But correctly handling the privacy of your data subjects requires constant effort, and at times presents a major challenge. So we zoomed into a few of these hurdles, and checked out best practices. We brought you an example of an internal privacy statement, had a look at the importance of data classification, and learned about the ins and outs of a suitable training and awareness programme. To top off the event, we heard from our new Data Protection Authority about its plans in the months to come.
Presentations are available to Beltug members (after login):
New Beltug tool: internal privacy statement for employees template
Our first speaker was Bavo Van den Heuvel, Director of Product Innovation at Cranium. The GDPR, he explained, is about the processing of personal data, and most companies hold such data: in their CRM (whether they are B2B, B2C, B2G, etc.), in their core applications, and also in their own HR systems.
Bavo presented an example of an internal privacy statement, co-created by Beltug and Cranium, which focuses on this HR data. The template aims to help employees understand what personal data the employer collects about them, why it is collected and what is done with it. The scope comprises employees in general, including temporary employees, job students, trainees, freelancers and contractors. (Job applicants are out of scope of this document, but it is still important to have a policy in place for them as well.)
By using the document, the employer company ensures the employee can
Much of the data processing is related to payroll and personnel administration, so Bavo discussed the angles in that area, the types of personal data, the purpose and the legal basis (Slide 7).
Other ways of processing the data of your data subjects include:
So how can employee data be shared?
And don't forget about other elements such as the retention period, security and more (Slide 12).
Bavo also provided a clear overview of how to use the template (Slide 13).
Data classification in a world of data protection, security, data management & analytics
Our next speaker was Christoph Balduck, Managing Partner at Data Trust Associates, who spoke about the continued importance of data classification, especially from a privacy angle. (Slide 11)
Looking at a company's GDPR journey, one of the most challenging aspects is often the classification of data. Without classification, it is harder to determine risks: you might over-secure or under-secure, for example. Data classification makes us 'consciously incompetent' rather than 'unconsciously incompetent'.
Data classification is needed to meet legal requirements and is part of the standards and norms we want to follow. It also determines where we store and process data and who is allowed to obtain or consume it. Data classification further helps us to determine ownership of and responsibility for the company's data (data governance).
In brief: not classifying data is not an option!
Usually you start by defining your classification scheme, Christoph continued. Then you determine the technical and organisational measures, define or discover your data, and label the discovered data and data assets. Afterwards you classify your data, determine the gaps and prioritise the encryption of your data. (Slide 15)
Christoph provided a few examples of possible data protection and security classifications (Slides 17-22). Keep in mind, though, that classification should be done within its context: different classifications can apply to the same data in different contexts.
Data privacy – Is your organisation aware?
How aware is your organisation? That was the question that Koen De Maere, researcher in digital strategy and governance at the University of Antwerp and Antwerp Management School, and Information Manager at BASF, put to the group at the start of his talk.
And a key question in measuring and increasing awareness is: "Would our behaviour be similar if we were more aware?"
It all comes down to the privacy paradox: users express concerns about the handling of their personal data, yet at the same time give away this information voluntarily and rarely make an active effort to protect it.
So, in this context of consumer behaviour, these questions were put on the table within the Beltug Privacy Council:
Koen discussed the recommended duration of privacy awareness training for the different profiles within a company (marketing, board, procurement, HR, etc.) (Slide 30), as well as the recommended scope of such a training/awareness programme for each of these profiles (Slide 31).
Koen then revealed the findings of a study he carried out, together with 16 members of the Beltug Privacy Council, on the recommended methods. (Slide 32)
To complete his talk, Koen went over a few real-life examples, highlighting for each what went wrong (Slides 34-41). He wrapped up with a warning about the 'knowing-doing gap': organisations are aware of the best practices, competencies, skills and behaviours needed for success, yet for some reason do not implement and act upon this knowledge.
Online advertising: challenges for DPOs
Bert Verschelde, Data Protection Officer at DPG Media (formerly 'De Persgroep - Medialaan'), went over the concept of online advertising. Advertisers have various options and choices, ranging from direct deals, custom audiences and remarketing (based on your behavioural data) to advertising networks (AdWords, SEM). (Slides 6-11)
The legal framework (Slides 13-18) brings a number of challenges for the DPO, first of all in the user interface:
When it comes to programmatic advertising, the industry (through the IAB, the Interactive Advertising Bureau) came up with a response, the IAB Transparency & Consent Framework (Slides 24-25), but this approach created its own issues. The IAB has since developed a more granular approach.
Accountability is a third challenge: how do you prove that consent was given?
The new Belgian Data Protection Authority - objectives and roadmap
Our final talk of the day came from the newly appointed president of the Belgian Data Protection Authority. David Stevens, Commissioner at the APD-GBA, presented his fellow board members, emphasising that they collectively bring plenty of expertise and experience. He gave an overview of the responsibilities of the respective entities of the DPA: the general secretariat, the first line office, the inspection branch, the litigation chamber and the knowledge centre (Slides 3-8). The DPA is committed to further professionalising these entities in their tasks, David stated.
Since the GDPR has been in effect, the Belgian DPA has received:
The DPA has a strong ambition to reach out more, to stay close to the ground, and to have constructive conversations with the different stakeholders involved in privacy. Through dialogue and collaboration with other (industry) authorities, the DPA aims to pool resources and exchange valuable insights. Finally, the authority will strive to grow into an effective, efficient, independent and vigorous regulator.
Beltug (@Beltug), 19 June 2019: "Soon on the Beltug website, an example of a #PrivacyStatement for internal use - outlining the processing of personal employee data. Bavo Van den Heuvel explains how to use this new paper. #GDPR #Privacy #DataProtection" pic.twitter.com/PcMCh7ZyZX
More information about this topic and the download of the paper are available exclusively to Beltug members (log in to get access). Beltug gathers a lot of information; see the advantages of Beltug membership.
The Beltug Team