The General Data Protection Regulation (GDPR) becomes applicable on May 25th, 2018. Signed on April 27th, 2016, this Regulation aims to protect individuals with regard to the processing of their personal data and to allow the free movement of such data.
The Regulation aims to establish a common framework for data processing throughout the European Union, so that data protection and portability are subject to the same rules from one country to another. “Concretely, the GDPR applies to any structure, company, non-profit organisation or public entity, in Europe or elsewhere, that processes personal data - that is to say, any information enabling an individual to be identified - in the European Union,” explains the lawyer Jacquelin d'Oultremont.
What are the obligations?
Some aspects of the GDPR are common sense: personal data, for example, must be processed lawfully and transparently, and collected only for a specified, explicit and legitimate purpose.
“However, you must be careful about certain specificities, such as the consent of the person concerned, which must be voluntary. This means that check-boxes ticked in advance are prohibited on websites,” says attorney-at-law d'Oultremont.
All organisations will have to verify that their processes, contracts and general terms and conditions of sale comply with the GDPR. Among other things, they must be able to honour the right to be forgotten (erasure of personal data on request) and the right to data portability.
Organisations must be able to demonstrate, on request, the effectiveness of the technical and organisational measures in place. They will also have to carry out a Data Protection Impact Assessment (DPIA) before any processing that is likely to pose a high risk to the rights and freedoms of the individuals concerned. In practice, these assessments establish the nature and severity of the risk incurred, so that the measures needed to comply with the GDPR can be determined. Where the assessment shows that a high risk remains despite those measures, the supervisory authority (the Commission for the Protection of Privacy, in Belgium) must be consulted before the processing starts. Even though fines are provided for in case of non-compliance, the objective pursued by the Regulation is clearly more constructive than repressive.
For public authorities, and for organisations whose core activities involve large-scale processing of personal data (in particular regular and systematic monitoring of individuals, or processing of sensitive data), a Data Protection Officer (DPO) is mandatory. The DPO must act independently of the organisation's management and be properly trained. Their mission is to advise and support the organisation on the GDPR, to monitor compliance and to act as the point of contact with the supervisory authorities. Even where it is not mandatory, appointing a DPO is highly recommended, as this person will be central to your compliance effort.
In addition, organisations with 250 or more employees, and smaller ones that process “sensitive” data or whose processing is not merely occasional, will be required to keep a register of their data processing operations. “This threshold of 250 employees has been set to take account of the special situation of associations and small and medium-sized companies.”
How to comply with the GDPR?
You can handle this within your own organisation, since the DPO's independence requirement still allows him or her to be an employee. The appointed person will then be responsible for monitoring compliance, and training courses can help him or her understand the full impact of the GDPR on your organisation.
Another solution is to outsource this role to law firms, freelancers or other organisations familiar with the GDPR, who can guide you through the various stages of compliance.
Information provided by: