Following a series of guidance documents published by fellow national DPAs, the Belgian Privacy Commission launched a 13-step GDPR-readiness roadmap to help companies that process personal data start preparing.
The Privacy Commission will also create a GDPR-themed section on its website where data controllers and processors can consult additional guidelines, instruments and frequently asked questions.
The 13 steps forming the roadmap for ensuring GDPR compliance by 25 May 2018 are:
1. Raising awareness
Inform key figures and policymakers on upcoming changes. They will have to assess the impact of the GDPR for the organisation.
2. Data mapping
Document which personal data you manage, where it comes from and with whom it has been shared. Map your data processing activities. You may need to organise an information audit to do this.
3. Communication
Evaluate your existing privacy policy and plan necessary changes in view of the GDPR.
4. Rights of the data subject
Verify whether the current procedures within your organisation provide all the rights granted by the GDPR to the data subject. Check how personal data can be erased or how personal data will be communicated electronically.
5. Access requests
Update your existing access procedures and think about how you will process future access requests under the new GDPR terms.
6. Legal basis for processing personal data
Document the various types of data processing by your organisation and identify the legal basis for each of them.
7. Consent
Evaluate your way of requesting, obtaining and registering consent. Modify where necessary.
8. Minors
Develop systems to verify the age of the individual concerned and request parental or custodial consent when processing personal data of minors.
9. Data breaches
Put in place adequate procedures to detect, report and investigate personal data breaches.
10. Privacy by design and privacy impact assessment
Get acquainted with terms such as “privacy by design” and “privacy impact assessment” and verify how you can implement these concepts in your organisation’s day-to-day operations.
11. Data protection officer
If necessary, appoint a data protection officer or someone responsible for ensuring compliance with data protection laws. Evaluate how this person will function within the management of your organisation.
12. International
Determine which supervisory data protection authority is competent for your organisation if it is active in multiple jurisdictions.
13. Existing contracts
Evaluate your existing contracts – mainly with processors and subcontractors – and adopt the necessary changes in a timely manner.