Every company will know by now that the new European privacy rules take effect on 25 May 2018. The General Data Protection Regulation, or "GDPR" for short, thoroughly changes the rules regarding the processing of personal data. Eubelius has also been working hard over the past two years to prepare its customers for the GDPR.
Many companies are still busy preparing and will not (fully) meet the deadline of 25 May. The Belgian Data Protection Authority (formerly the Privacy Commission) has already emphasised that each company should at least have a clear plan by that date to ensure its compliance with the GDPR, and will need to follow up on those efforts after that date. After all, the protection of personal data will remain a permanent point of attention from 25 May onwards.
Eubelius has identified five GDPR obligations which each company needs to have implemented before 25 May 2018:
1. Register of processing activities
Each data controller or processor must keep a record of its processing activities in a register. The Data Protection Authority can always request access to this register. You are therefore best advised to have a draft version of this register available by 25 May.
2. Consent
There are various legal grounds for processing personal data, including consent. For some kinds of processing (e.g. direct marketing), consent will often be the only available legal ground. The GDPR imposes stricter conditions on the granting of consent: from now on, consent must be given unambiguously, e.g. by ticking a permission box or by another explicit action. Implicit consent is therefore definitely a thing of the past. You must also be able to prove that a person has given consent, and you must therefore keep an accurate record of that consent.
3. Privacy policies
Every time your company processes personal data of natural persons (e.g. when customers and prospects subscribe to newsletters, when you process employee data, etc.), the GDPR imposes an extensive information obligation. The ideal way of complying with this obligation is via a sound privacy statement on your website, a staff policy, etc.
4. Processing agreements
You need to conclude an agreement with service providers who process personal data on your company's behalf; this agreement must include a number of mandatory clauses. Determining those service providers, and assessing whether all the agreements contain the correct clauses, is an important and extensive task.
5. Point of contact for data protection
The GDPR has led to the creation of a new position: the data protection officer. However, not every company is obliged to appoint such an officer. Still, it is appropriate to have a point of contact within the company as of 25 May 2018 to respond to any questions or requests regarding the processing of personal data.
Please feel free to contact Pieter Callens or Anneleen Van de Meulebroucke if you have any further questions or would like to receive advice on the GDPR.