The GDPR has come into force, are we feeling its effects yet?
After years of preparation, the GDPR finally came into force on May 25, 2018. Are we noticing anything about its enforcement yet? Time for an update.
One thing that cannot have escaped your notice is the billions of emails that were sent to EU citizens in the days, hours, sometimes even minutes, no: seconds before May 25th. “Read our new privacy statement”; “Approve our new privacy statement!”; “Please reconfirm your opt in”. Some of the senders tried the chummy apologetic approach: “Yes, we are also sending you an email about privacy, sorry”. But you could read their fear and insecurity in between the lines. They found a bunch of email addresses in their database and didn’t have a clue if they had a valid opt in, or they were badly advised and sent an email ‘just in case’.
Smart solutions and cunning con artists
In the no mans’s land between the GDPR taking effect and the first legal cases/sanctions many businesses have sprung up offering smart solutions for, for instance, the processing register; processing agreement; risk assessment; cookie consent etcetera. Very convenient if you don’t have the capacity or skills to do this yourself.
The Dutch regulating authority, the Autoriteit Persoonsgegevens, however, also warns against fraudsters trying to sell bogus GDPR certifications or enforce fines. Unfortunately, some organisations will fall for these scams.
What the Autoriteit Persoonsgegevens is doing
About 600 people have filed a complaint with the Autoriteit Persoonsgegevens (AP) sofar. The AP is investigating these, which may take some time. They report a lot of complaints are about the right to have personal data removed. Maybe that aspect of the GDPR was neglected a bit in favour of the attention payed to consent. Many organisations appear to be unable to delete data from their database within reasonable time.
The AP has also concluded that many (semi) public services are not up to scratch with their compliance. It has condemned the Dutch Tax Service for using the social securtiy number as part of the VAT number for small businesses with a sole proprietor.
In June, the AP sent a letter to explain the legal framework for processing data obtained by cameras in digital billboards to the operator. Although it would in theory be possible to get consent for the processing of personal data obtained in this way, the operator elected to disable all cameras in its billboards for the foreseeable future.
May 25 was only the beginning. In the next few years, tmore facts will emerge about the interpretation of the GDPR from various regulatory bodies. And, of course we are still waiting for the new ePrivacy Regulation.
To be continued …