Tips to make your organisation GDPR-proof before this regulation comes into force: Part 1

Below is an overview of the absolute "must dos" to be in line with the GDPR. Does this guarantee you are 100% compliant? No, this overview is too short for that, but it does help you avoid overlooking a number of obvious things.

Tip 1: Draw up a record of processing activities!

This is without a doubt the highest priority. Regardless of whether you are a data controller or a data processor, you need to draw up this record/register. The register replaces the previous system of processing declarations filed with the Data Protection Authority (DPA). The GDPR exempts organisations with fewer than 250 employees only if their processing is occasional, unlikely to pose a risk to data subjects and does not involve special categories of data or criminal data (Article 30(5)); since almost every organisation processes employee or customer data on a regular basis, assume the obligation applies to you.

The record of processing activities must give an overview of all personal data processed in your organisation, covering both internal processing (e.g. employees' personal data used to pay their salaries) and external processing (e.g. personal data used to send mail to a customer base).

What do you need to record in this register? The essentials, such as: the purpose of the processing, the categories of personal data processed and of data subjects concerned, the retention period for the data, the legal ground for the processing, the processor(s) involved, whether the data are shared with third parties or transferred outside the EU and, where possible, a general description of the security measures that protect the data (Article 30(1)).

How do you start on it?

You must have this register in place by 25 May 2018 in any case, and you must keep it up to date. If your organisation has appointed a DPO, he or she can make sure the register is updated regularly. Use a model (see below) that fits your organisation and divide the work across the departments. Collect the relevant information about the processing within the company and record it correctly in the register.

The Belgian Privacy Commission has made available a model of a record of processing activities on its website. DNS Belgium will use this model form for its record of processing activities. Columns that are not relevant can be left blank or simply omitted.

Do not aim for perfection on day one. It is better to have a limited register covering the principal processing activities in order by 25 May than a long list of processing operations with crucial information still missing. The register is a "living document" that must be updated regularly.

Tip 2: Create awareness among your employees!

An organisation's personal data protection policy will fail if the people who handle that data lack a minimum level of awareness of how to handle it.

The GDPR is not only a matter for management and the legal department. "Data protection by design and by default" (Article 25) obliges the IT department to keep the processing of personal data to the minimum necessary and to build appropriate protective measures into the design and construction of applications.

What can you do about this?

You will find enough articles on the Internet about the GDPR that explain the different aspects in an understandable way. Try to gather relevant information and put this on the company's internal network, incorporate it in presentations, maybe organise a workshop and draw up easily understandable procedures.

Make sure the text of the GDPR is easily available in the languages relevant for the company. Ideally, a simplified summary or presentation of this lengthy regulation is produced as well.

The different language versions of the GDPR are available on the EUR Lex site. Another interesting site about the GDPR is:  

Tip 3: Get permission of the data subjects!

Processing a data subject's personal data always requires a legal ground. Consent is one of the six grounds listed in Article 6 GDPR, but not the only one: as we saw in a previous article, processing is also allowed without consent if, for example, it is necessary for the performance of a contract. So you do not have to ask the data subject's consent to process the data needed to invoice the services he or she buys.

However, many processing operations are based on the (assumed) consent of the data subject. This is the case for all electronic mailings, for instance (to the customer base, suppliers, newsletters, etc.).

Example: an electronic new year's card.

An example of how an innocent and friendly practice can unintentionally get you into trouble. Many companies send their customers, suppliers and contacts an e-card with Christmas and New Year's wishes, based on a list of e-mail addresses compiled by the company's employees.

What is the legal ground for this processing operation? Did the data subjects ever give you their explicit consent? Is it necessary to perform a contract? Is there a legitimate interest or a legal obligation? Most probably the answer to all of these questions is no. It is therefore best to send everyone on your e-card list a message asking them to confirm that they want to receive e-cards from you in the future.

What to do?

Check which mailings your company sends. If these mailings are addressed to private individuals, you will have to take action. Until now, the data subject's consent was often obtained implicitly. Under the GDPR this is no longer sufficient: consent must be freely given, specific, informed and unambiguous, and must be expressed by a clear affirmative act (Article 4(11)). Pre-ticked boxes, silence or inactivity do not count as consent.

Consent must also be demonstrable: under Article 7(1) the controller has to be able to prove that the data subject consented. That is one more reason to send the recipients of your mailings a message asking them to confirm their subscription, and to keep a record of when, how and to what they confirmed.
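The confirmation message described above is usually implemented as a "double opt-in": the address on your list is not used until its owner clicks a link, and the click is recorded as evidence. The following is an added example, not code from the original article or from DNS Belgium, of how such a flow can be built so that the resulting consent record is specific (it names the purpose and the version of the privacy statement shown), tamper-proof (the link carries an HMAC) and demonstrable (each confirmation and withdrawal is logged with a timestamp and source address). The secret key, the 48-hour validity window, the e-mail addresses and the IP addresses are all constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Hypothetical server-side secret: in production load it from a secret store.
SECRET = b"replace-me-with-32-random-bytes-from-a-secret-store"
TOKEN_TTL = timedelta(hours=48)  # assumed validity window of a confirmation link

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_confirmation_token(email, purpose, policy_version, issued_at):
    """Token for the confirmation link. The payload states exactly what is being
    consented to (purpose, privacy statement version), so the resulting consent
    is specific and informed; the HMAC stops anyone forging or altering it."""
    payload = json.dumps({"email": email, "purpose": purpose, "policy": policy_version,
                          "iat": issued_at.isoformat()}, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_confirmation_token(token, now):
    """Return the payload if signature and validity window check out, else None."""
    try:
        enc_payload, enc_sig = token.split(".", 1)
        payload, sig = _unb64(enc_payload), _unb64(enc_sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    issued_at = datetime.fromisoformat(data["iat"])
    if now < issued_at or now - issued_at > TOKEN_TTL:
        return None
    return data

class ConsentRegister:
    """Append-only evidence of confirmed and withdrawn consents (Article 7(1))."""

    def __init__(self):
        self._records = []
        self._used_signatures = set()  # each confirmation link works only once

    def record_confirmation(self, token, now, source_ip):
        data = verify_confirmation_token(token, now)
        if data is None:
            return False
        sig = token.rsplit(".", 1)[-1]
        if sig in self._used_signatures:  # replayed link
            return False
        self._used_signatures.add(sig)
        self._records.append({
            "email": data["email"], "purpose": data["purpose"],
            "policy_version": data["policy"],
            "requested_at": data["iat"],      # when the confirmation mail went out
            "confirmed_at": now.isoformat(),  # when the link was clicked
            "source_ip": source_ip, "withdrawn_at": None})
        return True

    def withdraw(self, email, purpose, now):
        """Withdrawing must be as easy as consenting (Article 7(3))."""
        for rec in self._records:
            if (rec["email"], rec["purpose"], rec["withdrawn_at"]) == (email, purpose, None):
                rec["withdrawn_at"] = now.isoformat()

    def has_consent(self, email, purpose):
        return any(r["email"] == email and r["purpose"] == purpose
                   and r["withdrawn_at"] is None for r in self._records)

    def evidence(self, email, purpose):
        """What you hand over when asked to demonstrate that consent was given."""
        return [dict(r) for r in self._records
                if r["email"] == email and r["purpose"] == purpose]

def run_scenario():
    """Constructed sample run of the flow; returns the outcome of each step."""
    t0 = datetime(2018, 4, 1, 9, 0, tzinfo=timezone.utc)
    reg, email, purpose = ConsentRegister(), "alice@example.org", "new-year-ecard"
    token = make_confirmation_token(email, purpose, "privacy-statement-v1", t0)
    out = {"before": reg.has_consent(email, purpose)}  # an address on a list is not consent
    out["confirmed"] = reg.record_confirmation(token, t0 + timedelta(hours=3), "203.0.113.7")
    out["after"] = reg.has_consent(email, purpose)
    out["replay"] = reg.record_confirmation(token, t0 + timedelta(hours=4), "203.0.113.7")
    other = make_confirmation_token(email, "newsletter", "privacy-statement-v1", t0)
    forged = other.split(".")[0] + "." + token.split(".")[1]  # payload swapped under old signature
    out["forged"] = reg.record_confirmation(forged, t0 + timedelta(hours=5), "203.0.113.7")
    stale = make_confirmation_token("bob@example.org", purpose, "privacy-statement-v1", t0)
    out["expired"] = reg.record_confirmation(stale, t0 + timedelta(days=3), "203.0.113.8")
    reg.withdraw(email, purpose, t0 + timedelta(days=30))
    out["after_withdrawal"] = reg.has_consent(email, purpose)
    out["evidence_entries"] = len(reg.evidence(email, purpose))
    return out
```

Calling `run_scenario()` walks through the cases a practitioner should check: an unconfirmed address yields no consent, a valid click is recorded, the same link cannot be replayed, a token whose payload was swapped is rejected because the HMAC no longer matches, a link older than the validity window is refused, and a withdrawal ends the consent while the evidence entry is kept. Note that the register only stores what was confirmed; the mailing itself must then be sent exclusively to addresses for which `has_consent` returns true for that purpose.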

Tip 4: Work on a privacy statement and policy!

A number of requirements recur throughout the text of the GDPR: transparent, concise, easily accessible, in clear and plain language, etc. (Article 12).

Your company's privacy policy must correspond with this. Often, rules concerning the protection of personal data are "buried" in barely understandable legal texts such as general terms and conditions.

It remains necessary to incorporate the essential matters into your general terms and conditions, contracts with suppliers and other related documents. In addition, you must produce an easily understandable, plain-language version of your privacy policy. This so-called privacy statement is best posted on your website in an easily accessible place.

What should you include in a privacy statement?

  • Identity and contact details of the data controller (as a registrar of DNS Belgium you will have to name both us and your own company, and explain who does what with the data).
  • If applicable, the contact details of your DPO.
  • The purposes for which the personal data are processed, together with the legal ground for each processing (e.g. consent, or performance of a contract).
  • Where applicable, the recipients of the data, and whether the data will be transferred to non-EU countries.
  • How long the data will be kept.
  • A reference to the data subjects' rights (access, rectification, erasure, restriction, portability, objection and withdrawal of consent) and to their right to lodge a complaint with the supervisory authority.

An example of a privacy statement is available on our website.

The last step is the hardest: make sure your company actually does what its privacy statement says. Notify all employees of the privacy statement and the underlying policy so that they act accordingly.

Tip 5: Check whether you need to appoint a Data Protection Officer (DPO) or not!

Certain categories of controllers and processors are obliged to appoint a Data Protection Officer. In short, this is a person, either an internal employee or an external consultant, who monitors compliance with the GDPR obligations and supports your company in all matters relating to the protection of personal data.

When is the appointment of a DPO necessary?

The majority of companies will not need a DPO. The appointment is mandatory (Article 37) for public authorities and bodies, for organisations whose core activities consist of large-scale processing of special categories of personal data (ethnic origin, political opinions, religious beliefs, sexual orientation, health data, etc.) or of data relating to criminal convictions and offences, and for organisations whose core activities require regular and systematic monitoring of data subjects on a large scale. The last criterion is particularly unclear, but large-scale monitoring of data subjects is the key element.

At first glance you will therefore probably not fall into one of these categories, but be aware that Member State law can go further than the regulation and require a DPO in additional cases (Article 37(4)).

Next month the second part with the last 5 tips to prepare your organisation will be released.

Registrar: the entity that registers a domain name for a company, organisation or person. Besides the "resale" of web addresses, registrars can also offer hosting services, web design, etc.

DNS: Domain Name System or Domain Name Server. The global DNS is the system and protocol used on the internet to translate domain names into IP addresses and vice versa.