GDPR compliant in 10 steps
The General Data Protection Regulation applies to every organisation that processes personal data of people in the EU, whether or not the organisation itself is established in the EU. In practice, this includes almost every company, even the smaller ones. The GDPR defines 'personal data' very broadly: any information relating to an identified or identifiable person. IP addresses, cookie identifiers and Twitter handles, for example, also count as personal data.
Many GDPR principles are the same as those of the now superseded Belgian Privacy Act. Even so, it is important for businesses to take action, because the penalties for non-compliance are severe: fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. There are therefore plenty of reasons to follow the step-by-step plan below. We are very pleased to help you on your way to becoming GDPR compliant!
1. Raise awareness among your employees
Not just you, but all the other employees in your company or organisation should be aware of the GDPR and the associated regulations. It’s essential to assess the impact of the GDPR and to map out the necessary changes within your company or organisation.
If necessary, organise an information session, a workshop or something similar for your employees to ensure they are, and remain, well informed.
2. Set up a data register
As part of the documentation requirement, your organisation has to keep a data register, also called a record of processing activities (see also step 3). Organisations with fewer than 250 employees are exempt only if their processing is occasional, low-risk and does not involve special categories of data, so in practice most companies need one. The supervisory authority can ask to see the register at any time, not only after a data leak, and it is your evidence that you have followed the rules.
In the data register, you describe which personal data you process, for which purposes and on which legal basis, where the data come from, with whom they are shared, how long you keep them and which security measures protect them. The register must provide an accurate overview at all times, so update it whenever a process changes.
3. Perform the necessary research
Processing personal data is only permitted on a valid legal basis: for example, the data are necessary to perform your contract with the person (to deliver your services), you have a legal obligation, you have a legitimate interest that is not overridden by the person's interests, or the person has given consent. Two related principles apply on top of that: purpose limitation (you may only use the data for the purposes you collected them for) and data minimisation (you may only collect what those purposes require).
Take a very critical look at why you are collecting data and whether you really need them. Personal data must also not be stored indefinitely. For example, you need to justify why you would keep records of prospects or the CVs of job applicants for n years, and delete them when that period ends.
4. Check the consent
How exactly do you ask for someone's consent to process their personal data? The GDPR states that consent must be freely given, specific, informed and unambiguous. For example, having to share your location before you can use the torch on your smartphone is not freely given consent: a torch does not need your location to switch on the flash, so the consent is a condition that has nothing to do with the service.
Consent must also be given by a clear affirmative action. Silence or a pre-ticked box therefore never amounts to valid consent: the person has to tick the box or press the button themselves.
Besides asking for and obtaining consent, registering it is just as important, because consent must be demonstrable. You must be able to prove afterwards that you received the right consent, for each purpose, for each personal data item you process: who consented, when, to what, and which information they were shown. The person can also withdraw consent at any time, and withdrawing must be as easy as giving it.
If you offer online services directly to children, you need the consent of the parent or guardian for children below the age threshold, which is 16 under the GDPR unless the member state lowers it (Belgium chose 13).
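As an added example (not part of the original article), the following Python sketch shows what "registering consent so that it is demonstrable" can look like in a system: an append-only register that refuses consent events which would not be valid (no purpose, pre-ticked box, no affirmative action, no notice text), records exactly which wording the person saw, keeps consent per purpose, and honours withdrawal. The class and field names are assumptions for illustration, not a standard or a library API.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    """One append-only entry in the register: a grant or a withdrawal."""
    kind: str            # "grant" or "withdraw"
    subject_id: str      # your own reference for the person, not their email
    purpose: str         # one specific purpose, e.g. "newsletter"
    notice_sha256: str   # hash of the exact text the person was shown
    notice_text: str     # kept as well, so the evidence is readable later
    timestamp: datetime  # UTC time of the action


class ConsentRegister:
    """Hypothetical consent register (illustrative names, not a standard)."""

    def __init__(self):
        self._events = []

    def grant(self, subject_id, purposes, notice_text,
              ticked_by_user, control_default_checked, when=None):
        """Record consent only if it meets the GDPR conditions; otherwise raise,
        so the caller cannot start processing on the basis of invalid consent."""
        if not purposes:
            raise ValueError("consent must be specific: at least one purpose is required")
        if control_default_checked:
            raise ValueError("a pre-ticked box is not a clear affirmative action")
        if not ticked_by_user:
            raise ValueError("no affirmative action by the person was recorded")
        if not notice_text.strip():
            raise ValueError("consent must be informed: no notice text was shown")
        when = when or datetime.now(timezone.utc)
        digest = hashlib.sha256(notice_text.encode("utf-8")).hexdigest()
        # One event per purpose: consent for "newsletter" never implies "profiling".
        for purpose in purposes:
            self._events.append(
                ConsentEvent("grant", subject_id, purpose, digest, notice_text, when))

    def withdraw(self, subject_id, purpose, when=None):
        """Withdrawal must be as easy as giving consent; it is just another event."""
        when = when or datetime.now(timezone.utc)
        self._events.append(ConsentEvent("withdraw", subject_id, purpose, "", "", when))

    def has_consent(self, subject_id, purpose, at=None):
        """Consent at time `at` is whatever the latest grant/withdraw before
        that moment says for this subject and this specific purpose."""
        at = at or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose
                    and e.timestamp <= at]
        if not relevant:
            return False
        # Stable sort: on equal timestamps the later-recorded event wins.
        return sorted(relevant, key=lambda e: e.timestamp)[-1].kind == "grant"

    def evidence(self, subject_id, purpose):
        """What you can show the supervisory authority: when consent was given
        or withdrawn and exactly which wording the person saw."""
        return [e for e in self._events
                if e.subject_id == subject_id and e.purpose == purpose]


if __name__ == "__main__":
    reg = ConsentRegister()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg.grant("u1", ["newsletter"], "We will email you our monthly newsletter.",
              ticked_by_user=True, control_default_checked=False, when=t0)
    print(reg.has_consent("u1", "newsletter"))   # True
    print(reg.has_consent("u1", "profiling"))    # False: consent is per purpose
    try:
        reg.grant("u2", ["newsletter"], "Same notice.",
                  ticked_by_user=True, control_default_checked=True, when=t0)
    except ValueError as err:
        print("refused:", err)
```

Storing the hash and the text of the notice matters because "informed" consent can only be proven if you can later show what the person was actually told, and a later change to your privacy text must not silently rewrite that evidence.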
5. Communicate about privacy
Fine-tune your communication about data processing and make adjustments where necessary. The GDPR requires that all your information be concise, understandable and clear.
Besides the identity of the data controller (your organisation) and the purposes for which the data are used, you also have to provide the following information:
- On which legal basis are you permitted to process these data? (see step 3)
- How long are you going to keep them?
- Are you going to transfer the data to a party outside the European Union?
- How can someone file a complaint with the supervisory authority (in Belgium the Data Protection Authority, the successor of the Privacy Commission)?
Tip: Also check how long you can keep which types of information (varies from country to country).
6. Reflect on every new process or product
'Privacy by Design' (and 'Privacy by Default') is the standard under the GDPR. This means that when you develop (new) products and services such as websites, you must build in Privacy Enhancing Technologies (PET) from the start. You can do this by pseudonymising personal data (replacing direct identifiers with a code, with the key to reverse it kept separately) or by limiting access rights to the personal data, for example. Note that pseudonymised data are still personal data, because you can re-identify the person with the key. Only once data are truly anonymised, so that nobody can reasonably identify the person any more, even by combining them with other data, do they stop being personal data and fall outside the privacy rules. This is very useful if you want to process big data, but simply removing names is usually not enough to get there.
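To make the difference between pseudonymisation and anonymisation concrete, here is an added Python example (not code from the original article). It uses constructed sample customer records, not real people, and shows three things: an unkeyed hash of an email address is not a safe pseudonym because anyone with a list of candidate addresses can recompute it; a keyed HMAC pseudonym can only be reversed by the holder of the key, which is exactly why such data remain personal data; and a data set with direct identifiers removed can still single people out through quasi-identifiers such as postcode and year of birth. The function names and the k-anonymity check are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample customer records for this example; not real people.
CUSTOMERS = [
    {"email": "alice@example.com", "postcode": "1000", "year_of_birth": 1984},
    {"email": "bob@example.com", "postcode": "1000", "year_of_birth": 1991},
    {"email": "carol@example.com", "postcode": "9000", "year_of_birth": 1975},
]


def naive_pseudonym(email):
    """Unkeyed SHA-256 of the address. It looks irreversible, but email
    addresses are low-entropy: anyone with a list of candidates can
    recompute the hash and link the pseudonym back to a person."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def keyed_pseudonym(email, key):
    """HMAC-SHA256 pseudonym. Only the holder of `key` can recompute it,
    so keep the key separate from the pseudonymised data set (e.g. in a KMS)."""
    return hmac.new(key, email.strip().lower().encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(customers, key):
    """Replace the direct identifier (email) with a keyed pseudonym while
    keeping the attributes needed for analysis."""
    return [
        {"pid": keyed_pseudonym(c["email"], key),
         "postcode": c["postcode"],
         "year_of_birth": c["year_of_birth"]}
        for c in customers
    ]


def reverse_by_guessing(pseudonym, candidates, fn):
    """Dictionary attack: recompute fn() over candidate addresses and look
    for a match. Succeeds against unkeyed hashes of guessable input."""
    for email in candidates:
        if hmac.compare_digest(fn(email), pseudonym):
            return email
    return None


def reidentify(pseudonym, key, known_emails):
    """What the key holder (the controller) can still do. Because this is
    possible, a pseudonymised data set is still personal data under the GDPR."""
    return reverse_by_guessing(pseudonym, known_emails,
                               lambda e: keyed_pseudonym(e, key))


def small_groups(records, quasi_identifiers, k):
    """Return combinations of quasi-identifier values shared by fewer than k
    records. Such groups can single a person out even with no direct
    identifier left, so dropping the email column alone is not anonymisation."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return {combo: n for combo, n in counts.items() if n < k}


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    wordlist = [c["email"] for c in CUSTOMERS] + ["mallory@example.com"]

    # 1. Unkeyed hash: reversed with a simple wordlist.
    print(reverse_by_guessing(naive_pseudonym("alice@example.com"), wordlist, naive_pseudonym))
    # 2. Keyed pseudonym: an attacker with the wordlist but a wrong key gets nothing...
    wrong_key = secrets.token_bytes(32)
    pid = keyed_pseudonym("alice@example.com", key)
    print(reverse_by_guessing(pid, wordlist, lambda e: keyed_pseudonym(e, wrong_key)))
    # ...but the controller, holding the key, still can: still personal data.
    print(reidentify(pid, key, wordlist))
    # 3. Quasi-identifiers: postcode 9000 has a single record, so it identifies Carol.
    print(small_groups(pseudonymise(CUSTOMERS, key), ["postcode"], 2))
```

In practice the key used for pseudonymisation is a secret to be managed like any other cryptographic key: rotate it, restrict who can use it, and log its use, because whoever can run `keyed_pseudonym` can re-identify everyone in the data set.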
Tip: If you are implementing new high-risk processes, you should definitely carry out a Data Protection Impact Assessment or DPIA.
7. Provide a procedure
Individuals have a number of rights over their personal data, and you must be able to honour them, normally within one month of a request. Write down the procedure for handling such requests, or build it into your IT systems, so that the process stays on track. Rights you must cater for include:
- Right to be informed and right of access: to know what you are doing with their data and to receive a copy of the personal data you hold
- Right to rectification and to erasure of data (the 'right to be forgotten')
- Right to object to processing, in particular to direct marketing, and right not to be subject to purely automated decision-making, including profiling, that has legal or similarly significant effects
- Right to data portability: everyone should be able to retrieve their personal data in a structured, commonly used, machine-readable format and to have them transferred to another provider
8. Create a data disaster plan
The GDPR requires you to prepare in advance for the event that things go wrong with your data. Build adequate procedures to quickly detect, investigate and report data breaches: a breach that is likely to result in a risk to the people concerned must be reported to the supervisory authority (in Belgium the Data Protection Authority, formerly the Privacy Commission) within 72 hours of becoming aware of it. Larger companies and organisational structures should have the appropriate policies in place to manage data breaches. When the breach is likely to result in a high risk to the data subjects (the people whose data have been leaked), they too have to be informed without undue delay. Keep an internal log of every breach, including the ones you decide not to report, together with your reasoning.
If you do not comply with this reporting requirement, an additional penalty may be added on top of the penalty for the data breach.
9. Appoint a Data Protection Officer (DPO)
Consider whether or not you have to appoint a DPO. Public authorities, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations that process special categories of data (such as health data) or criminal data on a large scale are required to appoint one. The DPO can also be an external advisor.
10. Check your data streams
If you process data outside the European Economic Area (e.g. data stored on a server in the US, or a cloud provider or subcontractor located there), you may only do so if the destination country offers an adequate level of data protection as recognised by the European Commission, which is the case for a limited number of countries, or if you put appropriate safeguards in place, such as the Commission's standard contractual clauses. Map your data flows, including those of your processors, and make sure that everything is contractually in order with all parties involved. It is always advisable to seek the assistance of a specialist.
If you have any questions, comments or suggestions on the GDPR, do not hesitate to contact us.