“If you look on any website for the last change to the privacy statement, you will see that the last change often dates from early 2018; the moment the GDPR officially replaced the Personal Data Protection Act (PDPA). That does indicate how alive the GDPR is with companies,” said Jeroen Bosch van Rosenthal of DPO Consult. “Particularly in the area of a DPO, there are still some gaps.”
Since the introduction of the General Data Protection Regulation (GDPR) in 2018, companies that ‘regularly and systematically’ collect personal data and do so on a large scale must appoint a Data Protection Officer (DPO). “Every company that has a webshop or lets customers log in to a website is collecting personal data. The appointment of a DPO is mandatory if a company does this regularly and on a large scale (it is generally assumed that the data of 5,000 people or more is involved).
Unfortunately, we see that many companies do not appoint a DPO. Therefore they do not comply with laws and regulations while the fines for not complying with the GDPR can be extremely high,” continues Bosch van Rosenthal. The fine can be as high as 20 million euros or 4 percent of annual turnover. “Incidentally, enforcement is lacking. So there also seems to be little pressure on companies.” Nevertheless, Bosch van Rosenthal emphasises the importance of a DPO.
“If a data breach occurs and you don’t have your affairs in order, it will also cause you enormous damage to your reputation, not all insurance companies will pay out and parties can claim damages because the company simply didn’t comply with the rules. It also seems to me that the management in such a case has its trousers on the proverbial ankles.”
An independent view
But what exactly does a DPO do? “A DPO is an independent person who looks from the outside at how the GDPR is implemented within an organization. This involves IT security as well as processes within the company and those of third parties. Take, for example, personal data put on a USB stick that an employee loses. Was it necessary to put that data on a USB stick and take it home? As a DPO, you make a risk analysis and provide advice and possible improvement actions,” Bosch van Rosenthal explained. “But a DPO does not implement the actions himself. That is the job of the company or organization. Otherwise, the butcher would be judging his own meat.
And that is exactly what the GDPR is designed to prevent.” To ensure that a DPO can do his job independently, a number of protections are included. “You can’t just fire a DPO for doing his job and pointing out deficiencies to management, just as you can’t do the same to a member of the works council (OR) or employee participation council (MR).”
Large organizations generally employ a DPO, but for smaller companies it is often difficult and too expensive to fully free up someone for such a position. DPOs are often hired for this reason. “We provide certified DPOs who periodically review how things are going and make recommendations accordingly. The advice goes to management, but we also talk to other employees to see where things could possibly be improved. But the starting point is always the risk analysis,” Bosch van Rosenthal says.
Trust Guard GDPR report
One way to analyze website risks, in addition to deploying a DPO, is to use Trust Guard’s website security scan. Alongside a simple free website scan that checks the use and validity of SSL certificates and performs other checks, Trust Guard also provides in-depth vulnerability scans with reporting aligned to many standards, including a GDPR version. With this periodic scan and reporting, you can demonstrate, as far as website security is concerned, that you are doing everything possible to comply with the GDPR.
“We have approached many organizations asking how they are doing with GDPR compliance. It turns out there is still quite a bit of work to do for most. A DPO is the right person to help you with that: to set the process in motion, to keep track of it, but also to meet the requirements set by the legislator,” concludes Bosch van Rosenthal.
Related links
– In collaboration with DPO Consult (www.dpoconsult.nl)