The first question that may come to mind is: why should I care about The Netherlands issuing privacy policy guidelines? The answer is simple.

The data protection authorities (DPAs) of the Netherlands and of all other 27 EU member states hold equal authority in issuing interpretations of the General Data Protection Regulation (GDPR). As a result, a U.S. or Canadian company should care: following this guidance places you squarely within the requirements of the law and shows how you should react when you are crafting a privacy policy.


It is important to note that even though the GDPR is a European Union law, it affects businesses around the globe. 

The Dutch Data Protection Authority, or Autoriteit Persoonsgegevens, issued the following six recommendations for any corporate privacy policy as required by Article 24.2 of the GDPR.

The guidelines recommend that companies:

  • assess whether they are under an obligation to implement a privacy policy, based on their processing activities (according to Article 24 of the GDPR, such assessment must be made taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons);
  • use internal and/or external expertise (in this respect, the Dutch DPA states that companies’ data protection officers can play a role in implementing privacy policies);
  • draft their privacy policy in one document to avoid fragmentation of information about data processing;
  • draft specific and concrete privacy policies (a data protection policy should be a concrete reflection of the principles of the GDPR as simply reiterating the principles of the GDPR is not sufficient);
  • raise awareness (although this is not a requirement under the GDPR, the Dutch DPA recommends publishing privacy policies to ensure that data subjects are aware of how companies handle their personal data); and
  • consider implementing a privacy policy even if it is not required, to demonstrate the organization’s willingness to protect individuals’ personal data.

The original report is located here:

This post was written in conjunction with the AOTMP® Efficiency First® Framework’s Regulatory Compliance and Risk Management core activities. 

Efficiency First® Framework v3.0 is the standard for measuring telecom, mobility, and IT management Center of Excellence maturity. It defines a comprehensive set of strategic performance measures, tactical diagnostic measures, and best practice principles used to optimize Center of Excellence business value. Enterprise organizations adopt the Framework and vendors align solutions to Framework principles.
