GDPR: Dutch companies think they are well on track

Dutch companies think they are reasonably on track with their preparations for the General Data Protection Regulation (GDPR), known in Dutch as the Algemene Verordening Gegevensbescherming (AVG). This is shown by a poll of DDMA members. The legislation, which goes into effect from May next year, has a major impact on companies and their data processing.

International studies often show that companies find it difficult to take concrete steps. Companies in the Netherlands are more positive. A good number think they are well on schedule, according to a DDMA survey among 75 of its members. "We mainly talk and plan," says Matthias de Bruyne, Legal Counsel at the trade association. "But about a third says it is well on track. That more than half has yet to start does not disappoint me. There is still a lot of work to be done, but the subject is on the agenda."

Half are busy with plans

Companies are often bursting with data, data to which new rules will apply from next year. From May next year, the new European data protection law will come into effect. No organization can afford to let data processing, 'the right to be forgotten', data portability and the obligation to report data leaks remain a mystery. With the entry into force of the GDPR, companies are reminded that they must collect and store customer data in a transparent manner. That applies internally, but also to the parties they engage. The importance of the latter was recently underlined when hotel reservation system Sabre leaked the personal and payment details of several large hotel chains.

According to experts, the GDPR is an important subject for companies. The GDPR consists of a large number of changes, described in detail in a Bird & Bird report and summarized in this piece by the DDMA on Emerce.

The Dutch respondents who completed DDMA's survey say that they at least understand what is changing and what consequences this has for their work and company. Slightly more than half call their own knowledge level average; 41 percent say they are well informed. This assessment is reflected in how respondents view their internal status. Almost half (47 percent) say they are busy with plans, and 36 percent say they are on schedule. Some seven percent say they are still lagging behind, and the same number has no plan yet.

When asked about the most important issues, respondents most often mention 'data from old systems (legacy data)'. Actions still on the agenda are preparing a privacy impact assessment for marketing campaigns, updating the privacy policy and meeting the administrative duty.

Internal housekeeping and processes

Although the law already gives consumers the right to access their stored data, two impactful elements are added. The customer can ask which data has been stored and where that data is located. Whether the data is in a CMS, reservation system or customer database, the customer has the right to know how long the data has been held, what information is stored and for what purpose.

Apart from having to offer access, companies are now also obliged to provide 'the right to be forgotten'. In addition, companies must take measures for data portability. If a user of a home rental site wants to move all the information and photos of his holiday home to a competitor, the site must 'help'. Data must be exportable in a machine-readable format.

In addition to internal housekeeping, many processes between partner companies must also be revised. If data is shared with a data processor (which handles the processing), all of the above also applies to that data.

Slightly less drastic are the general duties imposed on companies. Companies that have data as their core business must appoint a Data Protection Officer (DPO) as internal supervisor. There are also slightly stricter requirements for the registration of data leaks: they must all be documented. As far as the DPO is concerned, the advice is to have that person work independently. The DPO should above all be given the space to monitor and influence internal processes and the techniques used.

"Data security is a philosophy, not a box that you have to check off quickly," said William Beckler, the former CTO of LastMinute.com, recently. Of his own industry, the travel world, for example, he said that it is confronted with the new rules at the right time, especially because many companies now have so much data that they are an interesting target for hackers.