How to be GDPR compliant

Are you looking for pragmatic, operational answers about what to do and what not to do with data processing, use and retention? In this article we answer your questions about GDPR in a simple and practical way.


What is GDPR?

GDPR stands for “General Data Protection Regulation”. The European Parliament adopted the GDPR in April 2016, replacing an outdated data protection directive from 1995. It offers a higher level of protection than before to every consumer whose personal data is processed.

Personal data is any information relating to a person, the “Data Subject”. It is anything that can be used to identify that person: name, picture, email address, bank details, social network account, medical information, even a computer's IP (Internet Protocol) address.

What are the goals of GDPR?

✔︎ To give citizens back control of their personal data;
✔︎ To empower the actors involved with the data;
✔︎ To increase awareness of the regulation through a system of penalties.

Who is concerned?

GDPR compliance concerns every European company that processes the personal data of European citizens. It affects companies in many different ways, depending on factors such as company size, the types and amount of data processed, and the security and privacy measures already in place.

What are the penalties?

In the event of non-compliance, companies can be fined 2% to 4% of their turnover, and up to 20 million euros for the most serious offences.

Enforcement will be applicable from the 25th of May 2018.


Implementation

In 2017, Stef B., a Belgian lawyer, “joined the game” at Lesterius. He has been designated as the Data Protection Officer (DPO) of the entire group.

His missions are:
✔︎ To check that our processes comply with the provisions of the GDPR in their use of personal data;
✔︎ To accompany and advise the company's managers and employees on the use of personal data in accordance with the regulation;
✔︎ To alert central management of any breach of the provisions of the GDPR.

Meetings are held regularly between the Project Managers in France, Belgium and the Netherlands. Keynotes are given to the whole group every two months.

“GDPR is not a coming storm, but a new breeze will blow,” he tells us.


Main provisions of GDPR

Right of Information: Users must be informed of any data collection concerning them, and must give their explicit consent to it.
Action: Apply data protection by design and by default.

Right to Access: Users will be able to request access to their personal data and ask what it is used for.
Action: You must give your contacts access to the data you hold on them.

Right of Consent: At any time, a customer may withdraw their consent to their data being used by your company.
Action: In specific cases, you must obtain your contacts' unambiguous, express and explicit consent to store and use their personal data.

Right of Data portability: Users will have the right to recover their data to be reused by another service provider.

Right to erasure, or Right to be forgotten: It enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
Action: You must ensure that your contacts can easily request the deletion of their data.

Right of Notification: In the event of a leak of data concerning a user, they have the right to be informed within 72 hours of the discovery of the leak.
Action: Warn your customers about data breaches and flaws.

Do you remember Meltdown and Spectre? We conscientiously sent a mailing to warn our customers and published posts about it.

It is all about good sense and quality processes.


We adopt codes of conduct that promote anonymization & pseudonymization.

Anonymization: It becomes impossible to identify the person from the data.

Pseudonymization: The data no longer identifies the individual on its own. For some parties, however, identification might still be possible, because they hold other information that can be combined with it. After pseudonymization we might not immediately recognise someone.
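As an added illustration (not code from the original post or from Lesterius), the Python below pseudonymizes a constructed customer record with a keyed HMAC whose key is held separately, shows that only the key holder can re-link the result, and contrasts it with an anonymized copy whose identifiers are dropped and generalised; the record, the key and the city-to-country table are all constructed for the example.

```python
import hmac
import hashlib

# Constructed sample record; the person, e-mail and values are invented.
RECORD = {"name": "Ada Example", "email": "Ada@example.org",
          "birth_year": 1985, "city": "Brussels", "plan": "pro"}

# Direct identifiers that must never reach the pseudonymized dataset.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed generalisation table for the anonymization step.
CITY_TO_COUNTRY = {"Brussels": "BE", "Paris": "FR", "Amsterdam": "NL"}

def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace direct identifiers by a keyed pseudonym (HMAC-SHA256 of the
    normalised e-mail). The key is the 'additional information' that has to
    be stored separately: without it the pseudonym cannot be recomputed."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    email = record["email"].strip().lower().encode()
    out["subject_id"] = hmac.new(key, email, hashlib.sha256).hexdigest()
    return out

def relink(pseudonymized: dict, known_people: list, key: bytes):
    """Re-identification is possible only for the key holder, by recomputing
    the pseudonym of each person it already knows and comparing."""
    for person in known_people:
        candidate = pseudonymize(person, key)["subject_id"]
        if hmac.compare_digest(candidate, pseudonymized["subject_id"]):
            return person
    return None

def anonymize(record: dict) -> dict:
    """Drop direct identifiers and generalise quasi-identifiers (birth year to
    decade, city to country) so nothing is left to combine with other data."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["birth_decade"] = out.pop("birth_year") // 10 * 10
    out["country"] = CITY_TO_COUNTRY.get(out.pop("city"), "other")
    return out

if __name__ == "__main__":
    key = b"constructed-demo-key-keep-this-in-a-separate-vault"
    p = pseudonymize(RECORD, key)
    print(p)                                   # no name or e-mail, only subject_id
    print(relink(p, [RECORD], key)["name"])    # key holder re-links: Ada Example
    print(relink(p, [RECORD], b"wrong-key"))   # without the key: None
    print(anonymize(RECORD))                   # nothing left to re-link
```

An unkeyed hash of the e-mail would not count as anonymization either: anyone can recompute it from a guessed address, so treat such data as pseudonymous at best.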


Lesterius team State of Mind

The Lesterius team has always felt concerned about data protection and social environment security.

We provide custom app solutions for many customers and many users,
— we train people,
— we manage hosting servers,
— we organise conferences in Europe,
— we also know the personal data of our employees is very precious,
— … and this is a non-exhaustive list.

Data protection, privacy and security in general have always been a priority for us.

Our team is working on a Customer Dashboard to make personal data easier to access, update, upload and remove.

First, we are making it understandable internally: which “personal data” is involved and which processes should be applied so that we and our customers can be GDPR compliant.

On one hand, we will adapt our data processing to the GDPR.

On the other hand, we will provide you with a new GDPR service in which we help you check the compliance of your use of personal data with the provisions of the GDPR.


Contact

  • If you have a question about our Medium posts, contact mkt (at) lesterius.com or leave a comment below.
  • If you are a customer and would like to ask our DPO a question or request an audit, please send us a mail here.

Useful links

Council of the European Union: “Position of the Council at first reading with a view to the adoption of a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”
http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf

EU GDPR https://www.eugdpr.org

Intersoft Consulting https://gdpr-info.eu

How to GDPR-proof your startup https://thenextweb.com/tq/2018/01/17/gdpr-proof-your-startup-time-running-out/