GDPR: The Data Protection Authority supports companies

Slowly but surely

GDPR is celebrating its third anniversary – enough time to grasp the rules and be fully compliant, or so you’d think. In reality, it’s more a case of growing awareness, and there’s still much to do. “Companies are achieving compliance slowly but surely. We’re also living in an age characterized by massive digital dependence and the emergence of new types of data – a continuous process that raises many questions. And we’re here to answer them,” says Aurélie Waeterinckx, spokesperson for the Data Protection Authority (DPA).

Too few organizations use the code of conduct to demonstrate compliance with GDPR obligations.

Aurélie Waeterinckx, spokesperson for the DPA

Emergence of DPOs

A new profession has emerged in recent times: the data protection officer (DPO). Often external to the organization, the DPO acts as a guide to compliance and is key to moving forward. The first task of the DPO is to carry out an audit of the personal data held by the organization, followed by the implementation of corrective measures, if necessary. According to Waeterinckx, the DPO is the DPA’s partner. “Our common goal is to avoid sanctions through good preparation.”

The code of conduct as a tool

While companies must adapt to the regulations, GDPR is also continually adapting to the digital revolution and the new ways of implementing existing and emerging technologies. Waeterinckx says there are already tools that can be used: “Too few organizations use the code of conductNew window to demonstrate compliance with GDPR obligations. Although it doesn’t guarantee compliance, it’s a very useful tool in assessing it, and we are always here to guide companies.”

The GDPR reflex must become instinctive before a project starts.

Aurélie Waeterinckx, spokesperson for the DPA

Mediation, sanctions, and support

Last year saw a sharp increase in complaints (up 290%) and data-leakage notifications (up 25%). The top three complaints were direct marketing, COVID-19, and data processing by towns and municipalities. “The quickest way to restore your rights is through mediation. There were 89 cases in 2020. As regards fines and sanctions, we issued 83 decisions, resulting in 78 sanctions, including 19 fines. The aim is to drastically reduce these numbers by supporting organizations from the outset,” Waeterinckx says.

The GDPR reflex

But what are the main mistakes companies continue to make today? According to Waeterinckx, marketing without consent and a lack of transparency are the biggest offenders. Users aren’t (or are only vaguely) informed about the processing of their personal data. “We’ve also noted the lack of importance companies give to the DPO’s role. The GDPR reflex must become instinctive before a project starts.”

Prevention is better than cure

Waeterinckx’s hope is that one day companies will be fully compliant. To achieve this, the Data Protection Authority uses as many tools as possible to raise awareness and provide advice. Dealing with around 4,000 enquiries a year, the DPA websiteNew window is the primary source of information, including publication of decisions. “The best way to learn and prepare yourself is by subscribing to our newsletter, where you’ll get quick and relevant updates.”

Through the Boost project, the DPA also provides specific practical support for SMEs. And for DPOs, there is DPO-Connect, where DPOs can collect, filter, organize, and share knowledge with privacy professionals in Belgium.