Before you start preparing for the GDPR and its implementation, it is important to find out whether you come under its scope of application.

Almost every company and many individuals process personal data in some way, whether automatically or manually in a database or filing system. If you aren't sure whether this applies to you, use our GDPR checker to find out whether or not you come under the GDPR's scope of application.

If you do, it is best to follow the step-by-step plan below to prepare for the GDPR:

Step 1: Familiarising yourself with the GDPR and its terminology

The first step in your preparations must always be to obtain the necessary knowledge on the matter. To be able to estimate your obligations correctly, you must at least master the general principles and the correct terminology, such as 'party responsible for processing data' (the GDPR calls this the 'controller'), 'processor', 'personal data', etc. Read more about this in our blog posts, or call in a privacy specialist.

Step 2: Setting up a data register

Organise an internal audit that inventories all personal data you hold and every processing operation carried out on it: which data, about whom, for what purpose, on which systems, who has access, and to whom it is passed on. In the first place, this gives you a clear picture of what is being done with the data at your organisation. Secondly, it means you will be fulfilling a major new obligation in the GDPR, i.e. maintaining a register of your data processing activities.

Step 3: Facilitating the exercising of rights by the parties concerned

Identify the legal basis for each processing activity in the register you have set up. The most frequently occurring legal bases are: consent from the parties concerned, the need to perform a contract with them, and your company's legitimate interests (which must be weighed against the interests of the persons concerned).

Notify the parties concerned of your processing activities in the correct manner. To do this, you may have to re-evaluate your existing privacy statement. Implement internal procedures for handling requests from a party concerned for access to their data, for rectification or deletion of the data, or for restriction of its processing; you generally have one month to respond. Make an internal or external person responsible for this. In some cases you will also have to be able to hand the data over in a structured, commonly used, machine-readable format ('data portability').

Put procedures in place beforehand for detecting, investigating and reporting data breaches, because the 72-hour reporting deadline (see below) leaves no time to design them during an incident. Document them in a breach response plan, and consider holding a trial run.

Step 4: Appointing a DPO

After you have gained a clear insight into the processing activities at your company and examined and/or implemented the most essential procedures, you should check whether you have to appoint a DPO. Use our DPO checker to see whether you are obliged to appoint one.

Step 5: Make sure your employees are kept informed

Even the best data protection policy is useless unless your employees comply with it in their daily activities. In practice, surveys have found that the majority of data breaches are caused by an organisation's own staff (through error or carelessness) rather than by a third party acting with malicious intent.[1] In addition, severe sanctions may be imposed under the GDPR in the event of non-compliance with its obligations. For this reason, you must make sure that your employees are properly trained and kept up to date. Read more about the advantages of e-learning.

Step 6: Reviewing the working of your organisation

Consider how you can implement the concepts of privacy by design and privacy by default. Firstly, this means that data protection principles will have to be built into new processing projects from the outset, and secondly, it means that the default settings may only process the minimum quantity of personal data needed for the purpose. In addition, you must carry out Privacy Impact Assessments (PIAs; the GDPR itself calls them Data Protection Impact Assessments, DPIAs) for certain projects. This refers to processing that is likely to pose a high risk to natural persons' rights and freedoms, such as large-scale systematic monitoring of spaces open to the public (e.g. car parks) or large-scale processing of data relating to health, etc.

Consider whether your contracts with subcontractors (processors) still provide sufficient guarantees, particularly in the case of international transfers of data outside the EU.

[1] UK Information Security Breaches Survey 2015

The General Data Protection Regulation (GDPR) is a European "law" that applies from 25 May 2018. The GDPR applies to companies and government bodies. It concerns the protection and management of personal data of website visitors, prospective clients, clients, employees, etc. If you do not comply with the GDPR, you risk incurring an astronomical fine.

To avoid incurring such fines, here are the 5 major obligations you have to comply with:

  1. The GDPR imposes new obligations on companies and government bodies

If your company has to comply with the General Data Protection Regulation when it applies from 25 May 2018, you will have to maintain a register of your data processing activities. This register replaces the current duty to notify the Privacy Commission of your processing (Read more about the difference between the General Data Protection Regulation (GDPR) and the Privacy Act).

In addition, the accountability principle includes a requirement to carry out Privacy Impact Assessments (PIAs, called Data Protection Impact Assessments or DPIAs in the GDPR) for high-risk projects. This refers to processing that is likely to pose a high risk to natural persons' rights and freedoms, such as large-scale systematic monitoring of spaces open to the public or large-scale processing of data relating to people's health, etc.

If any incidents occur, e.g. your database is hacked or you yourself accidentally put this database online, you will be obliged to report this to the Privacy Commission within 72 hours of becoming aware of it, and, where the breach is likely to result in a high risk for the persons concerned, to notify those persons themselves as well.

Companies will have to implement Privacy by Design & Default. Firstly, this means that data protection principles will have to be built into new processing projects from the outset, and secondly, it means that the default settings may only process the minimum quantity of personal data needed for the purpose.

To ensure that all this proceeds smoothly, you may be obliged to appoint a Data Protection Officer (DPO). Use our DPO checker to see whether you are obliged to do this.

  2. The GDPR assigns new rights to the parties concerned

"The parties concerned" (the GDPR calls them 'data subjects') are you and me; in fact this refers to all identified and identifiable natural persons to whom personal data relates. For example, if you use Facebook, you are one of the parties concerned.

As a party concerned, you have certain rights such as the right to Data Portability, which is the right to receive the personal data you have provided in a machine-readable format and to have it transferred from one controller to another, much as you would take your phone number with you when changing operator. Another right is 'the right to be forgotten', which means that you as a party concerned are entitled to have your personal data deleted if its processing is no longer justifiable. For example, this would be the case if an organisation no longer requires your data for its original purpose. (Click here to read more about the other rights of parties concerned)

  3. The GDPR sets more stringent conditions for obtaining consent

In many cases it is essential for an organisation to obtain consent from the parties concerned with respect to processing their personal data. Such consent must be freely given, specific and informed, and it must be obtained by means of a statement or a clear affirmative action such as signing or ticking a box. Pre-ticked boxes, silence or inactivity do not count as consent, and the organisation must be able to demonstrate that consent was given.

  4. The GDPR sets more stringent transparency regulations

If your organisation processes personal data, it has to notify the party concerned of this processing and inform them of the purpose for which it requires their personal data, the legal basis, the parties to which it will pass on this data, how long it will be kept, etc. Formally speaking, your organisation's privacy policy must be available on your website in a concise, transparent, comprehensible and easily accessible form, and it must be phrased in clear and plain language.


  5. The GDPR clarifies data security obligations

Data security is on corporate agendas more than ever before, certainly where personal data is concerned, because the reputational damage from a breach can be immense. But the GDPR also obliges companies to protect personal data by implementing appropriate technical and organisational measures, proportionate to the risk. These measures include e.g. encryption and pseudonymisation, having audits and tests carried out regularly, and ensuring backup & redundancy so that data can be restored after an incident. Note that pseudonymised data is still personal data and remains within the GDPR's scope; only truly anonymised data falls outside it.
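As an added illustration of the pseudonymisation measure mentioned above (this is example code written for this page, not code from the GDPR text or from the site's own tools), the block below shows the difference between a naive approach and a defensible one. Hashing an identifier such as a national number with plain SHA-256 is often presented as "anonymisation", but because the identifier space is small and structured, anyone can recover the original by hashing every candidate value. A keyed pseudonym (HMAC-SHA256 under a secret key) cannot be reversed without the key, which makes the key the "additional information" that must be kept separately. The same routine also drops the remaining direct identifiers, which is the privacy-by-default idea applied to one dataset. The records, names and national numbers are constructed for the example; the function names are our own.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample HR records for the example; the people and the
# Belgian-style national numbers (YY.MM.DD-XXX.XX) are made up.
SAMPLE_RECORDS = [
    {"national_id": "85.01.12-123.45", "name": "Jan Peeters",
     "email": "jan@example.org", "department": "sales", "sick_days": 4},
    {"national_id": "90.07.30-987.65", "name": "Marie Dubois",
     "email": "marie@example.org", "department": "it", "sick_days": 1},
]

# Fields that directly identify a person and must not reach the analyst.
DIRECT_IDENTIFIERS = ("national_id", "name", "email")


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256 of the identifier: what many teams call 'anonymisation'.
    Anyone who can enumerate the identifier space can reverse it (see below)."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. Without the key the pseudonym cannot be
    linked back to the identifier, so the key is the 'additional information'
    that GDPR Art. 4(5) requires to be kept separately from the data."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(target: str, candidates) -> Optional[str]:
    """Dictionary attack on an unkeyed hash: hash every candidate identifier and
    compare. This works because identifiers such as national numbers or phone
    numbers have a small, structured value space."""
    for candidate in candidates:
        if unkeyed_pseudonym(candidate) == target:
            return candidate
    return None


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Replace the direct identifiers by one keyed pseudonym and drop the rest
    of them: only the fields the analysis purpose needs leave the HR system."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_ref"] = keyed_pseudonym(record["national_id"], key)
    return out


def pseudonymise_dataset(records, key: bytes) -> list:
    return [pseudonymise_record(r, key) for r in records]


def demo():
    # Generate the key once and keep it in a KMS/HSM, never next to the data.
    key = secrets.token_bytes(32)
    # The candidate space an attacker can cheaply enumerate: every national
    # number sharing the birth date and check digits of the first record.
    candidates = [f"85.01.12-{n:03d}.45" for n in range(1000)]

    plain = unkeyed_pseudonym("85.01.12-123.45")
    keyed = keyed_pseudonym("85.01.12-123.45", key)
    recovered_plain = reverse_by_enumeration(plain, candidates)   # the original id
    recovered_keyed = reverse_by_enumeration(keyed, candidates)   # None

    dataset = pseudonymise_dataset(SAMPLE_RECORDS, key)
    return recovered_plain, recovered_keyed, dataset


if __name__ == "__main__":
    rp, rk, ds = demo()
    print("unkeyed hash reversed to:", rp)
    print("keyed pseudonym reversed to:", rk)
    for row in ds:
        print(row)
```

Running the block shows the unkeyed hash reversed to the original national number after at most a thousand guesses, while the keyed pseudonym is not recovered. Two practical points follow from this: the HMAC key must be managed as a secret with its own access controls (whoever holds it can re-identify everyone), and the pseudonymised dataset is still personal data under the GDPR, so the register, the legal basis and the security measures still apply to it.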

Do you have any doubts or queries about how GDPR applies?

Please feel free to contact us. We can quickly provide clarity on the application of the GDPR and/or how this will affect your company or organisation.

The GDPR and the Belgian Privacy Act (the Act of 8 December 1992) both relate to the processing of personal data. The new European 'law', i.e. the GDPR, will replace the outdated Belgian act.

The five major differences between the two are listed below:

1.    The GDPR has a much wider scope of application

At territorial level, the GDPR applies as a regulation throughout the entire European Union (hereafter: 'EU'). Moreover, even non-EU companies may come within its scope of application if they offer goods or services to persons in the EU or monitor their behaviour. With respect to content, too, the same text, in its 24 official language versions, is the single regulation that applies throughout the entire EU. Member states have only a limited margin to depart from the European standard, in the specific places where the regulation allows it.

The Privacy Act, on the other hand, is, as its name suggests, an Act and applies exclusively in Belgium. The Privacy Act does implement the 1995 European Data Protection Directive, which means the main points of data protection legislation are the same across the EU as regards content. But the differences between the national implementations were still big enough for the EU legislator to intervene, in view of the free flow of data within the EU.

2.    More drastic sanctions

Under the Privacy Act, the supervisory authority (the Privacy Commission in Belgium) has very limited enforcement powers of its own. The GDPR will enable this authority to impose administrative fines of up to EUR 20,000,000 or 4% of global annual turnover, whichever is higher. In addition, the authority is being given more resources for effectively investigating and correcting situations, such as the power to conduct on-site investigations.

From 25 May 2018, the persons concerned will also be able to lodge complaints against the party responsible for processing data (controller) and the data processor more easily, including through a not-for-profit body acting on their behalf, a form of 'class action'.

3.    Data leaks

Under current legislation, there is no obligation to report data breaches to the Privacy Commission in Belgium unless you are a telecom operator. This will change drastically when the GDPR applies. In the event of a data breach, you will have to report it to the Privacy Commission within 72 hours of becoming aware of it, and where the breach is likely to result in a high risk for the persons concerned you will have to notify them personally as well. Processors must in turn notify the controller they work for without undue delay.

4.    The GDPR now imposes obligations on subcontractors (processors) as well

Whereas the Privacy Act only imposes obligations on the parties responsible for processing data (controllers), the GDPR now targets their subcontractors, the processors, directly as well. For example, if a company compiles your contact details in order to send you newsletters, it often outsources the actual sending of these newsletters to a marketing or communications agency. Pursuant to the GDPR, such agencies will also have to comply with certain obligations themselves, such as guaranteeing data security, keeping their own processing register and only acting on the controller's documented instructions.

5.    Appointing a DPO

The GDPR creates a new type of role, i.e. the Data Protection Officer (DPO; in Dutch this carries the somewhat laborious title of functionaris voor gegevensbescherming). This person is responsible for monitoring compliance with the GDPR at a certain company or government body and acts as the contact point for the supervisory authority. If you'd like to know whether you are obliged to appoint a DPO, you can use our handy DPO checker.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR, or Algemene Verordening Gegevensbescherming, AVG, in Dutch) is a European 'law' on personal data protection. It is a new 'law', and practically all companies and government bodies will have to deal with it.

What does the GDPR apply to?

The GDPR applies to companies and government bodies that process personal data in the context of the activities of their establishments in the EU. In other words, these organisations use certain data relating to natural persons. 'Processing' covers virtually anything done with such data: storing it, consulting it, deleting it or sending it to third parties. Examples include your own employees' HR data or your clients' contact details.

For instance: your employees drive cars whose geolocation is tracked by your organisation or by a third party. If you record who is driving which car at what time, or if it is at least possible to work this out, the location data is personal data and the GDPR applies to you.

However, the GDPR also applies to companies that are not established in the EU if they offer goods or services to persons in the EU (e.g. a Chinese company doing this via a web shop) or monitor the behaviour of such persons (e.g. an American social network).

Why has the EU implemented the GDPR?

Firstly, the purpose of the GDPR is to give the persons concerned (greater) control over data relating to them. In this respect, their fundamental rights – such as the right to privacy – play a major role.

The fact that the European legislator is giving this matter priority is evident from the astronomical fines that can be imposed: up to EUR 20,000,000 or 4% of global annual turnover, whichever is higher.

Secondly, the GDPR makes it easier for companies because a uniform legal framework has been elaborated which applies throughout the entire European Union.

When will the GDPR enter into force?

The GDPR applies from 25 May 2018 (it formally entered into force in May 2016, with a two-year transition period). You must make sure you have brought all your activities into line with the new obligations in this regulation by then to avoid the risk of sanctions.

How can I fulfil the new obligations in the GDPR?

You will find the most important new obligations in the GDPR in our blog.
