Dutch companies not ready for GDPR despite approaching deadline
Organisations in the Netherlands are racing towards General Data Protection Regulation compliance, but there is still much to be done
Companies in the Netherlands are only partly ready for the country’s version of the EU’s General Data Protection Regulation (GDPR) after specific regulations for the Netherlands were released by a privacy watchdog.
Like most EU countries, the Netherlands will see the GDPR come into effect towards the end of May this year. This will happen in the form of the Algemene Verordening Gegevensbescherming or AVG, as it is better known.
Although the GDPR rules have been known for some time now, the precise way the law will be implemented in the Netherlands has been largely an unknown quantity until recently.
In a European context, what happens in the Netherlands is of interest to many because the country is home to the headquarters of many tech giants that often rely on customer data. The likes of Uber, Facebook and Apple have set up shop in the Netherlands partly because of its liberal tax laws.
Uber recently came under fire after a massive data leak was discovered and subsequently covered up. Its European headquarters are in Amsterdam, so the Netherlands will lead a taskforce of privacy watchdogs in Belgium, Germany, France, Italy and Spain to investigate the breach.
Compliance with the AVG is supposed to make Europe’s privacy guidelines easier to implement, which should help multinational companies have consistent policies across countries. At least, that’s the theory. In practice, many multinationals struggle with such implementations and even run into more problems than the guidelines can solve.
That concerns the EU’s decision to have uniform policies across countries, and that those countries should implement further legislation on top of the GDPR. That means companies doing business abroad often have to comply with multiple laws.
Align privacy policies
For large multinationals such as Heineken, this might be a problem rather than a solution. “Now we not only have to align our privacy policies across 27 different countries, but also check if those individual countries are calling for additional regulation,” said Heineken’s privacy officer, Anna den Hartog. “We try to leave such local regulation to local lawyers, but it can still be difficult to make sure we comply with all the international rules.”
Under the GDPR, companies can be fined up to €20m or 4% of their annual revenue if they fail to comply. In the Netherlands, the national privacy watchdog, AP (Autoriteit Persoonsgegevens), is tasked with fining violators.
But the AP has not escaped criticism. Aleid Wolfsen became chairman of the Dutch Data Protection Authority in 2016. A career politician with little or no background in privacy, he promised that “this watchdog will finally get its teeth”, hinting at steep fines for companies that break the law. But to date, only a few fines have been handed out, none of them major.
Now the AVG implementation could provide the AP with the perfect opportunity to start handing out fines, although some critics say it should have done so before.
Data breach protocols
The Netherlands has had fairly strict privacy laws for years. Since January 2016, companies in the country have been compelled to report data breaches to the privacy watchdog. That obligation will come on top of the AVG when it is implemented in May. Privacy watchdog AP will also have more comprehensive authority to fine companies after that date. But critics are sceptical whether the AVG will result in more fines, because AP has had the power to impose penalties for more than two years.
Many specifics about the AVG implementation have been shrouded in uncertainty for a long time. It was, for instance, unclear which agencies would be responsible for certain tasks.
Then recently, minister of justice and security Sander Dekker issued the Implementation Law AVG, a document outlining tasks and responsibilities for the privacy watchdog and other (semi) government bodies.
Much of the new regulation is the same as the Netherlands’ current, strict laws to protect consumer privacy. New is the obligatory data portability clause, which enables civilians and consumers to request government bodies and companies to reveal what data is collected on them in an “open, standard format”.
Although the AVG reveals few surprises, experts see one problem in the e-privacy regulation that is supposed to take effect simultaneously with the new law. E-privacy regulates the protection of digital communication for consumers, which differs from the AVG, which is applied more broadly to data collection.
The problem is, which organisation will be responsible for overseeing e-privacy in the Netherlands? The European Parliament and the European Union would want that task performed by the same authority that oversees the AVG implementation, which in the Netherlands would be the AP. But at the moment, the ACM (Autoriteit Consument & Markt) is already mandated to do just that.
In an explanatory memorandum, Dekker said there is an overlap in duties for these bodies, but that it is basically “up to them to handle this from case to case”.
The AP will receive a mandate to work with other watchdogs, such as the Dutch National Bank and the AFM.
Not quite ready
Many experts have tried to quantify whether companies in the Netherlands are ready for the AVG to come into force. About a year ago, PwC’s Privacy governance report reviewed 350 companies in the country and found that only about 12% were adequately prepared for the new law.
A large percentage of companies did not even have adequate rules in place to comply with the Meldplicht Datalekken, the Dutch law that has been in place since January 2016 which compels companies to notify the watchdog when a data breach has taken place.
The situation has not moved on enough in the past year. A report called the National privacy benchmark showed in late November that 80% of companies were still not compliant with the new law.
One positive effect of companies’ poor preparedness is a burgeoning industry of certificate providers, educators and coaches that are more than willing to help organisations transition to AVG compliance. Crash courses for managers in the new privacy policies that every company must have in-house are proving a very good business opportunity.