Tips to make your organisation GDPR-proof before this regulation comes into force: Part 2

In the previous part we gave you the first 5 tips to make your organisation GDPR-proof before this regulation comes into force. Here are the last 5.

Tip 6: Check whether you process data or have it processed outside the EU!

If you process data or have it processed outside the EU (e.g. if you use a backup server in the US) a number of extra obligations apply.
    
Within the EU there is free movement of personal data because every member state guarantees the same rights for data subjects. For transfers to non-EU countries this only applies if an appropriate level of protection can be guaranteed: there must be safeguards that give the data subject essentially the same rights as they would have if the processing took place within the EU.

Therefore, find out whether you transfer data to companies outside the EU. Transfer can be direct, e.g. your company's headquarters is located outside the EU and all data of the subsidiaries is automatically sent there, or indirect, e.g. you use a cloud provider and did not choose a storage region, which means your data may well be stored somewhere outside the EU.

Do you actually transfer data outside the EU? If so, you need to find out whether the destination offers sufficient guarantees for the data subject's privacy. If it does not, appropriate agreements need to be reached with the company in question before any transfer of data can take place.

More details about the specific procedures and the ways in which these guarantees must be provided are available on the website of the Privacy Commission.
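The "indirect transfer" case above is the one most organisations miss: a cloud bucket that was created without choosing a region. The following is an added example, not code from the article or from DNS Belgium, showing how to turn a storage inventory into a list of buckets that sit outside the EU. It assumes an AWS S3-style inventory; the sample inventory is constructed, and the raw location values mimic what boto3's `get_bucket_location` returns, including its two documented quirks (`None` for us-east-1 and the legacy literal `"EU"` for Ireland). The EU region allowlist is illustrative and must be checked against your provider's current region map; note that a region name starting with `eu-` is not proof of EU jurisdiction, since eu-west-2 (London) and eu-central-2 (Zurich) are outside the EU.

```python
"""Flag cloud storage locations outside the EU (added example, not from the article).

Assumed inventory shape: {bucket_name: raw LocationConstraint}, as you would get
from boto3's s3.list_buckets() followed by
s3.get_bucket_location(Bucket=name)["LocationConstraint"].
"""
from typing import Dict, List, Optional, Tuple

# Illustrative allowlist of AWS regions whose data centres are inside the EU
# (assumption: verify against the provider's current region list before relying on it).
# Deliberately an explicit set rather than an "eu-" prefix check, because
# eu-west-2 (London) and eu-central-2 (Zurich) are NOT in the EU.
EU_REGIONS = {
    "eu-west-1",     # Ireland
    "eu-west-3",     # Paris
    "eu-central-1",  # Frankfurt
    "eu-north-1",    # Stockholm
    "eu-south-1",    # Milan
    "eu-south-2",    # Spain
}


def normalize_location(constraint: Optional[str]) -> str:
    """Turn a raw S3 LocationConstraint into a plain region name.

    S3 returns None (or an empty string) for buckets in us-east-1 and the
    legacy value "EU" for old buckets in eu-west-1; both must be normalised
    or the check below silently misclassifies them.
    """
    if not constraint:
        return "us-east-1"
    if constraint == "EU":
        return "eu-west-1"
    return constraint


def is_eu_region(region: str) -> bool:
    """True only for regions on the explicit EU allowlist."""
    return region in EU_REGIONS


def find_non_eu_buckets(inventory: Dict[str, Optional[str]]) -> List[Tuple[str, str]]:
    """Return (bucket, region) pairs stored outside the EU, sorted by bucket name."""
    offenders = []
    for bucket, raw in inventory.items():
        region = normalize_location(raw)
        if not is_eu_region(region):
            offenders.append((bucket, region))
    return sorted(offenders)


# Constructed sample inventory: bucket name -> raw LocationConstraint.
SAMPLE_INVENTORY: Dict[str, Optional[str]] = {
    "crm-backups": None,             # created without a region choice -> us-east-1
    "invoices-archive": "EU",        # legacy Ireland bucket, inside the EU
    "hr-records": "eu-central-1",    # Frankfurt, inside the EU
    "marketing-exports": "eu-west-2",  # London: "eu-" prefix but outside the EU
    "web-logs": "ap-southeast-1",    # Singapore
}

if __name__ == "__main__":
    for bucket, region in find_non_eu_buckets(SAMPLE_INVENTORY):
        print(f"{bucket}: stored in {region}, outside the EU; transfer safeguards needed")
```

Run against a real account by replacing `SAMPLE_INVENTORY` with a dict built from the boto3 calls named above; every bucket the function reports is a candidate for the "appropriate agreements" discussed in this tip, or for moving the data into an EU region.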

Tip 7: Get to work on "privacy by design" and "privacy by default"!

"Privacy by design" and "privacy by default" are undoubtedly the GDPR's most eye-catching buzzwords. But what do they actually mean?

Privacy by design

"Privacy by design" means that the protection of personal data is considered from the development phase of new products and services onwards, so that it is built in as well as possible rather than added afterwards. The basic principle here has to be data minimisation.

During development you need to ask the following questions: do I really need these personal data for my product or service? If so, how can I protect the data as adequately as possible? Can I increase the protection by processing the personal data only for a limited period?

Privacy by default

"Privacy by default" is part of "privacy by design". The default settings of a product or service must always be those that offer the most protection for the privacy of the data subjects.

Example

This is best illustrated with the settings of a profile on a social network. The default may never be that the data are public. On the contrary, the defaults must be set so that the profile is protected as well as possible. Only if the data subject unambiguously agrees can the profile be made public.

Implementation

How do you implement this in your company? Just as with the general privacy policy, everything depends on how aware your employees are of these concepts.
 
Try to list a number of rules of thumb and present them in a diagram or flow chart. Make sure this is available in every department responsible for the development of new products, services and/or internal procedures in which personal data are processed.

If the development of products and services follows a project management process, privacy by design/default can also be incorporated in the project flow. In the same way that you check whether a project is financially feasible, does not run into legal obstacles and is not at odds with the health and safety policy, you can make a privacy evaluation at the start of every project.

Tip 8: Check your agreements with suppliers!

Undoubtedly you work with a number of regular suppliers and subcontractors whose services you use. It is important to find out to what extent personal data is processed in this co-operation. Do you act as data controller and is the supplier a processor? If so, you need to conclude a so-called processing agreement with this supplier.

Bigger companies can't really afford not to comply with the GDPR obligations and will probably take the necessary measures themselves. If you work with smaller suppliers or subcontractors the risks are greater. In that case it is best to take the initiative yourself.

If you need a processing agreement model form, check the new addendum of your registrar agreement with DNS Belgium.

Tip 9: Prepare for a data leak!

First the bad news. The chance that you will be confronted with a data leak in your company is much greater than the chance that this will never happen. If a data leak is the result of too lax an attitude or careless handling of personal data, the consequences can be pretty bad.

Unlike individual complaints from data subjects, a leak often involves the involuntary exposure of a large number of personal data at once. The damage for the data subjects is therefore much greater too. The DPAs are expected to be very alert to this.

Therefore, make sure an "emergency plan" for data leaks is in place. This plan is both preventive and curative, and its purpose is that your employees know what to do in the event of a data leak.

Unlike the privacy by design/default rules, the rules regarding data leaks apply not only to the data controller but also to the processor: a processor that becomes aware of a breach must notify the controller without undue delay, so that the controller can meet its own notification deadline.

Companies that pay sufficient attention to the concepts of privacy by design/default will automatically already pursue a preventive policy relating to data leaks. In addition, it is important to know what to do when an incident occurs.

Also take into account that the concept of a data leak is defined very broadly. Sending an e-mail to the wrong recipient or losing a USB stick with personal data is already enough to speak of a data leak.

What should you do in the event of a data leak?

Fortunately, you don't need to take a whole series of measures for every incident. Every breach must be documented internally (what happened, its effects and what you did about it), but the notification steps below only apply when the breach is likely to result in a risk for the rights and freedoms of natural persons, and the notification to the data subjects themselves only when that risk is high.

This pattern comprises the following:

  • Notification to the Privacy Commission within 72 hours after you became aware of the data leak, whenever there is a risk for the natural persons in question.
  • Notification to the data subjects, without undue delay, when there is a high risk for their privacy rights and freedoms.

The notification must contain at least:

  • A description of the nature of the breach, including the categories and approximate numbers of data subjects and of personal data records concerned.
  • Contact details of the data controller (e.g. details of the DPO).
  • The consequences or expected consequences of the data leak.
  • The measures taken or proposed to avoid new breaches and/or to limit the consequences of the breach.

Tip 10: Take into account the rights of the data subjects!

The natural persons whose data you collect have a number of fundamental rights which they are able to invoke more easily in the context of the GDPR than before.

Many of these rights already exist under the current legislation but until recently received little attention in practice. The GDPR will tip this balance firmly in favour of the data subject whose data are processed.

Or to put it succinctly: the data you collect do not become "your" property but always stay under the control of the data subject. He/she determines whether you are still allowed to use the data, has a right of access and rectification, can ask you to delete the data, etc.

Make sure you are prepared to respond to specific requests from the people whose data you process. The chance that your national DPA will launch an investigation into your processing operations on its own initiative is very slim. Such an investigation is far more likely to be the result of a specific complaint to the DPA by someone whose data you are processing. Imagine that someone asks you to provide the data you hold about them and you neglect to comply with this request. Chances are that this person will not accept it and reports this to your national DPA, which can then launch an investigation.

What are the fundamental rights you need to take into account?

The main rights are the following:

  • Right of access: the data subject may always ask you which of his/her data you have processed, for which purposes, how long the data will be kept, to whom the data will be sent, etc.
  • Right to rectification: the data subject may always ask you to rectify incomplete or incorrect data.
  • Right to erasure ("right to be forgotten"): the data subject may ask you to delete his/her data if they are no longer necessary for the purposes of the processing. This also applies when the data subject withdraws his/her consent for the processing or when the data were unlawfully obtained.
  • Right to data portability: under certain circumstances the data subject is entitled to obtain his/her personal data in a structured, commonly used and machine-readable format that allows them to be transferred to another data controller.
  • Right to object (opt out): the data subject can object to the use of his/her data for certain purposes; an objection to direct marketing must always be honoured.

The data subject can invoke these rights against the data controller but not against the data processor, although the processor has to assist the controller in responding to such requests, which is one more reason to cover this in the processing agreement. For more information about the distinction between controller and processor I gladly refer to the previous article in this series.