As I’m currently working on my bachelor thesis regarding the impact of GDPR on the IT processes in a multinational business environment, I invited our Belgian State Secretary for privacy for a short interview regarding GDPR. Philippe De Backer accepted and I met him at the Infosecurity conference in Brussels.
Hi Philippe, first of all, thank you very much for doing this in your probably very busy schedule.
No worries, if it’s fine I’ll just read and answer the questions straight away to save time.
If you had to pick 5 words to describe GDPR, which would you pick?
I think that the GDPR means standardization, better privacy protection for the consumer, a higher level of compliance from businesses but most of all an opportunity for a business to get a clear view on its data and how they can use that data in the business.
Why do you think GDPR is required?
I think GDPR is absolutely necessary because we are living in a digital economy, an environment where the protection of personal data regarding civilians should be better. The business needs to get a better view of which data they have and what they should do with it. But it is also a matter of trust towards clients, GDPR is a framework in which you can say towards your clients “Look we are compliant, you can trust us with your data”.
GDPR was established to unite the laws of different Member States of the European Union, yet GDPR allows Member States to fill in some of the gaps of GDPR, isn’t this contradictory?
GDPR indeed created a “playing field” for Member States of the European Union, but the gaps they can fill in on a national level are rather limited. The biggest part that will be filled in on a national level is the controlling entity, the new Data Protection Authority (DPA). This could be problematic because this again will lead to fragmentation towards the goal of having uniform data protection legislation.
Recently in Datanews there was an interview with Willem Debeuckelaere (Belgian Federal Privacy Commission) that the privacy commission will not be ready on the GDPR deadline, what will be the consequences of this?
Yes this is correct, Willem did say the privacy commission is not ready. I think it’s odd that the chairman of the federal privacy commission said this because his only duty is to make sure the federal privacy commission is ready for the GDPR deadline on the 25th of May. In my opinion that wasn’t a really smart statement. The privacy commission should push forward, should do more to help companies get compliant, to inform civilians of their newly gained rights and freedoms. This is, in my opinion, the core exercise for the new Data Protection Authority we created.
One of the new aspects of GDPR is the Data Protection Officer; in Spain they need to be certified, can we expect something similar in Belgium?
The DPO certification is not mandatory under GDPR. We also don’t have the people or resources to oversee this, however this creates a market for universities and colleges which started their own DPO education programs. This is great as I love an open market, but it’s also important to have a link with these institutes to ensure the quality of these programs.
GDPR offers a lot of new rights to data subjects, will there be a campaign to the public to create awareness for this?
GDPR indeed opens up a lot of new rights and freedoms towards data subjects. We already worked alongside organisations like VOKA and UNIZO (business federations). Every week the subject of GDPR and data protection makes it into newspapers or magazines. The privacy commission is also working on a roadmap for companies on what they need to do. The sector federation Agoria even developed their own tool. So to conclude I think that on all levels we tried to make clear towards the business what needs to happen.
Is a controller required to keep track, as proof, when for example a user wants to use his “right to be forgotten”?
If a data subject calls upon his “right to be forgotten”, you indeed need to be able to show that the rights of the data subject are properly executed. In fact, when the DPA performs an audit, this will be one of the controls. This of course does not mean you need to log the specific details. The evidence that will be required is to show that you have proper, working procedures in place for responding to the requests of data subjects.
In case there is profiling without legal effects on the data subject (for example movie preferences), is explicit consent required?
Yes, profiling, this is something for which people should always give their explicit consent. In fact a while ago I had a big discussion with the telecom companies Telenet and Proximus. As you might know they perform excessive profiling on the viewing behaviour of their clients. I made it very clear to them that for all new clients they will need to ask explicit consent, this is because under the GDPR everyone benefits from the highest level of privacy and data protection, meaning they have a choice whether they want to be subject to profiling to receive movie or advertisement suggestions. This is and remains a consumer choice and is something I stand for.
The new E-privacy legislation was delayed to a later date, what will the impact be on the execution of GDPR in the period that the old E-privacy directive will still be in use?
The E-privacy legislation indeed is linked with GDPR but as such it won’t have a direct impact. This is because GDPR is a stand-alone legislation which indeed is in effect as of the 25th of May. Companies will need to be compliant with GDPR as of that deadline, but there are still discussions about the E-privacy legislation, meaning this will be in effect at a later date. It would indeed have been more pleasant if they were in effect together on the 25th of May, but I don’t expect there will be an impact.
According to GDPR, the processing of personal data with a high risk should be reported to the Data Protection Authority. The business can do a Data Protection Impact Assessment to calculate the risk of processing, but what are the standards of the DPA in Belgium?
There were some discussions about this lately as well, also within the Working Party 29, to define what is a high risk and what isn’t. I think the Data Protection Authority should provide standards as quickly as possible on how to handle data which is considered as a high risk. But I can guarantee that companies like hospitals are already putting in a great effort to achieve this.
My research for my bachelor thesis is called “What is the impact of GDPR on the IT processes of an international business?”.
The first step will obviously be to make sure that the company is compliant in the country where its headquarters is located. The next step is to roll out the changes related to GDPR towards the entire organisation. This will in turn require training of the employees on how they should handle, manage and store personal data. Also when we are talking about data transfers outside the European Economic Area, the company will need to make sure they have a legal ground and contract. This is to make sure the game rules of GDPR are followed, not only in a formal and legal way but that they are also implemented practically and operationally. Everything will also need to be logged in the register for audit purposes, to prove compliance and the measures taken to protect personal data.
A lot of businesses say that GDPR is an enormous cost to be compliant with the new regulation, what is your opinion on this statement?
GDPR indeed is a compliance cost. But I like to see it more as an opportunity for companies to gain a clear view on the data they possess, to better protect their environments and the personal data within it. This will lead to higher consumer trust, and thanks to GDPR I believe a compliant company will find it easier to gain new clients but also to provide them with a better service.