The countdown has begun. On 25 May 2018, the European General Data Protection Regulation (“GDPR”) will become applicable.
The GDPR entails new obligations with regard to the collection and processing of personal data, but above all, the major change under the GDPR is the competence of the Belgian Data Protection Authority to impose heavy financial sanctions.
How can companies become completely “GDPR proof”? To this end, the following road map can be used:
- Step 1: Map the personal data collected and processed
Firstly, it is important that companies form a clear picture of all the data processing that takes place in their organization (databases of employees, of customers, emails, etc.). All these processes must be mapped. The legal basis of the processing must be identified, as well as the objectives of the collection, the period of preservation, the categories of processed data, the transfer of those data to third countries, etc.
- Step 2: Secure the collected and processed personal data
On the basis of the identified and mapped data, the lifecycle of the data must be organized and secured. Employees and contractors have to become aware of the importance of the collection of personal data and of keeping those data secure.
- Step 3: Draft the necessary documents, adapt the agreements and the internal and external policies
Taking into account the new regulation, agreements and policies must be adapted. These might include the privacy notice, agreements with processors, standard contractual clauses for the transfer of data to third countries, the new register for processing, an ICT policy, a procedure in case of data being lost (data breach), etc.
If you have not yet started with this, do note that time is pressing. Our team is ready to assist you through these steps.
Guilmot & Bassine