GDPR is now effective

Patrick Soenen
On 25 May 2018 the new European General Data Protection Regulation (GDPR), governing the protection of personal data, became applicable.

We would like to draw your attention to 10 major aspects of the new regulation:

  • Do you have a legal basis for every processing activity involving personal data? There is no issue when personal data is collected to perform a contract (e.g. as a service provider), when it is required to meet a legal obligation (e.g. anti-money laundering) or to protect the vital interests of the data subject (e.g. a medical intervention). For marketing activities, however, even towards your existing customers, you will generally need to obtain their consent. You must be able to demonstrate that consent was given, and it must be given freely, specifically, in an informed and unambiguous manner, by means of a statement or a clear affirmative action.
  • Ensure that data subjects can exercise their rights. A data subject must be able to access the personal data you hold about them, free of charge, in an easy way and within one month of the request. They have the right to be forgotten, unless a legal obligation requires you to keep the personal data. Data subjects may object to profiling for marketing purposes. Personal data may not be kept longer than needed for the purpose of the processing and must be removed afterwards.
  • Ensure that the processing activities are described in an internal register. This document contains a description of the personal data, the related processing activities and the purpose of the processing.
  • If you are a public authority, if your core activities involve regular and systematic monitoring of data subjects on a large scale, or if you process sensitive data (such as health-related information) on a large scale, you are obliged to appoint a DPO (Data Protection Officer).
  • Are you protecting personal data adequately? An information security policy containing appropriate protection measures should be developed, deployed and communicated. Ensure that data is exchanged securely with your external parties.
  • Where the processing is likely to result in a high risk for data subjects, a data protection impact assessment should be performed, in which the risks are evaluated and appropriate mitigation measures are defined.
  • When a data breach occurs that compromises personal data, the Data Protection Authority must be notified within 72 hours of becoming aware of it, and, where the breach is likely to result in a high risk for the data subjects, the affected persons must be informed without undue delay.
  • Your website and all documents used to collect personal data should state the purpose of the processing, the data retention periods, the contact details of the DPO and the recipients of the information (i.e. the third parties receiving or having access to the personal data).
  • The contractual agreements with all third parties processing personal data on your behalf should contain GDPR-compliant clauses covering your instructions, any subcontracting, the confidentiality of the processing and the measures to be taken when the contract ends (return or deletion of the data).
  • Personal data transferred outside the European Economic Area should be covered by appropriate safeguards, such as Binding Corporate Rules or Standard Contractual Clauses.

We can support you through the following activities:

  • Organisation of GDPR awareness sessions for management and staff;
  • Execution of an impact analysis to map the risks and formulate recommendations;
  • Drawing up a GDPR roadmap;
  • Coaching and support of the GDPR project;
  • DPO as a Service;
  • Establishment of the internal register of personal data processing activities;
  • Implementation of GDPR processes (data subject rights, data breach notification, etc.).

We remain at your disposal for any additional request or question.