Since the General Data Protection Regulation (GDPR) was implemented in 2018, organisations are required to comply with regulations concerning the processing of personal data. Privacy experts within the Information Security and Privacy Protection Center (CIP) network have developed the ‘Privacy Top 10’ factsheet.
This factsheet provides guidance for responsible and secure handling of data and information. Data Protection Officers (DPOs) and other privacy professionals can use the ‘Privacy Top 10’ within their organisations. Its purpose is to boost organisation awareness and encourage responsible behaviour among staff.
The top ten
The ‘Privacy Top 10’ factsheet on the CIP website (in Dutch) features concise descriptions of the ten most important topics from the field of privacy and the GDPR. It provides a quick overview of key considerations and privacy risks:
- Understanding personal data according to the GDPR: All information that relates to an individual or by which an individual can be identified.
- There are six legal bases for processing personal data: Consent, contract, legal obligation, vital interests, public interest, and legitimate interest.
- Special category data: This data is more sensitive than ‘ordinary’ personal data and is granted additional protection under the GDPR.
- Examples of special category data: Race or ethnic origin, political opinions, religious beliefs, health data, sexual behaviour/orientation, and biometric data.
- Secure personal data processing: Data must be processed securely to prevent loss, corruption, or (further) unauthorised processing.
- Privacy policy requirement: Organisations that process personal data must have a privacy policy outlining measures to comply with legislation.
- Processing register: Every public organisation must maintain a register of processing activities with information about the personal data processed by the organisation.
- Data processing agreement: Clarifies roles and responsibilities when engaging another organisation for data processing.
- Right of access: Individuals have the right to access the personal data an organisation holds about them, and to request its modification or deletion.
- Data breach notification: Breaches must be reported to the Dutch Data Protection Authority (AP) within 72 hours if they pose a risk to individuals.
The factsheet is based on version 3.3 of the CIP’s Privacy Baseline (in Dutch), which translates GDPR requirements into practical and manageable standards for effective implementation and application.