Because of increasing media attention to data leaks and internet fraud, people are becoming more aware of where their data is stored, and the security of IT systems is getting more attention as a result. In the Netherlands, as in the rest of the EU, the rules for privacy are laid down in the General Data Protection Regulation (GDPR). This European regulation becomes enforceable on 25 May 2018. Julien Spronck, senior manager cybersecurity, and Meryem Sabotic-Deniz, senior manager audit & assurance, at BDO, are advising fresh produce and horticultural companies, among others, on how to prepare. “The privacy legislation was halted for a long time, and a considerable catch-up effort is now being made. That requires companies to take action. Making clear agreements will always be better than doing nothing.”
With only six weeks to go before the GDPR becomes enforceable, some companies are starting to get restless, according to the advisers. “Companies now know the GDPR is coming, that the regulations are quite strict, and that there will be no extension after 25 May,” Meryem says. “Because situations can vary rather significantly from company to company and the terminology can be quite difficult to understand, we get many questions on how to make these regulations practical, so that companies can implement them. We’ve created a six-step plan to that end, for customers to use. Questions asked in that plan include: What sensitive information does your company handle? What are the risks for your organisation?”
“We often start by doing a quick scan of our customer. It makes a big difference whether the company consists of five or 5,000 FTEs, and whether the company is active internationally or just in the Netherlands,” Julien continues. “It’s also difficult to assess how well the regulations can be observed. Perhaps things aren’t as bad as they seem, but it’s a fact that these new regulations will be enforced. The question isn’t how high the fines will be when there’s an offence, but how to show you’re handling privacy-sensitive data in a decent manner as a company. Every organisation works with personal information, so it concerns everyone. A privacy policy doesn’t immediately require bombastic measures, but you do need to write down who you are, what you do and which rights people have, or you have to explain why you need personal data, and why you’re storing it, or not.”
“Management sometimes tends to delegate things like the GDPR to an accountant, for instance, but that’s not supposed to happen according to the law,” Meryem warns. “A manager or chair of the board of directors naturally doesn’t have to figure out everything by themselves, but they are the ones with final responsibility. The GDPR doesn’t have directors’ liability for no reason. In practice, we’ve seen projects supervised by management to be much more successful than when just another committee is appointed.”
“In the fresh produce sector, data quality in particular is a hot issue. Due to tight margins, companies want to realise supply chain optimisation. To that end, a lot of data is collected using multiple tools. Much is registered in the supply chain, but the security and knowledge involved are often scant. It’s therefore important to prevent data leaks,” Meryem says. “These things are often in the hands of external system operators, although that’s no excuse, because even when you outsource this, you’re responsible for making sure it’s all secure. Sometimes removing back-ups at software suppliers requires a lot of work and more adjustments than initially thought. However, this shouldn’t be cause for the IT supplier to drag their heels. We’ve seen that many companies still have to work hard in the field of automation in this regard.”
“Customers also experience difficulty with the legal aspects. A processor agreement is considered a legal document, and nothing can change that. We therefore always advise our customers to look their business relations in the eye, so that both parties understand exactly what requirements they have to meet. That’s much better than having no agreements, only to end up in discussions about who’s to blame,” Julien says. He personally thinks the GDPR is a good step for privacy. “I’m positive about at least 80 per cent of the legislation. It means companies in the supply chain will make agreements about privacy matters, and I’ve also seen commitment in the chain to do this well. One practical example is that companies often request visas for colleagues who are going abroad, and a copy of those colleagues’ passports is then made available without asking permission first. Thanks to the GDPR, documents will now be drawn up so that colleagues can give permission to use this data.”
“However, the GDPR isn’t an ironclad law, and much depends on the specific characteristics of the organisation. You can’t just copy a template from another company; the GDPR forces you to properly look at your own situation. In my opinion, it is more an obligation to make an effort than an obligation to show results. By mapping your own data and privacy policy, you can make a risk analysis of what is and isn’t relevant for your company. The golden rule for this is: use your common sense. If you record agreements and are transparent about this, it might be a lot of work, but at least you’d be halfway!”