25 May 2021 marked 3 years that the General Data Protection Regulation (GDPR) has been in force. By now, the GDPR is well-known to entrepreneurs and consumers alike. Most of us encounter it on a daily basis. Whether we have food delivered, are active on social media, or subscribe to a newsletter. In our digital world, you can hardly do anything without dealing with personal data.
This means that entrepreneurs have an important task protecting their customers' personal data. But that is not always easy or intuitive. In honour of the GDPR’s 3-year anniversary, we spoke with deputy chair and board member of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, DPA) Monique Verdier. What impact has the GDPR had on entrepreneurs, what surprised her most in recent years, and what tips does she have. Read on to find out.
GDPR in unexpected places
Verdier starts with a positive observation: "Over the past 3 years, people have really become aware of the GDPR. Everyone knows it exists and that it affects them somehow. Especially since the corona crisis. Entrepreneurs who hardly dealt with personal data before, suddenly had to do so."
Still, implementing the new privacy legislation has proven tricky for many businesses. The GDPR, and with it the task of protecting personal data, can hide in places entrepreneurs do not expect. Verdier: "When the hotel and catering industry suddenly had to keep registration lists, everyone just started doing what they thought was right. The optimal protection of personal data was not the first thing on people’s minds. Suddenly, quite a few things went wrong. For example, a barman really liked a customer and simply called her. After all, he had easy access to her phone number. Of course that's not acceptable. But if you’ve never dealt with such data before, it’s an adjustment."
According to Verdier, making the GDPR understandable to everyone is an important task for the DPA. "Because the DPA has not grown as fast as we expected, we have not been able to provide information on as large a scale as we would have liked. That has our attention now. Large companies or sector associations understand us when we communicate using legal terms. But we cannot expect that from all entrepreneurs. There is a need for information in understandable language. Our SME team can play a role in this, but sector associations are also important partners," explains Verdier. "After all, most people really want to do things right, but don't always know how."
Customer-focused also means: protecting your customers
Although the GDPR can be quite complex, Verdier emphasises that this is not the only reason things go wrong. Even if businesses manage to comply with requirements, they are often not aware of how important it is to protect personal data. "We all take for granted that there are financial auditors to check our books. But we don't have the same attitude towards personal data. Yet it is quite logical, if you think about it. You keep a processing register, so that you track exactly what information you have, and how you use it. Entrepreneurs are often customer-focused, but there is less attention for personal data. The realisation we want people to have, is that the GDPR is not just a requirement to fulfil. In the end, it's about the protection of your customers."
Not a luxury, but a basic right
What surprised Verdier, especially in recent times of crisis, was how privacy was placed at odds with care and security. Because of corona, there was great pressure on institutions and entrepreneurs to act quickly. In the process, data protection was not always carefully considered. Verdier would like to increase the realisation that health and security do not need to exclude privacy. She emphasises: "Privacy is not a luxury, it is a basic right. Physical safety is important, but the same goes for safety on the internet." Privacy threats like credential stuffing and data breaches are steadily increasing, causing large-scale damage. "In 2020, internet fraud and malware cases grew by 30%. This can cause great losses for people."
With a background in healthcare, Verdier also sees how the corona crisis has affected privacy in this sector. "Healthcare institutions have to comply with various laws, which are not always straightforward. In addition, healthcare data is 'special personal data', which means it has to be protected even more carefully. Now, various commercial parties are starting testing companies. If they work without an awareness of this sector and how to treat special data, it can easily go wrong." It is clearly not a question of one or the other: security, care, and privacy must always go hand in hand.
In our digital world, it is tempting to use technological tools that make our lives easier. Entrepreneurship also becomes much simpler and more efficient with the use of various apps and software. Verdier warns: "This usually saves money, but it can also pose great risks. In that way, it brings invisible dangers for both entrepreneurs and customers. Physical safety is easier to keep an eye on than invisible digital threats."
She continues: "It is important to make ethical considerations and handle data with care. Try to put yourself in the shoes of your customers, and consider what your choices mean to them. We recently gave a supermarket a formal warning, because they used facial recognition software. It is understandable that you want to protect your business against fraud, but that does not outweigh the privacy of your customers."
"Another example is the municipality of Enschede. For the purpose of measuring the effects of municipal investments, they wanted to keep track of the number of people in the shopping streets. The municipality did this via wifi-tracking. This is not allowed and was also unnecessary for their purposes. Counting people is allowed, tracking them is not. So, it is important to think carefully about the system you apply. Facial recognition and wifi-tracking are only allowed in very limited cases," Verdier explains.
GDPR tips for entrepreneurs
According to Verdier, it is mainly the ‘right to be forgotten’ that causes problems for entrepreneurs. "Customers can request to inspect their personal data that you have stored. They can also request that you delete this data. Often there is little or no response to such requests from entrepreneurs. But it could be very simple, if you keep your processing register up to date." Verdier also understands that it may be an adjustment for entrepreneurs: "After all, you started your own business so that you would not have to work for others. Legal requirements can then feel like a real nuisance." That is why Verdier advises to not see the GDPR as an obligation, but as a service to the people you are really doing it for: your customers.
Verdier also emphasises that you cannot know everything. It is important to seek help, which is widely available. "Join a sector association, that really pays off. They have step-by-step plans to help you meet the basic requirements. Make a good risk analysis from the start, for example with a Data Protection Impact Assessment (DPIA, in Dutch). Ensure that you integrate privacy into everything you do, so it becomes second nature. We call this privacy by design, but it goes beyond the design of your products, services, and procedures. It starts with your own thought process."
The Dutch DPA: looking ahead
Looking to the future, the Dutch Data Protection Authority has identified 3 themes that will be given focused attention in their work. Verdier briefly explains each point:
- Digital government - "With the government you have no choice. As a citizen, you have to do business with the government. So it's important that government institutions comply with the GDPR."
- Data trade - "Data has value, which is why it is sold. We are working hard to monitor and combat such trade, because it poses high risks for data protection."
- Artificial Intelligence - "This is extremely complicated stuff. There have been wonderful studies, where a slightly alternative, female ICT expert on the other side of the world got an assignment to build an algorithm. That same assignment was given to a conventional white man from the Netherlands. You would expect two similar algorithms, but they were very different. They each revealed their builder’s bias, which could bring the risk of discrimination. So it is important to be careful, and not allow algorithms to discriminate based on special personal data."
The Dutch DPA has already imposed at least 10 hefty fines and will certainly continue its role as monitor and enforcer. However, it is clear that the DPA’s main focus is to support and protect institutions and individuals from serious dangers. "We're really not just here to say: ‘You did that wrong, here's a fine.’ Our job is also to collaborate and see what we can do to help institutions and companies better meet their obligations. Through our efforts, institutions have increasingly started to see us as a partner, rather than a watchdog," Verdier concludes.