The General Data Protection Regulation simply explained
Data breach notification obligations, Privacy Shield, the General Data Protection Regulation, legal cases against Facebook, … Companies are flooded nowadays with news about privacy and data protection, and the number of privacy-related questions that reach us has been rising constantly since early 2016.
The European General Data Protection Regulation (GDPR) has been in effect since 25 May 2018 and has substantially changed the way in which companies handle (or should handle) “personal data”.
This affects ALL companies, associations and government agencies. After all, everyone has a customer database, a marketing database or a mailing list for newsletters in which “personal data” is kept. In other words, it is not only web shops or online businesses that must take the new rules into account: they apply to everyone.
What is GDPR?
The current Privacy Law dates from 1992 and is now 27 years old. The world, however, has changed since then, and so have the internet, the way we deal with data, and the entire economy and society in which we live.
There was little or no online marketing in 1992. Big data, profiling, social media, e-commerce, … are all concepts that have arisen in recent years and which the old privacy legislation could not, or could only insufficiently, take into account.
New legislation has therefore been urgently needed for several years, and it is logical that the European Union created an appropriate legal framework in the form of the “General Data Protection Regulation”, precisely because of the changed economic and technical world in which we live today.
Objectives of GDPR?
The new General Data Protection Regulation is intended to guarantee uniform protection of privacy rights in the current technological reality. The EU felt this was necessary because of continuing globalization, the differences in protection between member states in Europe, and the need to simplify administrative obligations for companies.
When do the new rules apply?
The final text of the GDPR was approved within the EU on 8 April 2016.
The new rules entered into force on 25 May 2018. From that date, every company or organisation must be “GDPR compliant”.
To whom does the GDPR apply?
The simple answer: the GDPR applies to almost ALL companies, associations and government bodies in the EU.
The GDPR applies to anyone who processes personal data in an automated or structured way. Personal data is any data that makes it possible to identify someone (e.g. a name, address or customer number, but also IP addresses, online identifiers, …).
The GDPR is not IT regulation
Many entrepreneurs have the mistaken impression that the GDPR is an IT issue. Nothing could be further from the truth. GDPR compliance affects your entire company.
What does the GDPR mean for your company
The GDPR considerably expands the obligations for companies and the rights for data subjects. We have summarized the main novelties that you should take into account in 5 chapters:
1. Privacy Impact Assessment
The first and most important task for companies is to perform a Privacy Impact Assessment within the company. A Privacy Impact Assessment is in fact a risk audit of your company: it maps which data you use, where that data is located within the organization, who has access to it, and where there are potential risks of loss or theft. Based on this Privacy Impact Assessment you will have to adjust your organization at an organizational, technical and/or legal level.
2. Data processing agreements with all suppliers (and/or customers)
The GDPR will also have an impact on the services and tools that your company uses in the future. Both contract partners and the software tools or online services that you work with must be GDPR compliant and must guarantee this in a written contract. This also applies to all kinds of cloud solutions. So check all your current agreements, put contracts in place where they do not yet exist, and make the necessary adjustments to existing contracts.
3. Data breach notification obligation
The GDPR introduces a mandatory reporting obligation for data breaches. A data breach is not just a hack of your database. Any incident that may have an impact on the security of your data, such as a stolen laptop or the loss of a USB stick, must potentially be reported to the government (and in some cases even directly to the people involved!) within 72 hours. Anyone who reports a breach too late may be liable for the damage incurred.
You must therefore implement appropriate procedures within your company to detect and report data breaches as quickly as possible.
4. Stricter rules regarding data collection
You have to take into account a whole series of new rules concerning the way in which you collect and process data. These new rules concern the way in which you obtain the consent of the data subject, the way in which you deal with minors, the building of profiles (for marketing or other purposes), the rights of data subjects to object to the processing of their data or to gain access to it, data portability, …
Moreover, a whole series of principles is introduced that limit the way in which personal data may be used. For example, each use must be limited in time, data may only be used for the specific purposes that were communicated to the user when the data was collected, and only the information that is strictly necessary may be collected.
All of this is supplemented by general principles such as privacy by design and privacy by default, which require that every website, every app and every piece of software that is written is always based on the maximum protection of the persons whose data will be processed with it.
This means that a thorough investigation of your database is necessary to ensure that it complies with the new rules.
5. Data Protection Officer
The Data Protection Officer (DPO) is a person within the company who is responsible for supervising compliance with privacy legislation. He or she will advise on new software, the use of databases, etc., and will also be the contact person for the government, for example in case of data breaches.
Not every company is obliged to appoint a DPO. You need a DPO in the following cases:
- Your company or organization is a government agency;
- Your main activity is the processing of personal data, or you process personal data on a large scale;
- You process special categories of sensitive data such as race, political preference, religion or medical data.
In many cases it is useful for (larger) companies that fall outside these categories to nevertheless appoint a DPO. The DPO can also be an external service provider, and in most cases it is even recommended to hire someone externally, both to guarantee the independence of the person in question and for liability reasons.
How to prepare your company for the GDPR
You have by now understood that the GDPR has a major impact on the operations of your company.
First and foremost, a Privacy Impact Assessment (PIA) must be carried out, together with an action plan to eliminate the pain points identified by the PIA.
Based on the results of that PIA, adjustments are required to current contracts, privacy policies, employment contracts, internal company policies, insurance policies, …
Based on the same Privacy Impact Assessment, structural adjustments may be needed within your teams (restricting access to data, introducing security procedures, policies for the use of personal devices, …).
In addition, many IT adjustments may be required.
An updated data breach procedure must be put in place.
Your company will have to keep a register of data processing activities.
Sirius Legal naturally assists its clients in this. Together with some experienced IT partners and BA partners, we offer tailor-made compliance processes for small, medium-sized and large companies.
Compliance audit packages
All companies are different. That is why at Sirius Legal we have compliance services tailored to your company, ranging from a simple toolbox that can be used by small entrepreneurs to an extensive in-house audit for large organizations.
Education and training
A compliance process only has a real chance of success if all stakeholders within the company fully cooperate. To achieve this, everyone within the company must be aware of the GDPR exercise you are undertaking. To ensure this, we provide in-house training tailored to the needs of your company.
Data Protection Officer services
Sirius Legal also provides DPO services for small and medium-sized companies.
We offer you tailor-made professional assistance by experienced and trained lawyers with experience in IT and data protection.
We are happy to look at the needs of your company on an individual basis and work out a customized offer. Our DPO services are offered in the form of long-term collaborations based on the availability of a number of hours per week or month, within your company or remotely, depending on your needs.
Our team of lawyers is happy to answer all your questions about GDPR and privacy.
Use the contact form below or call us on +32 2 721 13 00