The GDPR a year on – in control of your personal data thanks to Data Usage Board


A year has passed since the General Data Protection Regulation (GDPR) went into full effect. So where are we now, what are the most important lessons learned for organisations that process personal data and what smart solutions have become available?

In the past decade, massive amounts of personal data have been collected, stored, processed and redistributed for incredibly wide-ranging reasons. This skyrocketing use of data has led to data spreading like oil slicks within organisations, leading to a serious lack of clarity in what personal data are stored where. As a result, an increase in privacy awareness is greatly needed.

Over the past year, many organisations that process personal data have been actively taking measures in order to comply with all the obligations that the GDPR imposes on them. Data subjects exercising their rights (such as the right of access and the right to erasure) are a now-familiar example of this. In order to properly respond to these requests, it is necessary to know exactly what personal data are processed, why they are processed, and how and where they are stored. Unfortunately, being in control of data use is still the biggest challenge for most organisations.

Insight into new and existing processing operations

Being in control of the use of data means that an organisation has insight into its processing of personal data and records this in a mandatory processing register. In practice, this means that an organisation must also record which data are processed, for which purpose and on which basis, for all existing personal data processing operations. Moreover, measures must be taken to properly secure, store and delete the data, and this has to happen in accordance with the agreed retention period.

Correct use of personal data by the Data Usage Board

In order to record the processing, it is necessary to first test it against privacy legislation and determine on what basis the processing is justified. In view of the vast number of existing processing operations and the increase in the number of new processing operations, more and more organisations are calling on the help of specialised data parties to set up a Data Usage Board (DUB).

A well-organised Data Usage Board assesses processing from various perspectives (privacy, security, data management and co-determination), tests it against the relevant legislation and determines the conditions under which processing is permitted. Existing processing operations can thus be assessed retroactively. If necessary, measures can be determined and taken to adjust the processing or, in extreme cases, to put a stop to it. For new processing, there is one efficiently designed process in which the business and/or data analyst can check the proposed processing against the various disciplines. This makes it immediately clear what is possible with the personal data concerned.

Experience has shown that setting up a Data Usage Board helps address the greatest challenges facing organisations in the context of the GDPR: raising privacy awareness and getting and remaining in control of data use within organisations.


Patrick van den Bos

About us - Patrick van den Bos | Viacryp

Patrick is CIPP/E-certified and has been working as a privacy consultant since 2016, helping organisations to deal responsibly with personal data and become GDPR-compliant. He also advises organisations on technical and organisational measures and the use of privacy-enhancing technologies (PETs).