This document provides an overview of the General Data Protection Regulation (GDPR) and steps for small and medium-sized businesses to maximize compliance. It begins with the history of data protection regulations in Europe from post-World War II to the finalization of the GDPR in 2016. The rest of the document outlines the content and principles of the GDPR, data subject rights and controller responsibilities, international data transfers, remedies for non-compliance, and administration of the regulation. It also provides recommendations for businesses to understand how the GDPR impacts them, document their data processing activities, ensure security and privacy, and seek guidance on following the regulation's requirements.

1. Hans Demeyer
Supplier of Optimism & Inspiration
On GDPR
The General Data Protection Regulation
and how to maximize compliancy

2. • Post-world war II
• 1950 - European Declaration of Rights
• 1992 – Belgian law on personal privacy
• 1995 – European Privacy directives
• 2000-2010 – Telecommunications law, e-
commerce, additional Local directives, CLAs
• May 2016 – General Data Protection Regulation
• Grace period
• May 2018 – binding law
history

3. 11
12
20
78
42
3
GDPR - content
General and principles
Data Subject rights
Controller responsibilities
Sending data outside the EU
Remedies
Administration
Security

6. Hans Demeyer
Supplier of Optimism & Inspiration
• Linkedin.com/in/hansdemeyer
• Hans@thedataprotectionoffice.eu

7. April 2015

8. “your aproach is disruptive and far better
then what the average SME delivers. Don’t
let that value get lost.”
“Finally a pragmatic and clear session on
GDPR. Thank you.”
“inspiring and ready to put into action”
“no fear, just optimism and concrete
action outlines”

10. B2B, B2C, Staff

11. What data?
Personal data (Active opt-in*)
- Name : Sophie D
- Address : street, N°,city, country
- Mail address : Sophie@Hotmail.com
- Photo
- Biometric info: fingerprints, face reco, …
- Ip-address, Mac-Address
- IQ info
- Profiling info
- Online behaviour
- Location data
- Aliases (twitter, FB, …)
- Combinations leading to potential
identification of a natural person
Sensitive data (Explicit consent)
- Sexual preferences
- Medical info
- Union choice
- Political, religious prefs
- Memberships
- National ID number
*Unless < 16
Company data, info@,
sales@, … are not GDPR
sensitive

12. Understanding the
impact

13. Data subjects
Controllers & Processors
The GDPR journey

14. Your
organisation
destination
Your mission
Your value prop

15. Value
proposition
ActivitiesPartners Customers
Cost Revenue
Resources
CRM
Channel
Marketing &
Sales
entry processing exit

16. Your
organisation
Your mission
Your value prop
marketing
destination

17. GDPR rights for citizens
How are you
processing my
data?
What personal
data do you
have?
Please correct
or add
incomplete
data
Please remove
my data
Please stop
using my data
for marketing
Opt me out for
1 specific part
of the
processing
Can I get a
copy of my
data?
I object to a
presumed
automated
decision
What do you
need my data
for?
How long do
you keep my
data
Where do you
store my
personal data?
Your
organisation

18. Privacy declaration

19. Cookies & trackers
• 1st party
• 3rd party

20. Only what is needed

21. Digital & Analogue

22. Your
organisation
Your mission
Your value prop
marketing
destination

23. Data processing – 6 grounds
1 CONSENT
• Communicated
upfront
• Clear
• Fragmented
• Recorded
• Procedure
• Motivated
• Relevant
2 CONTRACT
• All processing and
data transfert
required to fullfil
the agreement
• No additional
consent required
3 LAW
• All processing and
data transfert
required by law
• No additional
consent required
4 HEALTH
• All processing and
data transfert to
assure the health
of an individual or
group
• No additional
consent required
5 COMMON
INTEREST
• All processing and
data transfert to
assure the
common interest,
security, .. Of a
group
• No additional
consent required
6 LEGITIMATE CAUSE
• All processing and
data transfert
pondered and
motivated that
serves the
interests of the
subject and the
controller without
conflicts
When processing personal data, always
check if 1 of the 6 answers aside is
applicable

24. https://privacycommission.be/(nl-fr)

25. functionele omschrijving verwerking gebruikte gegevens en betrokkenen verwerker gegevensuitwisseling technologie risico & beveiligingsmaatregelen rechten betrokkenen status opmerking
identificatieen informatieover de verwerking
nummer, functionele omschrijving, finaliteit,
verwerkingsgrond, type verwerking en
functionelebeschrijving
details over de gegevens die verwerkt worden
en de betrokkenen van wie gegevens verwerkt
worden
functionelecategorie, gevoeligecategorie
gegevensverwerking, categoriebetrokken,
classificatieniveau, bewaartermijn, authentieke
bron
identificatievan de verwerker (extern aan
organisatie) die betrokken is bij de verwerking
naam, nr gegevensverwerkingscontract
informatieover eventuele gegevensuitwisseling
met derde partijen
categorie(ën)gegevens,categorie(ën)
ontvangers, derde land/internationale
organisatie, documenten passende waarborgen
beschrijving van de gebruikte technologie,
applicaties, software bij de verwerking
informatie over het risico en de
beveiligingsmaatregelen van de
gegevensverwerking
risico, beschrijving
beveiligingsmaatregelen, documentatie
beveiligingsmaatregelen, GEB (DPIA)
verwijzing naar de documenten die de
procedures ter respectering van de rechten van
de betrokkenen bepalen
informatieover de status van de verwerking: startdatum,
einddatum en plaatsvervangendeverwerking
noteer eventuele opmerkingen/aandachtspunten mbt de
verwerkingsactiviteit
Process
Purpose (why)
Data processed (what)
Retention (how long)
Data processor (who)
Legal ground
What technology is used?
What is the risk?
What rights could be exercised?
Status
Remarks
Be accountable – document your processes
News letter sharing
Send updates via newsletter
Name, mail address
till opt-out by customer
Marketing dpt
Consent (legitimate interest ?)
Mail chimp
low
Correct, get, opt-out, forget
Checking software & process
Ready for May 25

26. Job Applications & Staff
Existing
CLA’s
(61,81,82,89,…)
Check your
HR Agency
Add GDPR
‘NDA’ to
contract

27. GDPR processor
agreements

28. Your
organisation
Madrid
Your mission
Your value prop
marketing
What about security?

29. unlikely low medium high certain
Probability of leaks
negligableminimalsignificanthighcritical
Impactofleaks
• Respect for private and
family life, home and
communications
• Physical and mental
integrity
• Liberty and security
• Freedom of thought
• Data protection
• Freedom to work and
choose an occupation
« Risk assessment »
Incidents must be reported within 72hrs

30. On premise
Outside (! Outside Europe)
Fixed Mobile
Security = where, what, who, when, how?
List
- devices
- software
- apps
- other?
As you see
them inside the
company and
outside the
company both
fixed and
mobile

31. On premise
Outside
Fixed Mobile
prints
cupboard
Who?
How?
What?

32. High impact
Low impact
Easy Complex
Next move

33. citizen Mediator
Reconcile
complaint
YES
NO
chamber
Inspection
warn
fine
classify
appeal
court
complaint
GDPR - escalation

34. Your
organisation Madrid
Your mission
Your value prop
marketing
Steps toward GDPR compliancy for self-employed and Small & Medium size businesses

35. Thank you
http://Thedataprotectionoffice.eu
hans@thedataprotectionoffice.eu
Lees onze
welkomstbrochure
The Data Protection Office
Mosseveldstraat 34 a
9290 Overmere
+32 496 16 33 01
GDPR begeleiding voor
Zelfstandigen en KMO’s
Reserveer uw
begeleiding hier
The Data Protection Office is een handelsmerk van
CT-Interactive bvba – BE0462541827