On September 16, 2016, the Belgian Data Protection Authority (the “Privacy Commission”) published a 13-step guidance document (in French and Dutch) to help organizations prepare for the EU General Data Protection Regulation (“GDPR”).
The 13 steps recommended by the Privacy Commission are summarized below.
- Awareness. Inform key persons and decision makers about the upcoming changes in order to assess the consequences of the GDPR on the company or organization.
- Internal Records. Document what personal data is stored, where it came from and with whom it is shared. Record data processing activities and consider undertaking an information audit.
- Privacy Notice. Review existing privacy notices and update them to comply with the GDPR.
- Individuals’ Rights. Review current procedures to comply with individuals’ rights, including any procedures to delete or transfer personal data electronically.
- Access Requests. Update existing procedures to address access requests and plan how individuals’ access requests will be handled within the new time limits imposed by the GDPR.
- Legal Basis. Document data processing activities and identify the appropriate legal basis to carry out each type of data processing activity.
- Consent. Review how consent is sought, collected and recorded, and ensure that procedures comply with the new requirements of the GDPR.
- Children’s Personal Data. Develop mechanisms to verify the ages of individuals and gather parental or legal guardian consent for processing activities that involve children’s data.
- Data Breach. Ensure appropriate procedures are in place to detect, investigate and report data breaches.
- Data Protection by Design and Data Protection Impact Assessments. Become familiar with the concepts of Data Protection by Design and Data Protection Impact Assessment, and determine how to implement them within the organization.
- Data Protection Officer. Appoint a Data Protection Officer (“DPO”), if required, or someone to take responsibility for data protection compliance. Review the position within the organization’s structure and governance arrangements.
- International. Determine which data protection supervisory authority will be responsible for supervising your organization’s compliance with the GDPR.
- Existing Contracts. Review existing contracts, in particular with data processors, and make the necessary changes to comply with the GDPR.
In addition, the Privacy Commission also published a thematic dossier on the GDPR (in French and in Dutch), split into three categories: (1) for data controllers, (2) for data processors, and (3) for individuals (to be published soon). For each category, the Privacy Commission offers a detailed overview of the GDPR’s fundamental principles and main concepts, including sanctions, scope of application, individuals’ rights, the one-stop-shop mechanism, data transfers, accountability, appointment of a DPO, data security and data breach notifications. The thematic dossier will also include a FAQ section that collates the most frequently asked questions submitted by individuals and stakeholders via an online form.