Packed with information and vibrant with questions, our mid-September X-change on "GDPR and IT – Your first steps towards compliance" was definitely dynamic!
Co-operation with the Privacy Commission
We were very honoured to welcome Willem Debeuckalaere, president of the Privacy Commission, as a special guest. On 22 September, we met with the Privacy Commission to go over issues and concerns we received from our members regarding the GDPR IT implementation. They are open to working on our questions.
At our X-change, Willem and his colleague Joëlle Jouret, Legal Adviser, underlined that the Privacy Commission is eager to work with companies to solve current ambiguities in the regulation. They presented the document “Prepare yourself in 13 steps” (available in French and Dutch), which can also be found on the Commission’s website (also in Dutch and French).
Privacy by design
Peter Van Dyck, Senior Associate at Allen & Overy, was our expert in the room at the X-change, providing his insight on the most significant points of interest in the GDPR. These included 'privacy by design', which requires new services or business processes that make use of personal data to take the protection of that data into consideration. It's a concept that will require a fundamental shift for many companies, and goes hand-in-hand with 'privacy by default'. Peter’s tip: involve your privacy advisors right from the start in the product development process.
Peter also pointed out several unclear points in the GDPR. For example, one condition that requires you to appoint a DPO (data protection officer) within your company is if your company’s "core activities consist of processing on a large scale special categories of data (sensitive personal data)". But it is not always clear what this means in practice. So what should you take away, according to Peter? Don't look at the GDPR as an IT project! Awareness about it should become part of your company’s DNA.
Users' views from Indaver
In his presentation, Jean-Pierre Bernaerts, CIO at Indaver, highlighted that, while the GDPR isn’t yet as transparent as traffic regulations, that is the goal we should aim for. Sharing his experiences at Indaver, he emphasized that companies shouldn’t implement GDPR only because of regulations and penalties, but because data protection is important. If you don’t keep this firmly in mind, your implementation will fail. GDPR projects also require leadership and company-wide awareness. Management must define the framework, while the DPO ensures that someone in the company has ownership of the project, policies, guidelines and supervision/verification.
Finally, 'document, document, document', Jean-Pierre reminded us: you'll need to demonstrate to a potential auditor that you don't take data protection lightly!
The Beltug Team