Privacy & Data Protection
The General Data Protection Regulation simply explained
Obligation to report data breaches, Privacy Shield, the new privacy regulation or GDPR, lawsuits against Facebook, … Nowadays, companies are flooded with news about privacy and data protection, and the number of privacy-related questions that have come to us has continued to increase since early 2016.
The European General Data Protection Regulation (GDPR) has been in effect since 25 May 2018 and has substantially changed the way in which companies handle (or should handle) personal data.
This affects ALL companies, associations and government bodies. After all, everyone has a customer database, an employee database, an accounting database, a marketing database or a mailing list for newsletters in which “personal data” is kept. In other words, it is not only webshops or online businesses that must take the new rules into account; they apply to everyone.
What is GDPR?
The previous Privacy Act was created in 1992 and stayed in force for 26 years. However, the world had changed since 1992. The Internet, the way we handle data and even our entire economy have changed dramatically.
Online marketing hardly existed in 1992. Big data, profiling, social media, e-commerce, … are all concepts that have arisen in recent years. The old privacy legislation could no longer take these concepts (sufficiently) into account.
New legislation has therefore been a necessity for several years, and it is logical that the European Union should create an appropriate legal framework in the form of the “General Data Protection Regulation”, precisely because of the changed economic and technical world in which we live today.
Objectives of GDPR?
The General Data Protection Regulation is designed to guarantee uniform protection of privacy rights in today’s technological reality. The EU felt this was necessary because of the ongoing globalization, the differences in protection between Member States in Europe and the need to simplify administrative obligations for companies.
When do the new rules apply?
The final text of the GDPR was approved within the EU on 8 April 2016.
The new rules entered into force on 25 May 2018. From that date, your company has to comply with the new rules. There is no transition period and all fines can theoretically be imposed from day one.
To whom does the GDPR apply?
The simple answer: the GDPR applies to just about ALL companies, associations and government bodies in the EU.
The GDPR applies to anyone who processes personal data in an automated or structured way. Personal data is any data you can use to identify someone (e.g. a name, an address or a customer number, but also IP addresses, …).
The GDPR is not IT regulation
Many entrepreneurs have the mistaken impression that the GDPR is an IT issue. Nothing could be further from the truth: GDPR compliance affects your entire company.
What does the GDPR mean for your company
The GDPR significantly extends the obligations for companies and the rights for data subjects. We have summarized the most important new features to take into account in 5 chapters:
1. Perform a Privacy Impact Assessment
The first and foremost task for your company is to carry out a Privacy Impact Assessment within your company.
A Privacy Impact Assessment is a risk audit within your company, mapping out what data you use, where it is located within the organisation, who has access to it and where there are potential risks of loss or theft.
On the basis of this Privacy Impact Assessment you will have to adjust your organisation on an organisational, technical and/or legal level.
2. Provide written contracts with all your suppliers (and/or customers)
The GDPR also has an impact on the services and tools your company uses. Contract partners as well as the software tools or online services you use must be GDPR compliant and must guarantee this in a written contract. This also applies to all kinds of cloud services.
So check all your current agreements, make sure you have contracts where they do not yet exist and make the necessary changes to existing contracts.
3. Obligation to report data breaches
The GDPR includes a mandatory reporting requirement for data leaks. A data breach is not just a hacking of your database! Any incident that could have an impact on the security of your data, such as the theft of a laptop or the loss of a USB stick, may have to be reported to the government (or in some cases even directly to the people involved!) within 72 hours. Anyone who reports breaches late may be liable for the damages incurred.
You must therefore implement appropriate procedures within your company to detect and report data leaks as soon as possible.
4. Stricter rules on data collection
You have to take a whole new set of rules into account about the way you collect and process data. These new rules concern the way in which you obtain the consent of the person concerned, the way in which you treat minors, profile building (for marketing or other purposes), the rights of the person concerned to oppose the processing of their data or to access their data, data portability, …
In addition, a whole series of principles is introduced that limits the way in which personal data may be used. For example, each use must be limited in time; data may only be used for the specific purposes that were communicated to the user when the data was collected; and only the information that is strictly necessary may be collected.
All this is complemented by general principles such as privacy by design and privacy by default, which require that every website, every app, every piece of software that is written, is always based on the maximum protection of the persons whose data will be processed with it.
This means that a thorough investigation of your database(s) is required to ensure compliance with the new rules.
5. Data Protection Officer
The Data Protection Officer is the person within the company responsible for ensuring compliance with privacy legislation. The DPO gives advice on new software, the use of databases, etc. and is also the contact person for the government in the event of a data breach.
Not every company is obliged to appoint a DPO. You need a DPO in the following cases:
- Your company or organization is a government agency.
- The processing of personal data is your main activity, or you process personal data on a large scale.
- You process special categories of sensitive data, such as race, political affiliation, religion or medical data.
In many cases it is useful for (larger) companies that fall outside these categories to appoint a DPO anyway. The DPO may be an external service provider, and in most cases it is even advisable to engage someone externally, both for reasons of independence of the person in question and for liability reasons.
How to prepare your company for the GDPR
You have by now understood that the GDPR has a major impact on the operations of your company.
- First and foremost, a Privacy Impact Assessment must be carried out, together with an action plan to eliminate the pain points from this PIA.
- Based on the results of that PIA, adjustments are required in current contracts, privacy policies, employment contracts, internal company policies, insurance policies, …
- Based on the same Privacy Impact Assessment, structural adjustments may be needed within your teams (restricting access to data, introducing security procedures, policies for using your own devices, …). In addition, many IT adjustments may be required.
- A data breach procedure adapted to the new rules must be put in place.
- Your company will have to keep a record of its data processing activities.
Sirius Legal naturally assists its clients in this. Together with some experienced IT partners and BA partners, we offer tailor-made compliance processes for small, medium-sized and large companies.
Compliance audit packages
All companies are different. That is why at Sirius Legal we have compliance services tailored to your company, ranging from a simple self-service toolbox for small entrepreneurs to an extensive in-house audit for larger organisations.
Training and workshops
A compliance process only has a real chance of success if all stakeholders within the company cooperate fully. In order to achieve this, everyone within the company must be aware of the exercise that is about to take place. To ensure this, we provide many of our clients with in-house training tailored to their needs.
Data Protection Officer services
Sirius Legal provides DPO services for small and medium-sized enterprises.
We offer you tailored professional assistance by experienced and trained lawyers with experience in IT and data protection.
We are happy to look at your company’s needs on an individual basis and work out a tailor-made offer accordingly. Our DPO services are offered in the form of long-term partnerships based on the availability of a set number of hours per week or month. We can work within your company or remotely, depending on your needs.
Our team of lawyers is happy to answer all your questions about GDPR and privacy.
Use the contact form below or call us on +32 2 721 13 00