The GDPR: only one more year to go!

The countdown has really begun! On 25 May 2018, the European General Data Protection Regulation, better known by its abbreviation “GDPR”, will become applicable. The GDPR was adopted on 27 April 2016, published in the Official Journal on 4 May 2016 and entered into force twenty days later, on 24 May 2016. However, Member States and undertakings have been granted a two-year transitional period to comply with the new provisions.

The reason for this is clear: the GDPR entails a plethora of new obligations. Moreover, most European – and that includes Belgian – undertakings today are not yet compliant even with the existing legislation on the processing of personal data, because of a lack of monitoring and the absence of sanctions. This will change under the GDPR. As is customary at EU level, the new rules come with enforcement powers: the GDPR provides for hefty administrative fines of up to EUR 20 million or 4% of the undertaking's total worldwide annual turnover, whichever is higher, and the Belgian Privacy Commission would be competent to impose such fines.

How can undertakings become completely “GDPR proof”? To this end, the following road map can be used:

Step 1: Map it!

Firstly, it is important that undertakings form a clear picture of all the data processing that takes place in their organisation, by country and by department (e.g., Sales or Marketing). All these processing operations must be thoroughly mapped. This can be done by means of a detailed questionnaire that gathers information about, among other things, the purposes of the processing, the retention period, the categories of data processed, whether those data are transferred to third countries and how the data are protected.

Before you can start this phase, it is best to appoint one or more persons responsible for the project. Answering these questions will require teamwork and good follow-up. Ideally, such a team should be composed of people from your Legal, HR and IT departments.

Step 2: Draw up an audit report!

On the basis of the answers given, a summary report can be drafted from which the undertaking can immediately identify which areas are under control and which issues still need to be tackled.

Step 3: Draft the necessary documents and policies!

On the basis of the information in the report, the required documents and policies can be drafted. These might include the privacy notice (with or without a consent form), agreements with processors, standard contractual clauses for the transfer of data to third countries, the new record of processing activities, an ICT policy, a camera policy, a whistle-blower policy and a procedure to follow when personal data are lost or compromised (a data breach procedure).

Step 4: Ready to implement!

Finally, the project must be rolled out across the entire undertaking. Training will be crucial, tailored to the activities of the undertaking.

If you have not yet started, do note that time is pressing, given that each of the four steps is quite time-consuming.

We wish you good luck with this. The Claeys & Engels data protection team is always ready to assist you with this, together with our European colleagues of Ius Laboris.