As a multinational law firm, Fieldfisher LLP has over 400 lawyers from London to Milan, Paris to Shanghai. Based in the Amsterdam office, Ady van Nieuwenhuizen, IP/IT/Privacy Partner at Fieldfisher, discusses how the GDPR is now dominating business conversations and why technology is aiding compliance now that data privacy laws have tightened.
Ady, thanks for joining us at DocuSign’s GDPR event in Amsterdam recently. What were the conversations like there?
People were wondering what to do and enquiring as to whether the GDPR applies in the Netherlands. They seemed to think May 25 was going to be D-Day, but I advised them not to be too worried as the regulator won’t start enforcing sanctions right away. There will be more guidance provided in the first year of the GDPR taking effect as there are still areas that aren’t clear yet.
It sounds like there are a lot of grey areas in the regulation?
The regulation is quite vague on certain points and there are a lot of open norms. While it is implemented in the Netherlands and is or will be in other EU member states, some of the old open norms of the previous data protection law in the Netherlands will stay the same.
We do not know how things will work out with data portability and the right to be forgotten, for example. The regulator has promised to provide us with more guidance. The Dutch data protection authority just started with some investigations regarding the processing register. For the rest, we have to keep calm and wait.
So, we’re in a ‘cooling off’ period now since May 25th?
Yes, especially in the Netherlands. Our parliament and data protection authorities have not mentioned a timeframe but have said they will provide further guidance and won’t be imposing fines or enforcement right away, although the DPA just started an investigation.
Recent UK Government research showed that two-thirds of UK businesses still hadn’t heard of the GDPR, and three-quarters of those who had, hadn’t done anything about it. Is that what you’re seeing in the Netherlands and, if so, what do you think the implications will be?
I think companies in the Netherlands are in a similar situation. The big companies have been trying to get GDPR-ready for the last two years, but the smaller companies are getting a little bit nervous now. Then there are those who will wait and see if the authorities start imposing fines before seeking advice. The government is advertising that the GDPR has entered into force and making announcements online and on the radio to raise awareness.
How do you see technology playing a role in providing solutions to aid compliance?
Technology and privacy always go together if the technology makes business easier. Things like data mapping, data portability, and forms for data subjects who want to use their rights to request removal or amendment of data are most likely to benefit from third-party solutions.
What advice would you give to our readers who are working through their data privacy practices?
Better to be safe than sorry. Often, people I speak to don’t realise that the impacts of GDPR go beyond just the board level. The compliance efforts have to come from the entire company. Data security is really important. People will think, “It won’t affect me. I’ll never open a file with ransomware or lose my laptop,” but it can happen to anyone. Everyone in your company should know about the GDPR and be helping to keep the business secure.
We always tell clients to be as ready as possible. Your data mapping, data processing agreements, and breach agreements should be prepared. Try to have your security measures ready. Sometimes practices only need fine-tuning. In the event of a data breach, for example, you need to show the data protection authorities that you’ve done everything you could and were compliant, and not willingly infringing the law.
Thanks for your insights, Ady!