6 months after the GDPR : are we there yet ?

The panic towards May 25th has gone, business continues as before and a large majority of the Flemish organizations admit they are nowhere with regard to GDPR compliance.

A study of Wolters Kluwer, a major publishing company in Flanders, reveals that 12 % of our companies has done nothing yet, almost half of our organisations does not even have a register of processing activities and 94% admits they are in a responsive mode : they will take action once the requests start to come.

Unfortunately, as our Belgian DPA apparently only exists on paper and most of their members still need to be officially appointed by the Belgian Parliament, and they clearly announce in the public press that they are not ready for issuing controls nor for imposing fines, the pressure for our businesses is not extremely high.

But you shouldn’t comply to GDPR or whatever privacy regulation to avoid fines …
Complying shows respect to your employees, to your customers and to whomever trusts you with their personal data. So the next best time to react is TODAY, as the best time already has expired …

GDPR : Legal or IT stuff

We've assigned our corporate legal department 
to take care of the GDPR

You can't argue that, for sure. The GDPR is a regulation, with 99 articles, together with 173 recitals. So there is no discussion : this is the domain for lawyers and legal counsels.
So it is understandable that companies think of their legal department first to assess the impact of the GDPR on their activities.

And if all goes well, your lawyer will translate the regulation into readable and understandable instructions, and provide you with a prioritised list of topics for your business. He will also interpret certain articles that the European regulator left open for discussion, and, based on his own experience, advise you how to tackle them.

But unfortunately, from that moment on, you will have to take care of things yourself. Indeed, the instructions of your lawyer will need to be implemented into your organisation.
Your staff needs to be trained and the necessary awareness created. Policies and procedures need to be put in place and all processing of personal data must be registered.
You will probably need a number of processing agreements with suppliers with whom you share personal data, you will need templates for consent forms ...
You will need an adequate procedure to respond in case of a data breach and when an individual wants to execute his rights as a data subject, you will have to make sure he gets a proper answer in due time.

And, although your lawyer is certainly a key person in this project, he generally is not the most appropriate party to take care of this practical approach.

On top of that, a very important aspect is the integrity, confidentiality and security aspect of personal data, requested in article 5 of the GDPR. And by extension of all your data.
Indeed, what's the use of having a clear privacy statement on your website, of allowing your contacts their right of erasure, right of rectification, right to object etc...., if you cannot guarantee the security of those data. And also for these aspects of the GDPR, your lawyer or legal counsel will rely on the information security specialists to take care of things.

Precisely in these domains, our proven approach will help you to plan, budget and implement the GDPR in your organisation.

Based on the ISO27001 framework, we have developed a system that gives you a clear view on your current situation. You get an overview of all domains of information security, off course with clear references to the GDPR. It all starts with a number of interviews of key people in your organisation. A list of specific questions gives us a detailed insight on your way of working and potential issues for your information security. The results of those interviews are summarised in a practical dashboard that will be the guideline for future actions and improvements.

Together with your management team, your legal counsel and your IT-staff, we budget, prioritise and plan the necessary actions. We start with the low hanging fruit, so you can immediately show some results and assist you all the way in becoming GDPR compliant.

And if, in a later stage, you want that official ISO27K certification, you are already on the right path…

Contact us via for more information.