Friede Coudron completed a thorough GDPR training course and was awarded the Certificate of Data Protection Officer (DPO) by the Data Protection Institute. She advises and trains customers in her capacity as DPO. She is currently working with a team to ensure that Titeca Accountancy also meets the GDPR legislation by 25 May 2018.
Friede is well aware of this: "Not a single businessman was waiting for this legislation. Adapting your company to the GDPR legislation requires additional efforts and investments from all organisations and businesses in the EU. So it is a subject people tend to avoid!"
Beware! Get started
Friede does not mince her words and immediately clears up a major misunderstanding.
"Don't be mistaken, the GDPR has actually been in effect since late April 2016. This means that entrepreneurs have had sufficient time to prepare themselves. Although this regulation is already binding, people are only starting to become aware of its existence now.
Insufficient time? Entrepreneurs will no longer be able to come up with excuses as from 25 May 2018, when the inspections on compliance with the GDPR will start.
"GDPR is essentially a very drastic new way of doing business. So we all have to go back to school."
What does GDPR stand for?
The GDPR (General Data Protection Regulation) concerns the management and protection of personal data of citizens in EU member states.
As from 25 May 2018, organisations/companies need to be able to demonstrate what personal data they collect, how they use these data, how long they store these data, who has access to which data within the company and how they protect these data, for example in their own data centres or in the cloud or on a server located inside or outside the EU. If you are unable to do so, you can be sanctioned for non-compliance with this regulation.
What exactly is the difference from the currently applicable legislation?
Friede answers resolutely: "The sanctions; very heavy sanctions of up to 4% of your annual turnover! I nevertheless believe that the administrative sanctions will be the highest.
A company that fails to comply with the GDPR can for example be shut down by the Privacy Commission for 4 weeks until the company complies with the GDPR.
Please note that all organisations and businesses within the EU fall under the GDPR as soon as they collect personal data in a systematic manner, even if limited to putting folders in a file cabinet."
"It is a misconception that GDPR is all about privacy. The GDPR is essentially a regulation on data processing. This obviously has an impact on privacy. Privacy and data processing are inextricably linked to each other.
"Personal information can be very diverse. Examples include customer data in customer databases, supplier data in your online accounting package, employee data in your wage administration ... It really goes very far."
The GDPR legislation, a household name
Other major elements within GDPR are the concepts of 'controller' and 'processor'.
The controller is the client while the processor is the person performing the service on behalf of the controller. "In short: if you intend to work together with a person who gains access to the personal details of your company, you should have this person sign a processing agreement.
The controller and the processor are jointly and severally liable for violations concerning the processing of personal details even though the controller always bears the final responsibility. It is therefore important that a processor agreement is drawn up which defines good mutual arrangements regarding the responsibility for violations."
The 7 GDPR Commandments
The 7 principles of the GDPR are the following:
1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability
"This obviously doesn't say anything to entrepreneurs", Friede points out.
"It comes down to this: You need to indicate that you process personal data with a specific goal in mind, that the personal data are correct, that you have sufficiently informed your customers and that you are transparent in the data you process.
You also need to demonstrate that these personal data are only stored as long as necessary. In your capacity as a processor, you are responsible for any failure to do all this.
You furthermore need to indicate that you ensure an appropriate level of protection and that you only process personal data strictly required to achieve your company goals.
This implies a number of specific rights, such as the rights of information, access to and rectification of personal data etc. That's quite a job. It is no easy task to guarantee all of these rights within your company.
Many companies require an entire internal or external DP (Data Protection) team to become GDPR-proof."
What do you have to do as an entrepreneur to comply with GDPR?
Friede explains: "The internal register seems like the most important element to me.
This is a document based on the seven principles that gives a clear indication of the personal data processed within your company, the persons these data are shared with and the manner in which these data are protected throughout these processes.
For example, many companies make use of the American online e-mail system MailChimp. However, this software package does not comply with the European GDPR legislation. You then need to indicate that you are aware of this, how you assess the risks of data leaks and what solutions you are going to provide in case of problems.
So the internal register is intended to describe the entire operation of your company and contracts with third parties, e.g. in the field of human resources management, supplier management, accounting and customer management."
Practical tips? "Yes, of course!" says Friede. "Start with yourself; lock your screen and put away your documents when you leave your desk."
No reason to panic
"It is correct that the GDPR legislation assumes that companies are very well acquainted with the GDPR", states Friede. "That is exactly where the problem lies, and time waits for no one.
Companies do not have to be entirely GDPR-proof by 25 May 2018, but it is worthwhile to get started without delay!"
"Adjust your contracts. Draw up an internal register, describe your processes and make sure to write down procedures. How will you respond to a data leak? ...
If you have a small company, this will not take too much time and effort. However, it may involve a substantial amount of work in case of large companies. Be sure to show your good will. If you do, the Privacy Commission will probably be (more) positively inclined to your company during an inspection."
Titeca Accountancy eliminates your GDPR worries:
Do you experience a lot of GDPR stress in your capacity as an entrepreneur? Then contact Friede at firstname.lastname@example.org.
Friede draws up GDPR recommendations that are tailored to your situation as much as possible. She drops by for an internal training course and offers you comprehensive no-nonsense advice.
Friede has one final bit of advice: "Don't panic, just get started!"