The General Data Protection Regulation (GDPR) is a European “law” that will enter into force on 25 May 2018. The GDPR applies to companies and government bodies. It concerns the protection and management of personal data of website visitors, prospective clients, clients, employees, etc. If you do not comply with the GDPR, you risk incurring an astronomical fine.

To avoid incurring such fines, here are the 5 major obligations you have to comply with:

  1. The GDPR imposes new obligations on companies and government bodies

If, when the General Data Protection Regulation enters into force on 25 May 2018, your company is obliged to comply with this law, you will have to maintain a register of your data processing activities. This register will replace the duty to report to the Privacy Commission (Read more about the difference between the General Data Protection Regulation (GDPR) and the Privacy Act).

In addition, the duty of responsibility includes a requirement to carry out Privacy Impact Assessments (PIAs)during high-risk projects. This refers to activities that constitute a risk to natural persons’ rights and liberties, such as large-scale systematic monitoring of spaces open to the public or large-scale processing of data relating to people’s health, etc.

If any incidents occur, e.g. your database is hacked or you yourself accidentally put this database online, you will be obliged to report this within 72 hours to the Privacy Commission and to the relevant persons themselves in some cases.

Companies will have to implement Privacy by Design & Default. Firstly, this means that data protection principles will have to be incorporated into new processing projects and secondly, it means that the standard settings may only process a minimum quantity of personal data.

To ensure that all this proceeds smoothly, you may be obliged to appoint a Data Protection Officer (DPO)click here to see whether you are obliged to do this.

  1. The GDPR assigns new rights to the parties concerned

“The parties concerned” are you and me, in fact this refers to all identified and identifiable natural persons to whom personal data relates. For example, if you use Facebook, you are one of the parties concerned.

As a party concerned, you have certain rights such as the right to Data Portability, which is the right to have all your personal data transferred from one processor to another, in exactly the same way as you would do with your phone number. Another right is ‘the right to be forgotten’, which means that you as a party concerned are entitled to have your personal data deleted if its processing is no longer justifiable. For example, this would be the case if an organisation no longer requires your data for its original purpose. (Click here to read more about the other rights of parties concerned)

  1. The GDPR sets more stringent conditions for obtaining consent

In many cases it is essential for an organisation to obtain consent from the parties concerned with respect to processing their personal data. Such consent must be obtained by means of a declaration or an active unambiguous action such as signing, ticking a box, etc.

  1. The GDPR sets more stringent transparency regulations

If your organisation processes personal data, it has to notify the party concerned of this processing and inform them of the purpose for which it requires their personal data and the parties to which it will pass on this data, etc. Formally speaking, your organisation’s privacy policy must be available on your website in a concise, transparent, comprehensible and easy-access form, and it must be phrased in clear and simple language.


  1. The GDPR clarifies data security obligations

Data security is on corporate agendas more than ever before, certainly if this concerns personal data because the damage to people’s image may be immense. But the GDPR also obliges companies to protect personal data by implementing appropriate technical and organisational measures. These measures include e.g. encrypting and pseudonymisation, having audits carried out and ensuring backup & redundancy.

Do you have any doubts or queries about how GDPR applies?

Please feel free to contact us. We can quickly provide clarity on the application of the GDPR and/or how this will affect your company or organisation.

This post is also available in: Dutch

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *