The General Data Protection Regulation (Dutch: AVG – Algemene Verordening Gegevensbescherming) comes into force on 25 May 2018. And while Dutch companies must already deal with many privacy and security-promoting rules, both national and European, a glance at what’s coming is enough to make clear that these are set to become significantly stricter. Organisations really do need to start getting ready now.
The rapidly approaching deadline is a cause of anxiety for more and more companies. They are unsure of the scope of the law, the steps they need to take and the impact the law will have on their daily work. The session looked at these three issues with presentations by privacy consultant Alexander Singewald, Valtech legal consultant Marieke van Dijk and Valtech digital marketer Dennis Nieuwstad.
First, Alexander Singewald made clear the impact the new legislation would have as he sped through the forest of new rules and obligations. In particular, he pointed out that the stricter definition of personal data would increase the impact of the regulations compared with the situation today. In the future, even data that enables indirect identification will fall under the new law.
In addition, the EU is also introducing accountability. This means that organisations must be able to show all the steps they have taken to safeguard personal information. This includes an obligation to provide clients with comprehensive information about how their data will be used. The number of worried-looking faces in the auditorium increased sharply as Singewald showed a series of slides outlining the kind of information that will fall under this obligation to inform.
GDPR as an action plan
Next up, legal consultant Marieke van Dijk cut a swathe through the regulations. Van Dijk, who earned her spurs in data processing in the health care sector, suggested the new law should be seen as an opportunity and an action plan, with separate rules as handy tools. The logical place to start, she said, was for organisations to make an inventory of the measures they had already taken to protect their sensitive data.
Another point she made was the need to recognise that human failure is by far the biggest risk factor, and that for this reason alone, no organisation can totally rule out data risks. Van Dijk therefore considers creating awareness among employees central to good data protection. As long as you can mobilise employees and procedures quickly in the event of a data breach, and your organisation is set up to learn from mistakes, you should have little to fear from the Dutch Data Protection Authority.
Concrete touch points
The new law opens up interesting opportunities for other organisations, too. After all, why jump through hoops gathering data online, when you can simply profile existing customers when they make a purchase or sign a service contract? According to Nieuwstad, however, there is a more fundamental consideration: do you, as an organisation, just want to comply with the new legislation to avoid sky-high fines, or do you approach this as an opportunity to distinguish yourself through your customer orientation?
Like Marieke van Dijk, Nieuwstad believes that organisations should see the new legislation not as a restriction but as a chance: an opportunity to place the interests and needs of the customer even more emphatically at the centre of their organisations. After all, the digital economy demands significant trust from the consumer, a trust that has been undermined too often in recent years. It’s up to the organisations involved to restore that trust.