GDPR Update

The GDPR has come into force, are we feeling its effects yet?

After years of preparation, the GDPR finally came into force on May 25, 2018. Are we noticing anything about its enforcement yet? Time for an update.

Overflowing inboxes

One thing that cannot have escaped your notice is the billions of emails that were sent to EU citizens in the days, hours, sometimes even minutes, no: seconds before May 25th. “Read our new privacy statement”; “Approve our new privacy statement!”; “Please reconfirm your opt in”. Some of the senders tried the chummy apologetic approach: “Yes, we are also sending you an email about privacy, sorry”. But you could read their fear and insecurity in between the lines. They found a bunch of email addresses in their database and didn’t have a clue if they had a valid opt in, or they were badly advised and sent an email ‘just in case’.

Maybe you were that marketer who, spooked by all the media reports about the GDPR, launched a last minute campaign to explain your new privacy policy to everone in your database. You probably only succeeded in triggering indifference or annoyance in your recipients. According to ICT Recht, a Dutch legal consultancy, you may even have broken the law doing this. That probably wasn’t the intention.

Would it have been sufficient for most organisations to publish their updated privacy policy on their website= Yes, because you don´t need to personally hand your privacy policy to all your customers. It should be easy to understand, and easy to find. That´s all. just make sure people can read it before they hand over their personal data and you will be compliant with the GDPR.

Smart solutions and cunning con artists

In the no mans’s land between the GDPR taking effect and the first legal cases/sanctions many businesses have sprung up offering smart solutions for, for instance, the processing register; processing agreement; risk assessment; cookie consent etcetera. Very convenient if you don’t have the capacity or skills to do this yourself.

The Dutch regulating authority, the Autoriteit Persoonsgegevens, however, also warns against fraudsters trying to sell bogus GDPR certifications or enforce fines. Unfortunately, some organisations will fall for these scams.

What the Autoriteit Persoonsgegevens is doing

About 600 people have filed a complaint with the Autoriteit Persoonsgegevens (AP) sofar. The AP is investigating these, which may take some time. They report a lot of complaints are about the right to have personal data removed. Maybe that aspect of the GDPR was neglected a bit in favour of the attention payed to consent. Many organisations appear to be unable to delete data from their database within reasonable time.

The AP has also concluded that many (semi) public services are not up to scratch with their compliance. It has condemned the Dutch Tax Service for using the social securtiy number as part of the VAT number for small businesses with a sole proprietor.

In June, the AP sent a letter to explain the legal framework for processing data obtained by cameras in digital billboards to the operator. Although it would in theory be possible to get consent for the processing of personal data obtained in this way, the operator elected to disable all cameras in its billboards for the foreseeable future.

Ongoing project

May 25 was only the beginning. In the next few years, tmore facts will emerge about the interpretation of the GDPR from various regulatory bodies. And, of course we are still waiting for the new ePrivacy Regulation.
To be continued …


This website uses functional cookies and trackers to gain insight in visitor behaviour.