5th anniversary of the GDPR

On the occasion of the 5th anniversary of the General Data Protection Regulation (GDPR) adopted by the European Union in 2016 and entered into force in all member states on 25 May 2018 - we would like to shed light on this law that deals with the protection of our personal data.

May 25, 2023 marks the fifth anniversary of the implementation of GDPR in all 27 member states of the European Union.

The General Data Protection Regulation, also known as the GDPR (EU Regulation 2016/619 of the European Parliament and of the Council dated 27 April 2016), is a text dealing with the protection of individuals with regard to the processing of personal data and the free movement of such data. This Regulation replaces Directive 95/46/EC adopted in 1995 and becomes a reference for the protection of personal data.

The purpose of the regulation is to strengthen and harmonise data protection for individuals within the EU, increase the protection of persons affected by the processing of personal data, and make the actors processing this data responsible. These principles can be implemented through increased powers of supervisory authorities.

In January 2012, the European Commission proposed a comprehensive reform of data protection rules in the EU. This reform included updating and modernising the principles set out in the 1995 EU Data Protection Directive through this General Data Protection Regulation, as well as the drafting of a new Directive on the protection of personal data within the framework of law enforcement and judicial activities ("Justice-Police Directive").

The European Parliament amended and adopted the regulation on 12 March 2014. It was then negotiated between the delegations of the European Commission, the European Parliament and the Council of the European Union, and the negotiations concluded on 15 December 2015. The draft regulation was voted on by the Committee on Civil Rights, Justice and Internal Affairs (LIBE) on 17 December 2015. The European Regulation was published in the Official Journal of the European Union on 4 May 2016 and entered into force on the twentieth day after its publication. The provisions became directly applicable in all 27 EU member states from 25 May 2018.

The GDPR was partly a continuation, partly a modernisation, and partly a tightening of the privacy regulations that existed, but the new level of sanctions led to increased awareness of compliance with the regulations.

GDPR means that personal data must be processed for a purpose, only information that is necessary must be collected, they must be updated, they must not be stored longer than necessary and they must be secured with technical and organizational measures.

The registered person has, among other things, the right to access their personal data, the right to correct and delete information, as well as object to processing.

In fact, after 5 years of GDPR, businesses have had to take a more active approach to privacy. They must adapt the organization, policies and procedures to protect privacy from collection until the data is no longer processed.

There is a lot to familiarize yourself with, especially for small and medium-sized companies, and many experience the requirements of standardised regulations as both difficult to implement and comply, but it does not have to be. Here are three recommendations:

1. Get an overview of all personal data processed in the business and collect these in a processing protocol. Create processes to ensure that the management protocol is updated continuously.
2. Always carry out risk assessments when personal data is processed. Consider both the rights and freedoms of data subjects, as well as technical and organisational measures to protect personal data. Conduct DPIA where necessary. Create processes for implementation.
3. Ensure good training of all employees in the company, adapted to their roles and responsibilities. Protecting your privacy is a shared responsibility!

Data protection is a complicated field, and it is challenging for all businesses to have such specialist expertise in-house. Orange Cyberdefense can be connected to identify how your business complies with GDPR, uncover weaknesses and ensure that this is taken care of from A to Z. The team usually starts by conducting a maturity assessment, which shows how mature the business is within privacy, across people, processes and systems. From there, they prepare a strategic roadmap in consultation with the customer, which will help them in their work on regulatory compliance and improving privacy maturity. The program is always adapted to the customer's needs. For example, we adapt employee training. Both to different industries and businesses, but also to different roles and departments within an organization.

Irresponsible handling of personal data can have far-reaching consequences, both for the individuals affected – and for your business. At Orange Cyberdefense, we can help you take action. If you would like to talk to us to see how your business best safeguards GDPR from a legal, organizational and technical perspective, you are welcome to contact us.

Contact our compliance expert Jan De Bondt