience or up-to-date information. But it must be clear exactly what happens to the data, and how the user's privacy is guaranteed.
Processing personal data
As a service company, you quickly end up holding personal data. Think of the information you keep about your customers. If you store that data, you are already processing personal data, and privacy legislation applies to you. Currently, this is regulated by the Personal Data Protection Act (Wet bescherming persoonsgegevens, Wbp). The Wbp provides rules on security, registration, consent, documentation and retention periods, among other things.
General Data Protection Regulation
As of May 25, 2018, the Wbp will be replaced by the General Data Protection Regulation (AVG). The AVG is an EU regulation that applies directly in every member state, supplemented in the Netherlands by the AVG Implementation Act (UAVG), so largely the same rules will apply across Europe. The AVG expands users' privacy rights and places more responsibilities on the organizations that handle personal data. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) supervises compliance with the AVG.
Basic principles
A number of basic principles apply to the processing of personal data. It must be done lawfully, fairly and transparently; no more data may be processed than is necessary for the stated purpose; the data must be accurate; it may not be kept longer than necessary; and it must be secured appropriately.
Consent
Consent is one of the grounds on which personal data can lawfully be processed, and it already had to be obtained before processing began. Under the AVG, the way consent is obtained is regulated more tightly: it must be freely given, specific, informed and unambiguous, so silence or a pre-ticked box does not count. Organizations must be able to prove that they obtained valid consent, and users must be able to withdraw it just as easily as they gave it.
Stricter rules apply to certain categories of personal data. Processing the BSN (the Dutch citizen service number), for example, is only permitted where a law specifically authorizes it. An organization without such legal authority may not process this data, consent or not.
Right to be forgotten
In addition to the right to object to processing and to demand rectification of inaccurate data, users have the right to have their personal data deleted: the right to be forgotten. When they exercise it, they can require the organization to pass the deletion request on to every other organization to which it has disclosed the data.
Portable data
Users already have the right to access their data, but under the AVG they also get the right to receive their personal data in a structured, commonly used and machine-readable format. This allows them to take their data to a new service provider without friction.
Accountability
Companies must be able to demonstrate that they comply with the law and with the basic principles above. Processes must be documented and technical measures are required. Do you keep a record of what data you process, and can you account for it? Do your staff know what to do in the event of a data breach? Under the AVG, a breach must in principle be reported to the Data Protection Authority within 72 hours of discovery. Depending on your situation, you may also need to appoint a data protection officer (functionaris gegevensbescherming, FG) and conduct a Data Protection Impact Assessment (DPIA).
Who is ultimately responsible?
Zooma builds apps on behalf of its customers. We provide an IT service, namely the use of an app we have built. The compiled app is distributed through the App Store and Google Play; the source code remains Zooma's property. Once downloaded, the app uses the user's data, which is stored either with the client or on Zooma's servers. So who is responsible for the careful processing of that personal data?
The law states that the party "who determines what personal data is collected, for what purpose it is collected and how it is collected" is the responsible party, called the controller under the AVG. In many cases, this is our client: the party that conceived and financed the app, and the one regulators will usually hold responsible. A party like Zooma that processes the data on the client's instructions is a processor under the AVG, and the AVG requires controller and processor to put their respective duties in a written processing agreement. But because there is a collaboration between Zooma and the client, we consider compliance with privacy law a joint responsibility, and we address it together with our client.
Want to know more?
This short article only scratches the surface. At Zooma, we are prepared for the new AVG and are happy to assist our clients on this topic. Want to know more about apps and privacy? Feel free to contact us.