“In the Netherlands and across the world, businesses and institutions increasingly depend on data for their business operations. However, this data-driven approach also involves taking account of ever stricter privacy regulations that can often be seen as a burden. Despite this, it’s worth taking the time to get to grips with the upcoming European privacy regulation. Not only as a way of avoiding hefty fines and damage to your reputation, but above all because it can enhance the long-term value of your data and your organisation, thereby increasing your opportunities for innovation,” says Elisabeth Thole, partner and head of the Privacy Team at law firm Van Doorne.
“Privacy compliance has never been the sexiest of subjects. It’s not like a new toy that you can immediately use to attract more customers,” says Thole. “Most companies are now aware that they need to address the privacy issue, but generally feel overwhelmed by all the rules. It’s far from the top of their list of priorities. There is still a lot of ambiguity and the benefits are not obvious at first glance. For example, compliance does not mean that you will suddenly start selling more products. Worse still, many people are careless in the way they handle their own data, which raises the question of who it is that really needs privacy protection in the first place.” Nevertheless, it makes good sense to create awareness of long-term privacy compliance because, according to Thole, it will be worth it in the end.
Preparing for the GDPR
In preparing for the new privacy rules in the General Data Protection Regulation (GDPR), organisations face quite a challenge. “The transition to the GDPR should certainly not be underestimated,” says Thole. “There are already numerous privacy rules in place and there will be more to come. You can compare it to a three-stage rocket: more obligations for businesses and organisations that work with personal data, more rights for the individuals involved and more focus on enforcement.”
Recent research has shown that many organisations have so far done little to comply with the GDPR. “In my practice, I have noticed that major multinationals in particular are well on track, but even in these large companies, there is still a lot of missionary work to be done.” Thole finds it remarkable that most companies and institutions often do not ask for advice about privacy until they are implementing a new CRM system or have just had a data leak. “They prefer to push the bigger picture of the GDPR further down the road. The question is therefore whether they will actually be ready on time and be able to reap the benefits of a long-term data-driven approach.”
A long-term approach to personal data
The consequences of non-compliance with the GDPR are plain to see. Failure to comply with the key obligations can result in fines of up to €20 million or 4% of worldwide annual turnover. Thole: “You might describe these fines as scary, but they are actually quite similar to the warnings on cigarette packets. We are all aware that we need to change, but still continue on the same path. The question is whether hefty fines will actually encourage organisations to change their behaviour.”
Thole believes that the fear of reputational damage may be more of an incentive for organisations to comply with the GDPR. “Audits conducted by the supervisory authorities are generally made public. Of course, that attracts negative attention. It would be even better if organisations started to realise that if they do not collect the data in the right way, they will no longer be permitted to use it. If your business operations depend on data, that leaves you with a big problem.”
The intricacies of privacy regulation call for the right specialist approach. Thole: “In our Privacy Team, we can work with clients to identify the approach that is the best match for their organisation. In this, it is relevant to determine clearly in advance what the client aims to achieve. The structure of our team means that we can be deployed across the various different sectors. Thanks to our experience, we can guide organisations pragmatically towards the finishing line, as well as ensuring they continue to comply with the GDPR after that. This is the only way of being sure that you take advantage of all your opportunities for innovation in the long term.”
This interview was previously published on Mijnzakengids.nl.