Beltug has developed and published the GDPR Vendor Assessment questionnaire, to help companies discuss compliance with cloud providers, and negotiate certain GDPR-required contract clauses. Under the GDPR, the 'data controller' always remains accountable, so it is up to you to be sure your processor/Cloud Service Provider (CSP) will treat data in a compliant way.
In the first part of this 2-part N-sight, we learned about what this tool includes, how it was developed, and how to use it. We also looked into what companies will need to do to monitor and maintain compliance after the GDPR is implemented. And we discovered how multinational company Engie Benelux is incorporating data protection into processes throughout the company.
Presentations from the event are available exclusively for Beltug members (after login):
"The law doesn't oblige you to be fully compliant": a bold statement to start the session. After walking us through a few necessary steps on the current road towards compliance, Bavo Van den Heuvel, Managing Partner and Director of Product Innovation at Cranium, took a close look at how to maintain that compliance.
Among the key considerations for 'the day after' the GDPR implementation is your data register. The initial inventory of your data is just the beginning: this register needs to be updated as situations change, for example after mergers and acquisitions, when new software is introduced in the company, or when new processing operations start, to name only a few examples. And if you experience a data breach, update your register to reflect any resulting changes.
Your DPIAs must also be kept up to date: ensure those documents stay in line with changes in your company, and document in them both the decisions you have made and those resulting from each Data Protection Impact Assessment.
Make sure new processors are reflected: audit existing ones and perform 'due diligence' on new ones. The GDPR Vendor Assessment questionnaire (see below, Jean-Pierre Bernaerts’s presentation) can be of great help in that assessment of your (cloud) providers.
Measuring privacy metrics is a good thing, of course, but make sure each metric is properly defined. The information should be relevant and stable over time, too. It's a good idea to have the metrics calculated automatically and to review them regularly.
Employee awareness is a major pillar in your GDPR project! Keep track of your actions in this area. Take a look at slide 6 for more actions.
Be ready for all kinds of questions from data subjects or third parties, and treat them all equally. But before responding to a request, always make absolutely certain of the identity of the data subject: disclosing personal data to the wrong person is itself a data breach! And act in a timely manner when questions are asked.
Last but not least, when your first data breach occurs, there are a few important things to keep in mind:
Next up, Peter Van Rompaey, BU Data Privacy Manager at Engie Benelux, shared his experience with the GDPR, and how Engie Benelux integrates privacy and the EU regulation into its processes. The Engie group has over 22,000 employees and is responsible for around 140 legal entities, in all kinds of domains: operations, nuclear power plants, traditional power plants, etc. A DPO will probably need to be appointed for 30 to 40 of these entities.
With the full support of the Engie management, the GDPR project at Engie started over a year ago. As a complex organisation, Engie faced many challenges:
The final speaker was Jean-Pierre Bernaerts, DPO & Director GDPR Compliance Services at DPOffice, who presented the Beltug Vendor Assessment Questionnaire (available after log-in). He emphasized yet again: you cannot delegate accountability! This was the main driver for building the Beltug Vendor Assessment questionnaire. If a controller does not take this assessment seriously, and appoints an unqualified processor, the controller (and not the processor) will probably be liable if an incident occurs.
All processor contracts in force after May 2018 need an addendum covering the GDPR-required data protection clauses. But don't reopen the whole contract, Jean-Pierre added, because you risk renegotiating other articles in it (such as pricing!). Limit the renegotiation to the data protection clause, added as an addendum.
Following the presentations, a one-hour workshop was arranged. Jean-Pierre Bernaerts and Tim Van Honsté, Large Enterprise account manager at Veritas Technologies, went over the various items in the Beltug Vendor Assessment Questionnaire in detail, and answered participants’ questions. They also repeated that the list was built primarily for working with larger CSPs.
One particularly important section in this list is about the sub-processors. Remember that, even when your processors have multiple levels of sub-processors, you remain, as a controller, accountable all the way down the line. So, it is important to know where your data sits and who is managing/processing it.
All in all, it was a lively and engaged discussion. We are confident our members will find the Vendor Assessment questionnaire very useful on their path to achieving and maintaining GDPR compliance.