A DPO is often required by law. Does this also apply to you?

“If you look at the latest change to the privacy statement on any website, you will see that the last change often dates from early 2018: the moment that the GDPR officially replaced the Dutch Act “Wet bescherming persoonsgegevens” (Personal Data Protection Act). That shows how the GDPR lives in companies,” says Jeroen Bosch van Rosenthal of DPO Consult. “Particularly in terms of a DPO, things are still a bit off.”

Since the introduction of the General Data Protection Regulation (GDPR) in 2018, companies that ‘regularly and systematically’ collect personal data and do so on a large scale must appoint a Data Protection Officer (DPO). “Every company that has a webshop or lets customers log in to a website is collecting personal data. The appointment of a DPO is mandatory if a company does this regularly and on a large scale (it is generally assumed that the data of 5,000 people or more is involved).

Unfortunately, we see that many companies do not appoint a DPO. Therefore they do not comply with laws and regulations, while the fines for not complying with the GDPR can be extremely high,” continues Bosch van Rosenthal. The fine can be as high as 20 million euros or 4 percent of annual turnover. “Incidentally, enforcement is lacking. So there also seems to be little pressure on companies.” Nevertheless, Bosch van Rosenthal emphasises the importance of a DPO.

“If a data breach occurs and you don’t have your affairs in order, it will also cause enormous damage to your reputation, not all insurance companies will pay out, and parties can claim damages because the company simply didn’t comply with the rules. It also seems to me that the management in such a case has its trousers around the proverbial ankles.”

An independent view

But what exactly does a DPO do? “A DPO is an independent person who looks from the outside at how the GDPR is implemented within an organisation. This concerns both IT security and processes within the company and those of third parties. Take, for example, an employee losing a USB stick containing personal data. Was it necessary to put that data on a USB stick and take it home? As a DPO, you make a risk analysis and provide advice and possible actions for improvement,” explains Bosch van Rosenthal. “But a DPO does not carry out the actions himself. That is the task of the company or organisation. Otherwise the butcher would be judging his own meat. And that is exactly what the GDPR is intended to prevent.”

To ensure that a DPO can do his job independently, a number of protections have been included. “You can’t just fire a DPO for doing his job and pointing out shortcomings to management, just as you can’t do the same with a member of the works council or employee participation council.”

Large organisations generally employ a DPO, but for smaller companies it is often difficult and too expensive to free up someone entirely for such a role. DPOs are often hired for this reason. “We provide certified DPOs who periodically assess the state of affairs and provide advice on this. The advice goes to management, but we also talk to other employees to see where things could be improved. But the starting point is always the risk analysis,” says Bosch van Rosenthal.

Trust Guard GDPR report

One of the ways of analysing the risks of websites, in addition to using a DPO, is to use the website security scan from Trust Guard. In addition to a simple free website scan that checks the use and validity of SSL certificates and performs other checks, Trust Guard also supplies in-depth (vulnerability) scans with reports in accordance with many standards, including a GDPR version. With these periodic scans and reports, you can demonstrate that you are doing everything possible to comply with the GDPR.

“We have approached many organisations to ask how they are doing with GDPR compliance. It turns out there is still quite a bit of work to be done for most of them. A DPO is the right person to help you with that. To get the process started, to keep track of it, but also to meet the requirements set by the legislator,” concludes Bosch van Rosenthal.
