Current state of affairsMany organisations have already made a start with complying with the new rules and putting in place the prerequisites, by finding out what they need to do. To this end, they have attended seminars, read articles or engaged expertise. Many organisations have adopted the recommendations and appointed a DPO (Data Protection Officer).
Not only the business community but also the government has become aware of the steps they need to take. Educational institutions are more aware of what is coming their way and organising internal awareness sessions. They are giving more attention to privacy (for example, by requesting approval for the publication of photos) and have also placed security higher on their agenda.
But many other organisations, such as utilities companies and the Tax and Customs Administration, still have a lot to do. At the Tax and Customs Administration, deficiencies have been found in the compliance with the new law. Work is ongoing and measures have been taken to remedy these deficiencies. Other measures are still in the pipeline. The Tax and Customs Administration has asked for one more year to comply with the rules.
And what about the regulation? The competent regulator, the Dutch Personal Data Authority, struggles with internal turmoil and an exodus of experienced people. It appears to be a toothless watchdog. Tellingly, it has had the authority to act for more than two years but has made virtually no use of it powers. The success of the GDPR depends on the effectiveness of the regulator.
What to doWith the introduction of the GDPR, the EU is leading the way on data privacy. Companies, government bodies and regulatory authorities are working on handling personal data correctly. The necessity of this was clear to everyone. We have undeniably had a difficult start when it comes to the introduction of this law and the role and resources of the regulator.
The old way of thinking and governing is running up against new technology and possibilities. To avoid constantly falling behind, we will need to adopt a different approach.
In the meantime, it’s advisable to do your homework. Organisations are in contact with customers/consumers and should handle customer data with due care. So you should request permission to retain data you have gathered already and/or clean up your customer database (Deletion by default).
You should apply the Privacy by Design frameworks in a clear manner in your current and future IT projects. And you should draw up the necessary data processing agreements and also think preventively about how you can effectively create a customer file (Right to Access).
The GDPR requires more than simply complying with rules. It’s all about complying with the customer’s wishes: more transparency, more clarity and respectful handling of personal data. See it as an opportunity and distinguish yourself!
The introduction of the GDPR has a grace period. An extension of this grace period has been requested, but the GDPR will eventually be enforced!