Belnet is preparing for the GDPR

Practical roll-out of the measures to comply with the GDPR

GDPR is the abbreviation for the European General Data Protection Regulation, which focuses on the transparency and control of the processing of personal data. As was previously announced, Belnet has taken the necessary precautions to be GDPR-compliant by 25 May 2018. Various measures are now being simultaneously rolled out at Belnet.

In this article, we deal with a few general measures that are aimed at developing Belnet privacy governance, on the one hand, and with a few measures that relate specifically to GDPR-compliance in the contractual relations with our clients on the other hand.

General: Belnet privacy governance

In addition to designating the Belnet Data Protection Officer (DPO) and drafting records of all our personal data processing, we are busy laying down the principles of privacy-by-default and privacy-by-design from the very start of our projects. When a project is started, Belnet project managers complete a few questionnaires, which are then submitted to the DPO for advice. We ensure that data minimisation, personal data processing risk management, and accountability form the leitmotif throughout project management.

We also include the GDPR requirements in public procurement specifications. It is important that our suppliers are also GDPR-compliant, not only in our internal operations but also in providing services to our clients.

Compliance with the GDPR is also of prime importance in the other contracts that Belnet concludes, which range from employment contracts to contracts with clients. You will see below what this specifically means for the contracts with our clients.

Specifically: processing clients’ personal data in contracts

To make the processing of clients’ personal data GDPR-compliant when providing our services, we will take three specific measures by 25 May 2018:

  • There will be a new appendix to the contract (general terms and conditions). The primary purpose of this is to transparently reflect the processing of the personal data of the client’s contacts as prescribed by the GDPR. This relates to matters such as the purpose of the processing, the transmission of the personal data, and the retention period.
  • In addition, a GDPR sheet will be drawn up for every specific service that the client purchases from Belnet. This will clearly record the processing of the personal data as prescribed by the GDPR. It will also be clearly stated if Belnet engages a data processor and, where possible, additional information on the data processor will be included. The necessary information will also be stated for services that Belnet purchases through Géant.
  • Finally, where the data subject communicates his or her personal data directly to Belnet, he or she will again be requested to give his or her explicit permission to process such data. This is necessary to be able to comply with the stricter requirements of the GDPR on explicit permission.

New procedure: The data subject’s exercise of his or her rights and the notification obligation in the case of data leaks

The GDPR imposes two new procedures concerning access to personal data and the notification obligation in the case of data leaks. You will be able to find these procedures in the aforementioned documents.

Knowledge sharing and exchange with other DPOs

Do you have any questions on the GDPR at Belnet? Or are you a DPO in a Belnet member organisation and do you want to exchange your experiences with us? Do not hesitate to contact us at dpo@belnet.be.