Interview: GDPR will give Dutch privacy watchdog its teeth

The Netherlands’ privacy watchdog, Autoriteit Persoonsgegevens (AP), has been criticised in the past for its lack of action on data breaches.

Chairman Aleid Wolfsen has often said that the AP will “finally start showing its teeth” and threatened to fine companies that do not comply with the Netherlands’ privacy laws – but this hasn’t happened so far.

The watchdog has had a mandate to fine offenders since January 2016. Since then, companies in the Netherlands have been obliged to report data leaks. The number of reported leaks has exploded in the past year, with 10,000 in 2017 compared with 5,849 in 2016. 

But despite its mandate, the watchdog has yet to impose any penalties. It says it started 635 investigations in 2017, most of which are ongoing. “Under the current obligation to report data leaks, the AP can only hand out fines where data was leaked maliciously,” Wolfsen tells ComputerWeekly. “So far, we haven’t found evidence that that has happened.”

This ought to change when the EU’s General Data Protection Regulation (GDPR) comes into effect on 25 May, says Wolfsen. “Two things will happen – fines will go up, and the bar to hand them out will go down. Under the GDPR, we can fine companies when they don’t take proper precautions to safeguard data, so intent is no longer the deciding factor like it is now.”

Wolfsen does not want to say exactly what will happen after 25 May. Fines are coming, but for who? He cannot say, but speculates that it might be a high-profile cases.

Wolfsen mentions a recent case where saunas were caught filming customers, and it was later discovered that some images ended up on pornographic websites. It is cases like these that Wolfsen hints should be investigated soon – and quickly. 

On the other hand, the watchdog finds it hard to say whether companies in the Netherlands are ready for the GDPR, and expects a final sprint to compliance. “What can you say?” says Wolfsen. “People naturally postpone these kinds of things.”

But that doesn’t mean the AP is sitting on its hands. The watchdog launched a website called hulpbijprivacy.nl, where organisations can use a step-by-step tool to see what to do to comply with the law. “If companies follow that tool, they should be compliant,” says Wolfsen.

Other than that, the AP tries to allow GDPR awareness to trickle down from groups it is in close contact with. “We work together with branch organisations to stay in touch with companies and to educate them on the upcoming regulation,” he says. “Some are more involved in that than others.”

Recent research showed that many small companies in the Netherlands are not ready for the GDPR.

Another important link between the privacy watchdog and the business world are data protection officers (DPOs), who must be appointed by government institutions and companies working with “special personal data”, such as people’s social security numbers or medical data. “We rely heavily on DPOs to update us on how companies handle data protection,” says Wolfsen.

The presence of a DPO in organisations is one of the first things the AP will check when the GDPR comes into effect, he says. “From day one, it’s going to be simple – we will check whether companies have a DPO if they are required to. If they don’t, we’re going to take action.”

Wolfsen declines to say what kind of action that might be. Fines are a possibility, but the AP is known to show leniency in such matters, warning a company rather than fining immediately.