Following a series of guidance published by fellow national DPAs, the Belgian Privacy Commission launched a 13 step GDPR-readiness roadmap to help companies processing personal data to start preparing themselves.

The Privacy Commission will also create a GDPR-themed section on its website where data controllers and processor can consult additional guidelines, instruments and frequently asked questions.

The 13 steps forming the roadmap for ensuring GDPR compliance by 25 May 2018 are:

1. Raising awareness

Inform key figures and policymakers on upcoming changes. They will have to assess the impact of the GDPR for the organisation.

2. Data mapping

Document which personal data you manage, where it comes from and with whom it has been shared. Map your data processing activities. You may potentially have to organize an information audit.

3. Communication

Evaluate your existing privacy policy and plan necessary changes in view of the GDPR.

4. Rights of the data subject

Verify whether the current procedures within your organisation provide all the rights granted by the GDPR to the data subject. Check how personal data can be erased or how personal data will be communicated electronically.

5. Access requests

Update your existing access procedures and think about how you will process future access requests under the new GDPR terms.

6. Legal basis for processing personal data

Document the various types of data processing by your organisation and identify the legal basis for each of them.

7. Consent

Evaluate your way of requesting, obtaining and registering consent. Modify where necessary.

8. Minors

Develop systems to verify the age of the individual concerned and request parental or custodial consent when processing personal data of minors.

9. Data breaches

Foresee adequate procedures to detect, report and investigate personal data breaches.

10. Privacy by design and privacy impact assessment

Get acquainted with terms such as “privacy by design” and “privacy impact assessment” and verify how you can implement these concepts in your organisation’s day to day operations.

11. Data protection officer

If necessary, appoint a data protection officer or someone responsible for ensuring compliance with data protection laws. Evaluate how this person will function within the management of your organisation.

12. International

Determine who is your supervisory data protection authority if your organisation is active in multiple jurisdictions.

13. Existing contracts

Evaluate your existing contracts – mainly with processors and subcontractors – and adopt the necessary changes in a timely manner.