How does the General Data Protection Regulation (GDPR) impact your organization?
The new General Data Protection Regulation (GDPR) will be in force as from May 25th, 2018. The regulation aims to give back the control over personal data as much as possible to the respective individual.
The GDPR – a game changer
We believe that the GDPR can be considered as a “game changer” because (a.o.):
- The GDPR is applicable to all organizations registered in the European Economic Area (EEA) and to all non-EEA organizations that are offering goods and services in the European Economic Area. Taking into account that for example also contact data of customers and suppliers are considered as personal data, (almost) all organizations with business activities in the European Union have to comply with the GDPR;
- The new European regulation reverses the burden of proof. It is up to your company itself to proof to the national data protection authorities (e.g. Privacy Commission in Belgium) – better known as “Data Protection Authority” or “DPA” – that you are compliant with the regulation;
- The GDPR will be enforceable because:
- The new regulation foresees an audit right for the national DPA;
- Companies have an accountability duty towards the DPA;
- Worst case fines can be issued (depending on the type of breach) up to 2% of the consoli-dated revenue (or 10 mio EUR) or up to 4% of the consolidated revenue (or 20 mio EUR).
How hot the soup will be served in the end, will largely depend on the resources and the mandate the national data protection authorities will get.
Pragmatic GDPR strategy
Pragmatism is “the” key word for horsum when it comes to developing a GDPR strategy. A clear strategy is essential because (a.o.) the Privacy Commission recommends to each organization subject to this regulation, to set up and maintain an internal (data) register that keeps track of every type of personal data processing [1].
The actual impact of the regulation on your organization depends on the nature and the size of your business activities. For example, B2B companies will generally be less affected compared to B2C companies. Nevertheless the key message is that, irrespectively of which type of company you are, you will have to take the necessary actions by May 25th, 2018.
Even though this regulation will be enforced within less than one year, a recent study of the insurance broker Vanbreda[1] shows us that an alarming 76% of Belgian companies are not yet actively preparing to cope with the new European Data Protection Regulation. Some companies intentionally wait and see, while other companies are not yet well-informed about the content and/or impact of the new regulation.
horsum as your guide
horsum will therefore inform you and your organization, during the next weeks, about the potential impact of the GDPR on your organization and its business activities.
But… before we present the practical consequences of the GDPR, it is important to first get a good understanding of the most important concepts defined in the GDPR.
We are happy to explain you these key words and concepts in our blog article wherein we illustrate these key words with clear examples.
If you would have any additional questions regarding this article or on any other GDPR related matters, please do not hesitate to contact us for more information.
Frederik Vervoort (Certificated Data Protection Officer) – July 6th, 2017