Beltug

GDPR compliance: where do we stand? Takeaways from the N-Sight 14/06/2017


With less than a year to go, many companies are well on their way in their GDPR data protection projects, but there are still many hurdles and uncertainties to overcome.

In this session, we took on the optimisation of breach notification processes with SecureLink, while Veritas Technologies shared its internal GDPR project. The Privacy Commission outlined its guidelines, and our members received an update on Beltug’s efforts to help companies with the IT implementation aspects. Plenty of active discussion was sparked, with lots of questions being raised!


Presentations from the event are available exclusively for Beltug members (after login).

First, Simen Van der Perre, Business Developer GDPR at SecureLink, gave a quick overview of the 6 core principles of the GDPR. The GDPR is a legal matter, he stated, yet it has a major impact on IT, especially when it comes to building a data inventory and then working through it.

Simen linked Privacy by Design to SecureLink's end-to-end security model (see slides 17 and 18). With the GDPR, he said, you have to focus on data security, but also on the other layers: network security, host security and application security. His analogy: having a safe in your house is no reason to leave the front door open.


Citing Gartner's 5 levels of a company's security maturity (slide 20), Simen described how SecureLink has translated the model to focus on people, processes and technology, and builds the steps based on the maturity of each of these layers within a company. You aren't required to reach the expert level, but you must have good control over your people, processes and technology.


Don't forget to assess your GDPR readiness and think about your data inventory, using both bottom-up and top-down processes, he emphasised (slide 25 has more detail). Only then can you do a meaningful risk analysis and create an action plan. For each data set, ask: "Where is the data?", "What is its purpose?", "Who can access it?", "What impact would its loss have?", "What controls are in place?", and so on.


Next on the agenda was Tamzin Evershed, Legal Director, Global Affairs at Veritas Technologies UK. You can't achieve GDPR compliance alone, she emphasised from the start; it's all about sharing the effort (with marketing, legal, IT, etc.). The GDPR forces you to manage your own data, and that's a good thing: you don't want to pay for storage you're not using, and you want results from the data you collect.


Tamzin also warned that the road to compliance will take longer than you ever expected. You first have to convince people of the need, to make them aware and to secure the proper resources. Some things to keep in mind:

Slide 6 gives a handy overview of where to start. On slide 7, she lists questions to ask in order to build Privacy by Design into your solutions. For example, when dealing with the 'right to be forgotten' for employees, keep in mind the difference between archives and backups: archive the data you will want to refer to again, and keep backups only for as long as you actually need them.


Caroline De Geest, Spokesperson for the Belgian Privacy Commission, explained what the Privacy Commission is doing and how the regulator can help companies become compliant. While the GDPR might create the (false) impression that data protection requirements are new, companies that comply with the existing laws should already have a privacy policy in place. The Privacy Commission therefore expects that, for them, the impact of the GDPR could be limited.

The new regulation was adopted because the existing laws and directives are not enough to give individuals a sense of control over their data in today's digital world. It also gives the data protection authorities the power to sanction, via fines and other measures.


Caroline first went over a few major points of attention in the EU regulation. She started by highlighting that most of the rights of data subjects already exist under the current directive (Directive 95/46/EC). What is new is the right to data portability, i.e. the right to receive your personal data in a structured, commonly used, machine-readable format and to transfer it to another controller.

On the other side are the obligations and the accountability of the data processor and the data controller. The Privacy Commission provides guidance on how to comply with the GDPR: have a look at the 13-step plan it published (in Dutch and French). The Article 29 Working Party (WP29, the assembly of the EU data protection authorities) is also publishing guidelines, and more are expected by December 2017.

In Belgium, it is important to wait for these clarifications, as our Privacy Commission doesn't want to undermine the harmonisation efforts. It does, however, address some Belgium-specific topics on its website, including the Data Protection Impact Assessment, the Data Register (the record of processing activities) and the Data Protection Officer.


Caroline recommended following the Privacy Commission on Twitter (@CBPL_CPVP), where it regularly shares updates.

She also described the current and future roles of the Privacy Commission. Today it is mainly an advisory body with few enforcement tools. Because of the GDPR, it will be reformed, with a new structure to answer concerns and preserve its neutral role (slide 9). Once reformed, the Privacy Commission will be able to impose fines. But it does not intend to use these to 'punish' small companies that unwittingly miss something: mediation is considered the more appropriate response there.


A main takeaway from Caroline's talk: document everything! For example, if you decide you don't need a DPO, document your reasoning, so you can demonstrate your intentions and your desire to comply.


Finally, Danielle Jacobs, General Manager at Beltug, and Jean-Pierre Bernaerts, CIO at Indaver, presented the tools we offer our Beltug members, with Jean-Pierre specifically explaining the GDPR Vendor Assessment list we are preparing. Other tools include: