GDPR (EU 2016/679)
General Data Protection Regulation
Regulation published: 27.04.2016
Enforcement date: 25.05.2018
Attention point: replaces Directive 95/46/EC currently in force
Who, where, what?
• Actors:
  • Data subjects whose personal data is processed
  • Processors and controllers of personal data
  • Supervision authorities

Purpose and scope of GDPR
Strengthening the current personal data protection regulation (EU 95/46), GDPR lays down
rules relating to the protection of natural persons with regard to the processing and free
movement of personal data. It applies to all entities in EU member states processing
personal data by automated means, and to processing which forms part of a filing system.
Application of GDPR will be supervised in Belgium by the Privacy Commission.

Personal Data Processing Principles
• Personal data shall be collected for specified and legitimate purposes only.
• Personal data shall be processed transparently, lawfully (consent required, or
processing necessary for legal compliance or contract performance) and ensuring security,
accuracy, etc.
• The data subject has several rights related to his personal data: the right to receive
information from the controller, the right to be forgotten, the right to data portability, etc.

Controllers'/processors' obligations*
Controllers/processors:
• Shall implement technical and organizational measures to ensure that
  • processing is performed in accordance with the regulation and that only personal data
    necessary for each specific processing purpose are processed
  • an appropriate level of security (encryption, confidentiality, integrity, availability
    and resilience of processing systems) is applied
• Shall maintain a record of processing activities describing the processing
• Shall notify personal data breaches without undue delay to the supervisory authority

Data protection impact assessment and Data Protection Officer (DPO)
Situations defined by the supervision authority in which:
• the controller has to carry out an impact assessment of the intended processing and consult
the supervisory authority prior to processing
• a DPO should be appointed to monitor compliance, advise on impact assessments,
raise awareness, train staff and cooperate with the supervisory authority

Miscellaneous
• Member States, supervisory authorities and the Commission shall encourage the
establishment of data protection certifications and codes of conduct
• Significant increase of fines and penalties for non-compliance (up to 20 M€ or 4% of
worldwide turnover)
• Creation of the European Data Protection Board to ensure consistent application of GDPR
in member states

INITIO’S Offering
Review existing
• Global assessment of GDPR readiness
• Perform data protection impact assessments
Development
• Organize processes with regard to data subjects' requests and rights
• Provide (interim) Data Protection Officers
Coordinate & Support
• Technical consultancy on data security
• Compile records of processing activities

* Data protection by design and by default

GDPR in a nutshell