For Qelp I am responsible for Data Security and Privacy. The new GDPR (General Data Protection Regulation) compliance rule is nearing the implementation deadline of May 25, 2018. Let's sum up the changes that this regulation implies and the actions I am currently taking for Qelp. Most of it is already common sense, by the way.
To comply with the legal requirement in the context of the GDPR legislation, I am undertaking the following changes:
- Publish a statement in the public privacy statement on qelp.com that we at Qelp take Privacy into account from the ground up (Privacy by Design & Privacy by Default) in our services and product development;
- Publish an employee-facing privacy notice about how we process employee data, and point out their rights to those concerned;
I am currently writing a concept statement for our legal department for review, before we publish it on qelp.com.
- Have an “Information Processing Officer” or “Data Protection Officer” (DPO) employed (me) and have this person registered as such with the Dutch Data Protection Authority;
And then the Dutch Data Protection Authority (DPA) writes the following about this:
The DPA publishes registrations of DPOs in a register. Please note: this public register will expire on May 25, 2018. Based on the GDPR, responsible parties and processors are then obliged to publish the contact details of their DPO themselves. In short: we will be able to include a publication in the public privacy statement about who is the DPO at Qelp.
- Explain in simple language, exactly and completely, how Qelp processes personal data, and point out their rights to those concerned. This explanation will have to be publicly available (this can also be incorporated in the privacy statement and needs to be in the employee-facing privacy notice);
- Carry out various (internal) registrations, including the nature and form of processing; how are these data secured, for example, and how do we deal with (potential) data leaks;
For the latter, I’ll have to make a public publication on the qelp.com website to indicate how we deal with data leaks. I also started writing a “Compulsory Data Liability Act” (in Dutch: “Wet Meldplicht Datalekken”) on qelp.com in addition to the Disclaimer and the Privacy Statement.
I am working on an overview for the registration of systems and the processing of data. This will still take some time to finish, since there is a lot to cover for this.
- Have substantive agreements with our suppliers, specifically about the way in which personal data is handled and how they are protected;
I am gathering the “generic processor agreement” from all external suppliers. However, for some I have not received anything yet. So for this action point I am actually chasing suppliers to gather and store their processor agreement docs.
- For all our customers we need to make a generic “Qelp processing agreement” (in Dutch: “verwerkersovereenkomst”) available which does justice to the way in which Qelp deals with personal data and the way in which it is secured;
For this I am currently writing a concept agreement for our legal department for review, before we distribute it to our customers by email.