The General Data Protection Regulation applies to all companies that process personal data of EU citizens. In practice, this includes almost every company, even the smaller ones - anywhere in the world. The European Union sees 'personal data' as a very broad concept. IP addresses, cookies and Twitter handles, for example, are also considered personal data.
Many GDPR principles are the same as those of the now superseded Belgian Privacy Act. As a business, it’s important to take action, as the penalties for non-compliance with the GDPR are huge. There are therefore plenty of reasons to follow the step-by-step plan below. We are very pleased to help you on your way to becoming GDPR compliant!
Not just you, but all the other employees in your company or organisation should be aware of the GDPR and the associated regulations. It’s essential to assess the impact of the GDPR and to map out the necessary changes within your company or organisation.
If necessary, organise an evening information session, workshop and the like for your employees to ensure they are - and remain - well informed.
As part of the documentation requirement, each company has to create a data register (see also step 3). If you ever experience a data leak, you have to present that register to prove that you have followed the rules.
In a data register, you create an overview of the personal data you are processing. You also state where the data come from and with whom they will be shared. Such a data register must provide an accurate overview at all times.
Processing personal data is only permitted if the data are necessary to provide your services, if you have a legal obligation or if you have received permission to do so. This is referred to as purpose limitation or data minimisation.
Take a very critical look at why you are collecting data and whether you really need the data. Personal data must also not be stored indefinitely. For example, you need to explain why you would want to keep records of prospects or resumes of job applicants for n years.
How exactly do you ask for someone's consent to process their personal data? The GDPR states that consent must be free, specific, informed and unambiguous. For example, having to provide your location information when you want to use the torch on your smartphone is not free consent, because your smartphone does not need your location to show you where you are going.
Consent must also be evidenced by active action. For example, there can be no question of valid consent if it is the result of a pre-ticked tick box.
Besides asking for and obtaining consent, registering the consent is also important. This is because the consent must be verifiable. You must be able to prove in retrospect that you received the right consent to process each personal data item you process.
If you want to process the personal data of minors, you need specific consent from the parent or guardian.
Fine-tune your communication about data processing and make adjustments where necessary. The GDPR requires that all your information be concise, understandable and clear.
Besides the data processor's identity and the way the data are used, you also have to provide the following information:
Tip: Also check how long you can keep which types of information (varies from country to country).
‘Privacy By Design' is the standard to be used in the context of the GDPR. This means that to develop (new) products and services such as websites, you must take into account Privacy Enhancing Technologies (PET). You can do this by pseudonymising personal data or by limiting the access rights to the personal data, for example. As soon as data are anonymised, they are no longer considered personal data and the privacy rules no longer apply. This is very useful if you want to process big data.
Tip: If you are implementing new high-risk processes, you should definitely carry out a Data Protection Impact Assessment or DPIA.
If you are already very familiar with the personal data rights of individuals, create a document to keep this process on track or to incorporate it in your IT systems. Some things you should bear in mind are:
The GDPR states that you need to determine solutions in advance in the event things go wrong with your data. You should therefore build adequate procedures to quickly detect, investigate and report data breaches (for example to the Privacy Commission). Larger companies and organisational structures should have the appropriate policies in place to manage data breaches. In some cases, the data subjects themselves (whose data have been leaked) will also have to be informed.
If you do not comply with this reporting requirement, an additional penalty may be added on top of the penalty for the data breach.
Consider whether or not you should appoint a DPO. Governments and other agencies routinely observing personal data on a large scale are required to appoint a DPO. This can also be an external advisor.
If you are processing data outside the European Union (e.g. data stored on a server in the US), then you need to check whether that country has the same kind of data protection regulations as the EU. This is only the case for a limited number of countries. You should therefore check your data flows and make sure that everything is contractually in order with all parties involved. It is always advisable to seek the assistance of a specialist.
If you have any questions, comments or suggestions on the GDPR, do not hesitate to contact us.