GDPR its not a one-person job! Takeaways from the X-change of 30 Jan 2019


Nearly one year ago, companies went full throttle on their GDPR projects: yet even now, their goals to comply with the Data Protection Regulation still require constant effort.


In this session, we started with a look at how we can embed that effort in our daily operations.  Next, we zoomed in on a few knotty elements: how Orange handles 'legitimate interest' and an update on the Belgian implementation of the GDPR. Then we rounded out with an update on new privacy tools from Beltug to help our members:

  • determine whether an organisation is a controller or processor
  • evaluate processors.


The presentations from the event are available for Beltug members (after log-in):


Case: The never-ending journey to GDPR compliance - a matter of constant monitoring


David Stevens, Data Protection Officer, Europe at Nielsen got things rolling by talking about the continuous effort to embed GDPR in a company's organisation.  He showed us an overview of what he visualises as the 'virtuous circle of GDPR compliance' (see slide 5) - with 'governance' firmly on the top.


Next, he discussed how the GDPR addresses risks (see slide 9). GDPR covers three types of risks – low, normal and high:


  • Risks of varying likelihood and severity
  • Processing likely to result in high-risk to rights and freedoms
  • Processing unlikely to result in risks to the rights and freedoms


David zoomed in on how the regulation defines these various types of risks and the criteria for impact assessments (see slides 11-15).


What then is the role of the DPO in all of this?  DPOs are independent of the company they work for, making them your best expert on risks & GDPR. They are also capable of taking into account regulator’s enforcement priorities.


To conclude, David looked at the tools that can ensure compliance in an organisation (Nielsen uses Onetrust, Dataguidance and Alation, he revealed).  Some tools on the market can be handy and efficient, but keep in mind that commercial tools aren’t a requirement to keep companies GDPR-compliant.  They can make your life easier, but they don't help you understand the DNA of the GDPR; they don't tell you what you need to do and why.


David then gave us an overview of privacy vendors on the market and what they can do (see final slide).


To conclude, David shared his key messages:


  • GDPR compliance is a journey
  • GDPR refers to different levels of risk
  • Risks are not related to data protection only
  • There is limited guidance on scaling severity & likelihood
  • CNIL offers the most interesting guidelines
  • DPO has a crucial role in assessing risks
  • An all-encompassing tool does not exist and may not even be possible.


Case: 'Legitimate interests' - from vague to lawful


Our second speaker of the day, Jan Leonard, Data Protection Officer at Orange, shone a light on the concept of 'legitimate interest'.  It’s a balancing act between the legitimate interest of the controller versus the interest or fundamental rights and freedom of the data subject. So what do we need to know to create this balance?


  • The legitimate interest of the controller or a third party
  • The interest of the data subject
  • The impact on fundamental rights and freedom of the data subject
  • The provisional balance
  • Additional safeguards


(See slides 5-7).


In any case, this assessment needs to be based on the accountability of the controller: companies must be transparent about their data processing and it needs to be clear who is responsible and accountable for a specific processing in the organisation.


Keep in mind that this assessment plus the DPO-role is not a one-person job: finding solutions that suit all parties and are within the boundaries of the law is a team effort.


Jan concluded with this advice: make sure you approach the assessment in a structured way and link it with your efforts on DPIA and risk management - don't start your work from scratch.


The ‘ins and outs’ of the Belgian implementation of the GDPR


The General Data Protection Regulation (GDPR) is an EU regulation, so how does it translate into Belgian law?  Edward Taelman, Senior Associate at Allen & Overy, shared his expertise with us on this aspect. Firstly, we learned how the BDPA (Belgian Data Protection Act) differs from the GDPR, and the scope of the BDPA, both territorial and personal (see slides 6-7). One important difference is the minimum age of consent: in the BDPA the minimum age is 13 years, compared to the recommended minimum age of 16 recommended by the GDPR.


There are also differences regarding sensitive data (genetic/biometric data, gender, religion, etc.): Belgium sets out a list of 'reasons of substantial public interest', including:


  • processing by human rights organisations
  • processing by Child Focus.


Sanctions in the Belgian law are mostly identical to the GDPR, with 2 major differences:


  • public authorities are exempted from administrative fines
  • criminal sanctions.


The investigative powers of the DPA have been increased quite a lot compared to the former Privacy Commission, extending its role considerably, including the chronology of actions (see slides 15-17).  At the conclusion of an investigation, the DPA drafts a report, with a few possible outcomes:


  • Transfer the matter to the dispute chamber of the DPA (risk of potential fines!)
  • Transfer the matter to a DPA of another EU country
  • Transfer the matter to a prosecutor
  • Do not pursue the matter.


Keep in mind, though, that this is all in theory! With an ad interim management in place at the moment, the DPA is not currently taking any big steps or big decisions.


Data controller or data processor? It’s not always straightforward


Jean-Pierre Bernaerts, External DPO & Data Protection Advisor at DPOffice, then gave us a look at a few recent tools that he recently developed for Beltug.  He started with the checklist for companies to define whether a company is (typically) a controller, a processor or a joint-controller. 36 types of businesses and 36 sectors are listed: stipulating whether this type of company is typically a controller or a processor, according to the GDPR.  For each type, legal provisions and a comment or motivation are included.


The list will be modified based on changes in the market, including adding sectors when necessary. The checklist will be published on the Beltug website soon.


Next, Jean-Pierre showed us the General GDPR questionnaire for provider 'quick scan now available on the website, with all the other GDPR tools. It provides a basic list of 13 simple questions, in 3 subcategories:


  • The Basics / General
  • Assisting the controller
  • (Sub)Processors


Beltug & Privacy


To round out the event, Danielle Jacobs, General Manager at Beltug, listed what we will be doing to continue supporting our members in their efforts to respect privacy of their data subjects.












Dear visitor,

Access to more information about this topic and/or to download the paper is easy and fast, but exclusively for Beltug members (just login to get access).

Beltug gathers a lot of information. Here you find the advantages of Beltug membership

The Beltug Team

Click here to login

>>> Back to overview