Nearly one year ago, companies went full throttle on their GDPR projects: yet even now, their goals to comply with the Data Protection Regulation still require constant effort.
In this session, we started with a look at how we can embed that effort in our daily operations. Next, we zoomed in on a few knotty elements: how Orange handles 'legitimate interest' and an update on the Belgian implementation of the GDPR. Then we rounded out with an update on new privacy tools from Beltug to help our members:
The presentations from the event are available for Beltug members (after log-in):
Case: The never-ending journey to GDPR compliance - a matter of constant monitoring
David Stevens, Data Protection Officer, Europe at Nielsen got things rolling by talking about the continuous effort to embed GDPR in a company's organisation. He showed us an overview of what he visualises as the 'virtuous circle of GDPR compliance' (see slide 5) - with 'governance' firmly on the top.
Next, he discussed how the GDPR addresses risks (see slide 9). GDPR covers three types of risks – low, normal and high:
David zoomed in on how the regulation defines these various types of risks and the criteria for impact assessments (see slides 11-15).
What then is the role of the DPO in all of this? DPOs are independent of the company they work for, making them your best expert on risks and the GDPR. They are also able to take into account the regulators' enforcement priorities.
David then looked at the tools that can help ensure compliance in an organisation (Nielsen uses Onetrust, Dataguidance and Alation, he revealed). Some tools on the market can be handy and efficient, but keep in mind that commercial tools are not a requirement for keeping a company GDPR-compliant. They can make your life easier, but they don't help you understand the DNA of the GDPR; they don't tell you what you need to do and why.
He also gave us an overview of the privacy vendors on the market and what they can do (see final slide).
To conclude, David shared his key messages:
Case: 'Legitimate interests' - from vague to lawful
Our second speaker of the day, Jan Leonard, Data Protection Officer at Orange, shone a light on the concept of 'legitimate interest'. It is a balancing act between the legitimate interest of the controller and the interests or fundamental rights and freedoms of the data subject. So what do we need to know to strike this balance?
(See slides 5-7).
In any case, this assessment needs to be based on the accountability of the controller: companies must be transparent about their data processing and it needs to be clear who is responsible and accountable for a specific processing in the organisation.
Keep in mind that this assessment plus the DPO-role is not a one-person job: finding solutions that suit all parties and are within the boundaries of the law is a team effort.
Jan concluded with this advice: make sure you approach the assessment in a structured way and link it with your efforts on DPIA and risk management - don't start your work from scratch.
The ‘ins and outs’ of the Belgian implementation of the GDPR
The General Data Protection Regulation (GDPR) is an EU regulation, so how does it translate into Belgian law? Edward Taelman, Senior Associate at Allen & Overy, shared his expertise with us on this aspect. Firstly, we learned how the BDPA (Belgian Data Protection Act) differs from the GDPR, and the scope of the BDPA, both territorial and personal (see slides 6-7). One important difference is the minimum age of consent: in the BDPA the minimum age is 13 years, compared to the minimum age of 16 recommended by the GDPR.
There are also differences regarding sensitive data (genetic/biometric data, gender, religion, etc.): Belgium sets out a list of 'reasons of substantial public interest', including:
Sanctions in the Belgian law are mostly identical to the GDPR, with 2 major differences:
The investigative powers of the DPA have been increased quite a lot compared to the former Privacy Commission, extending its role considerably, including the chronology of actions (see slides 15-17). At the conclusion of an investigation, the DPA drafts a report, with a few possible outcomes:
Keep in mind, though, that this is all in theory! With an ad interim management in place at the moment, the DPA is not currently taking any big steps or big decisions.
Data controller or data processor? It’s not always straightforward
Jean-Pierre Bernaerts, External DPO & Data Protection Advisor at DPOffice, then gave us a look at a few tools he recently developed for Beltug. He started with the checklist that helps companies determine whether they are (typically) a controller, a processor or a joint controller. It lists 36 types of businesses and 36 sectors, stipulating whether that type of company is typically a controller or a processor according to the GDPR. For each type, the legal provisions and a comment or motivation are included.
The list will be modified based on changes in the market, including adding sectors when necessary. The checklist will be published on the Beltug website soon.
Next, Jean-Pierre showed us the General GDPR questionnaire for provider 'quick scan', now available on the website along with all the other GDPR tools. It provides a basic list of 13 simple questions, in 3 subcategories:
Beltug & Privacy
To round out the event, Danielle Jacobs, General Manager at Beltug, listed what we will be doing to continue supporting our members in their efforts to respect the privacy of their data subjects.
Beltug (@Beltug) on Twitter, January 30, 2019: "Understanding #LegitimateInterest is all about the balance between the interest of the controller vs the fundamental rights of the data subject - Jan Leonard #GDPR #DataProtection #Privacy"