On May 4, 2016, the EU General Data Protection Regulation was published in the Official Journal of the European Union and will enter into force on May 25, 2018. The GDPR will replace the Data Protection Directive from 1995 and aims at protecting the EU citizen’s personal data in the current digital world, whilst harmonizing the legislation for the processing of personal data across the entire EU. This will have a large impact on the private ànd public sector in terms of the handling of personal data.

Let’s take a closer look at a number of high impact changes and new obligations of the GDPR:

One of the most impactful new additions – for data processors - is the responsibility that falls both upon the data controller and the data processor: the implementation of organizational and technical measures in order to protect the processed personal data. 

Under the Directive of 1995, this was entirely the responsibility of the data controller, but now the data processor will also need to implement safeguards in order to be compliant with the GDPR.

Things to think about:

• Data processors will need to assess whether the existing measures are sufficient in terms of the purpose and extent of processing, the amount of data collected, the period of data storage, and the accessibility of the data. (Privacy by Default)
• A processing agreement will remain the basis for establishing the purpose and extent of the data processing activities between the data controller and processor, where the explicit identification of security measures is possible (and desirable).
  

Data breaches should be reported to the supervisory authority (in Belgium this is the Commission for the Protection of Privacy, CPP) within 72 hours after becoming aware of the breach. 

Reporting on personal data breaches will depend on a number of things:

1. Does the organization know where all its personal data is located? Where the organization is vulnerable to a breach of personal data?
2. Does the organization have the capabilities of detecting when a breach has occurred? Do you know if you have been breached?
   
3. Do you have the necessary processes and procedures in place to swiftly respond to the data breach? How much time does it take to deal with such a breach? Will 72 hours be enough?
   

Things to think about:

• Responding to data breaches will require a well thought-through flow of actions from a range of different people. Reporting will be one of those actions. Defining the actions and testing (dry-run) them in advance will only improve the response time once confronted with an actual data breach.
  
• Data breaches, no matter which size or impact, will need to be logged and documented in order to retroactively demonstrate compliance to the GDPR.

The published text states that each data controller or processor who processes personal data “at large scale”, regardless whether the personal data is sensitive or not, needs to appoint a Data Protection Officer (DPO).

This role can be filled in by an internal employee or an external contractor as long as the individual is appointed based on their professional qualities and expert knowledge of the data protection legislation and practices. How this expert knowledge should be interpreted is not yet clearly defined.

Things to think about:

• The DPO will fill an independent position with a lot of (possible) influence on the business. It’s important that assigning this position is not taken lightly. The DPO should understand the company’s business as well as have expert knowledge on the data privacy requirements and regulations, in order to provide adequate advise to the organization and correctly represent the company 

With the adoption of the GDPR, administrative fines can be imposed for non-compliance with the regulation. 

• Non-compliance with the obligations as a data controller or a data processor could result in a fine of up to 10M EUR or 2% of the annual global turnover (whichever is higher). 
  
• Non-compliance with the basic principles for processing, the data subject’s (client) rights or the approved data transfer mechanisms, could result in a fine of up to 20M EUR or 4% of annual global turnover (whichever is higher).
  

Things to think about:

• Fines will be imposed in case of non-compliance. Therefore it is important to focus on bringing your organization into compliance with the regulation first.  Second, make sure your organization can prove its compliance through the necessary records (e.g. Privacy Impact Assessments, data breach records, consent, etc.). Belgian companies will have a 2 year timeframe to become compliant with the new regulation by pushing through operational and organizational reforms where necessary.