Belnet, the Belgian national research network providing high-bandwidth Internet connection and services to Belgian universities, colleges, schools, research centres and government departments, is addressing the General Data Protection Regulation (GDPR). GDPR is a government requirement and comes into play on 25 May 2018 and focuses on the transparency and control of processing personal data. As previously announced, Belnet has taken the necessary measures in order to be compliant with the GDPR regulations and has rolled out several measures simultaneously.
The following precautions are aimed at developing Belnet’s privacy governance and the specific requirements associated with GDPR compliance in the contractual relationships with Belnet’s customers.
Belnet’s privacy governance
In addition to appointing their own Data Protection Officer (DPO) and creating a data register, Belnet is integrating the principles of ‘privacy-by-default’ and ‘privacy-by-design’ right from the start of projects. When starting a project, the project managers at Belnet complete questionnaires which are then submitted to the DPO for advice. In this way, Belnet can ensure the minimisation of data and deploy risk management when processing personal data.
Belnet also include GDPR requirements in specifications for public procurement contracts. It is important that the Company’s suppliers are GDPR-compliant, not only for Belnet’s internal operations, but also for provision of services to its customers.
Processing customers’ personal data
In order to make processing customers’ personal data compliant with the GDPR regulation, Belnet is taking three specific measures by 25 May 2018:
- The general terms and conditions will contain a new appendix. The main purpose of this is to make processing of contact persons’ personal data transparent in accordance with GDPR requirements. This involves, among other things, providing information on the purpose of processing, communication of personal data and how long it is kept.
- In addition, a GDPR record will be established for each specific service that Belnet provides to the customer. This enables viewing the information concerning processing personal data as laid down by the GDPR regulation. When Belnet uses a data processor, this will be clearly stated and if possible, additional information from the data processor will be added. The additional information necessary will also be mentioned for the services that Belnet provides via Géant.
- Lastly, when personal data has been communicated to Belnet directly by the person concerned, that person will be asked for a renewal of the explicit authorisation. This is necessary for compliant purposes for the GDPR regulation’s stricter requirements in regard to explicit consent.