Privacy legislation: Are you GDPR-compliant?

The European privacy regulation (GDPR) sets out a range of new measures applicable to the processing, management and retention of personal data. From 25 May 2018, every Belgian business that gathers data from EU citizens must be compliant with this new privacy legislation. Businesses are independently responsible for compliance with the privacy legislation and must be able to demonstrate their compliance.


General Data Protection Regulation

There has been a privacy directive in place since 1995, which has been transposed into national law by all member states. That directive stipulates how and when businesses must gather, process and share personal data. Today, those rules no longer reflect our economic and technological reality (i.e. the digital revolution, internet, cloud computing and so on).

The General Data Protection Regulation (GDPR) is a response to our everyday, Internet-based world. The regulation entered into force on 24 May 2016, but businesses have until 25 May 2018 to adjust to the new rules. The rules apply throughout the European Union, without the need for national implementing laws (except for a few provisions).

This regulation does not apply to the processing of data on legal entities. The protection afforded by this regulation relates only to individuals - irrespective of their nationality or place of residence - and the processing of their personal data.


Citizens’ rights

The protection of (private) individuals when processing personal data is a fundamental right. Research by the European Commission has found that Internet users are concerned about how their personal data are used online. The new regulation gives citizens greater control in the following ways:
  • Easier access to their own personal data.
  • The right to data portability. This is an improved form of access whereby the data subject has the right to obtain personal data in a structured, widely-used and electronic form.
  • Confirmation of the right to the erasure of data or the right to be forgotten.
  • The right to be informed if a database containing your data is hacked (“data breaches”, see below).


Obligations of businesses

From 25 May 2018 onwards, some controllers and/or processors (e.g. banks and insurers) are required to appoint a Data Protection Officer (DPO). However, even those businesses to which this requirement does not apply would be well advised to appoint such an officer, who can be a vital part of your organisation’s data protection policy.

The GDPR also requires internal documentation to be maintained regarding processing activities (risk analysis). The Privacy Commission has already published a recommendation on records of processing activities. To take account of the specific situation of SMEs and micro-enterprises, organisations with fewer than 250 employees are subject to different rules with regard to maintaining these records.

In preparation for the new rules, you may be interested to know that the Privacy Commission has devised a checklist for businesses. The thirteen steps to be completed are:

1. Awareness: inform employees about the impending changes.
2. Record of data held: identify which personal data are held, where they come from and with whom they are shared.
3. Communication: are personal data already processed? If so, you must provide the data subject with certain information, such as the processor’s identity and the manner in which it will use the data. Usually, the information is provided in the form of a privacy statement. New information types must be added to this privacy statement.
4. Rights of the data subject: these are the same rights as under the current Belgian Privacy Act, with a few improvements. Among other things, the GDPR provides for information and access to personal data; correction and deletion of the data; objections to direct marketing practices; objections to automated decision-making and profiling; and portability of the data. The right to data portability is new.
5. Request for access: in most cases, requests for access must be granted free of charge and within 30 days (instead of the current period of 45 days).
6. Legal basis for processing personal data: this is virtually the same in the GDPR as in the current Privacy Act. Check how data are processed, ascertain the legal basis and document this in light of the accountability requirement.
7. Consent: the GDPR refers to “consent” and “explicit consent”. The distinction is not particularly clear. Consent cannot be assumed from silence, a pre-ticked box or inactivity.
8. Children: if your business collects data from children aged under 16, a parent or guardian must give consent in order for the data to be lawfully processed.
9. Data breaches: data breaches that are likely to cause any kind of damage to the data subject, e.g. due to identity theft or the breach of a duty of confidentiality, must, in principle, be reported to the Privacy Commission within 72 hours. The data subject must also be informed.
10. Privacy by design and privacy impact assessment: the GDPR makes this a clear, legal requirement. An impact assessment is only required in high-risk situations, e.g. when a new technology is implemented.
11. Data Protection Officer: see above.
12. International: any business that operates internationally must ascertain the regulatory authority to which it is subject.
13. Contracts: assess existing contracts, primarily those with processors and subcontractors, and make any necessary changes promptly.


More stringent checks

Failure to comply with the current privacy legislation goes virtually unpunished, because the Privacy Commission cannot impose any fines. However, any business that is not GDPR-compliant can expect more stringent checks, as the Privacy Commission will be getting powers of investigation and prosecution. Violations will incur administrative fines of up to EUR 20,000,000 or, for a business, up to 4% of total global annual turnover in the previous financial year, whichever is higher.

Copyright Wolters Kluwer