ACA Blog

ACA Blog

September 2019
« Aug    


8 months of GDPR – A status overview

Jean-Pierre BernaertsJean-Pierre Bernaerts

The General Data Protection Regulation (GDPR) was without question one of the biggest stories of 2018. When the GDPR became enforceable in all European Union Member States on the 25th of May, it introduced quite a number of important changes that impacted organizations on processing the personal data of employees, customers, prospects, suppliers and other third parties residing in the EU.

After almost eight months after the GDPR’s effective date, organizations are still working on (or struggling with?) compliance – and will probably continue to do so for a couple of years. But what has happened during these eight months? Remember the message of fear for penalties that was strategically positioned as the major thing by mostly consultants, or the heavy and costly impact that was predicted on businesses and their processes? What about the possible investigations by Data Protection Authorities after one or more data-subject complaints?

This blog post looks into what has really happened and whether it was somewhat in line with the predictions, in general as well as in Belgium. We’ll look at it from the viewpoint of myself working as external DPO (Data Protection Officer) for a number of companies. It’s impossible to discuss all topics that concern the GDPR, so I made a selection and will discuss some major ones. During the next blog posts, I will go into detail on other topics. Today, I’ll share with you what the situation is after 8 months regarding:

The GDPR is a blessing in disguise

Let us start with some good news: the GDPR requires companies to map out their processes involving personal data and define the legal grounds for processing these data, the retention periods, International Data Transfers etc. This exercise is one of the basic activities required in order to carry out the process towards GDPR compliance. During the evaluation(s) of the personal data processing within these different processes, awareness that some personal data might be redundant was growing rapidly.

As it is one of the objectives of the legislation to ensure that organizations only work with data that is strictly necessary for the purpose for which they are collected, it’s one of the (many) good things coming out of the GDPR (it’s not the first time that we say this). It is necessary to look critically at what data is really necessary for a particular purpose. And during the process towards GDPR compliance, all these other questions start popping up: is it necessary that everyone can access all the data? Is a certain processing necessary or can we achieve the goal in another way? Are the personal details of our employees properly protected? In one specific case, I found out that a certain processing activity was completely in violation of the legislation and stopped it immediately. In short, the GDPR makes companies less data-hungry and more aware of the rights of data subjects.

Consent is not the only legal basis for processing

Under the GDPR, the legal basis for processing allows an organization to process personal data for a specific purpose. Unfortunately, the kick-off here has been a bit difficult: the media have focused mainly on ‘consent’ as a legal basis. It was as if personal data could only be processed through consent. This exaggerated and unjustified focus has led to the fact that consent was asked for everything, even where it was not necessary at all.

Consent however is only one of the legal grounds that are possible, such as the processing of personal data on the basis of a legal obligation (e.g. salary processing), or contractual basis (e.g. ordering from online shops is not possible without giving up your address), legitimate interest (e.g. an employer can monitor internet traffic for security reasons). There is still work to be done here: the determination of the legal basis needs to happen more accurately and it certainly does not always have to be consent.

Increased reports of data breaches

What we have all seen happening is the almost exponential growth of the number of data breaches that have come into the news. Whether they are from Facebook, Orange or Marriott, everyone has heard about them and everyone is asking questions on how this is possible.

In recent months, the realization that our personal data is not always safely processed did also see exponential growth. This puts so much pressure on organizations that those who hadn’t done it yet, made data security one of their biggest priorities. Fines are one thing, but loss of reputation is much worse, especially for the longer term. Luckily not all data breaches are of such nature that they have to be discussed in the media. Most are much more limited, have little or no impact on the liberties and rights of those involved and are never known outside the walls of the organization. So what number are we talking about here? I honestly have no idea, but I estimate it must be in the thousands. The important thing here is that companies do something with the lessons learned and that processes, policies and guidelines are improved accordingly.

In Belgium, 317 data breaches were reported to the DPA in the first 6 months of 2018, where there were only 17 for the whole of 2017. We do not know if the DPA has issued any actions against those companies. In contrast to DPAs from Germany, UK or France, the Belgian DPA does not communicate the details of this type of activities. Some personal statistics, then: during the first 8 months my customers experienced

On the basis of this totally unscientifically substantiated list, most data breaches seem to be human errors that could have been prevented. Continuous awareness improvement is a very important factor to counter these errors as well as we can.

No floods of data subject complaints

One of the topics which was discussed and written about in the run-up to the GDPR, were the predictions about the huge amounts of complaints that would be filed to the DPAs. Some studies concluded that up to 30% of the population would file a complaint! But what happened in reality?

In the first 6 months of the GDPR, 148 complaints were filed with the Belgian DPA. In all honesty, I must confess that I was very surprised by the limited number of complaints. Not many details are known about the content of these complaints, but it is much less than I expected and much, much less than the predictions in most presented studies. So, it seems to me that we Belgians only complain when we’re really upset. Personally, me and my customers were confronted with just one complaint (out of the 148) and one ‘conformity assessment’ (out of 137), which brings us seamlessly to the next topic…

The situation in Belgium 🇧🇪

The Belgian Data Protection Authority (DPA) does its job…

Much is said and written about the ‘laxity’, ‘indecision’ or ‘invisibility’ of the Belgian DPA, but this is in my honest opinion heavily exaggerated. The Belgian DPA does not stand out in communication but is certainly doing its job: DPOs speak a lot with each other, either via email or at events, data protection and privacy councils, where complaints, investigations and data breaches are heavily discussed topics.

Many of my peers have already had contacts with the Belgian DPA, many of them have already received letters with a complaint, an obligation for alignment with the GDPR (e.g. website privacy/cookie policies) or just a request for information. Of course, all this communication is kept confidential and is not meant to become public information, but that doesn’t mean that nothing is happening.

And the fines? Indeed, fines have not yet been issued in Belgium (as far as we know), but that is not surprising: both State Secretary Philippe De Backer and the chairman of the Belgian DPA, Willem Debeuckelaere, have always stated that for 2018 Belgium chooses to guide and inform organizations in their journey to compliance and not to issue penalties from day 1 and apparently this statement is kept.

… even though it doesn’t officially exist yet

So, no problems then? No, unfortunately not: the biggest problem in Belgium is the fact that the DPA is still not formally in operation. It’s still the old ‘Privacy Commission’ that we have to deal with. Politicians have still not succeeded in finalizing implementing the transition from Privacy Commission to Data Protection Authority. Needless to say that we are not among the best in the class here… 🐌

The result is that the necessary guidance from the government is as good as non-existent: companies don’t know what to do with their questions, viewpoints are barely taken up and organizations are often clueless when it comes to more complex issues. A good example is that the information on the website on ‘privacy within employer-employee context’ is outdated and is not updated with the new GDPR requirements. This is due to the fact that the current management does not want to take decisions and believes this is to be done by the management of the ‘new’ DPA. But since it’s not in place yet… not much really happens.

Beltug, the largest Belgian association of Digital Technology Leaders, has written a letter about the above to the President of the Belgian Chamber of Representatives Siegfried Bracke, in order to make the appointment of the management of the Belgian DPA a priority. Then it can finally go to work, which is essential for the correct implementation of the GDPR in Belgian organizations.

As always, comments and questions are welcome! The next blog post about GDPR should be published in about 2 weeks time and will deal with what the content of the job of a Data Protection Officer exactly is. Stay tuned for ‘A day in the life of a DPO’!