The use of GDPR. Familiar territory, or quicksand after all?

12 January 2021 | dJ Talks

A new year, and a new topic for our dJtalks contributions: a series of blogs in which we tell you a bit more each time about the infamous GDPR. Because let’s face it: which part of our daily lives is not affected by this privacy regulation in one way or another? And at the same time: does our knowledge reach any further than a vague notion of “consent” and “right of deletion”? So it is something to keep an eye on. We will build up gradually.

How it all started

Since 25 May 2018, the General Data Protection Regulation (GDPR) has been applicable in all member states of the European Union. We will use the English acronym throughout this text.

Before the adoption of the GDPR, there was already a legal framework around data protection, but these rules were too scattered and varied from member state to member state. With the GDPR, the same rules must now be complied with by everyone within the EU who processes personal data.

With this, the GDPR has set a lot in motion. Suddenly, companies became keenly aware that they had to do everything possible, as soon as possible, to comply with all the new obligations and rules established by the GDPR. Of course, they had good reason to do so. After all, they were facing administrative fines of up to 20 million euros or up to 4% of the global annual turnover.

We are still looking for the right way

The first wave of efforts, however, was rather formalistic. Partly due to ambiguities in the interpretation, and reinforced by opportunism inside and outside the company, policy documents, registers and forms were raked together en masse. This, however, did not reckon with the supervisors, who, often in an activist manner and spurred on by a loud privacy lobby, started demolishing the paper wall and kicked us all into a privacy conscience.

So although the GDPR’s entry into force is now over 2.5 years behind us, there is clearly a second wave, with all of us facing the challenge of actually taking individuals’ privacy expectations to heart, whether spurred on by action groups and harsh condemnations from supervisors or not.

What can you expect?

But how do you do that, correctly apply the basic principles of the GDPR? How do you embrace respect for privacy in your daily actions?

These basic principles are certainly not yet sufficiently familiar territory. In order to avoid stepping into quicksand, it is therefore important to first explain the key concepts and most important principles. When are we talking about a controller, and what is a processor? And what are personal data and sensitive data? These are core concepts that very much determine what we may or may not do. The same goes for principles such as determining the privacy impact in advance and dealing correctly with the rights of the data subject: this involves much more than some paper documentation!

After we have drawn the outlines, in the second part of the blog series we will colour them in using practical examples: how do we deal with a leak of data? And is direct marketing still possible? Not to mention having to send data outside of Europe for that, because that is problematic, isn’t it? But can we still use cookies on our website, or are they necessary anyway?

Are you coming with us?

With this blog series, deJuristen want to advise your organisation and help it to better understand the nature of the personal data you process. You can then apply this when navigating the legal and regulatory complexities of the GDPR.

If you need more tailored practical solutions, you can always reach us at

Written by Larissa De Keyser, Trainee deJuristen, and Kris Seyen, Partner deJuristen
