Due to the increasing media attention for data leaks and internet fraud, people realize more than ever where their data is stored. The safety of IT systems is also in the spotlight. In the Netherlands, the privacy rules are laid down in the “Algemene Verordening Gegevensbescherming” (AVG). This European law (originally the General Data Protection Regulation (GDPR)) will be formally effective as of May 25, 2018. Julien Spronck, senior manager cybersecurity, and Meryem Sabotic-Deniz, senior manager Audit & Assurance of BDO, advise companies (many of them agri and food companies) on how they can prepare themselves. “Companies didn’t focus on implementing the privacy legislation internally and now there is a lot of catching up to do. That demands action!”
With four weeks to go before the AVG, the advisers notice that some companies are getting nervous. “Companies now know that the AVG is coming, that the rules are fairly strict and that there will be no extension after 25 May,” Meryem says. “The situation can vary a lot per company and the terminology is difficult to understand for many companies. We get a lot of questions about how we can make this regulation practical, so that companies can apply it. That is why we have made a six-step plan to get started. Questions that come up for discussion are: What sensitive information do you have as a company? What are your risks for the organization, etc.”
Quick Scan
“We often start by making a quick scan of our clients, because it makes a difference whether it consists of five or five thousand FTEs and whether the company is active internationally or only in the Netherlands,” Julien continues. “It’s hard to judge how strict the law is going to be in the end; perhaps it will not be as strict as expected. And the question is not how big the fines will be in case of a violation, but whether you as a company can demonstrate that you deal with privacy-sensitive information in a decent manner (privacy policy). Because every organization works with personal data, it affects everyone. A privacy policy does not require you to think of complicated things, but you have to have on paper who you are, what you do and what rights people have. Or you have to explain what you need privacy information for and why you do or do not store it.”
“Management boards are sometimes inclined to delegate matters such as the AVG to the accountant, for example, but that is not the intention and not according to the law,” Meryem warns. “Of course, a director or chairman of the board of directors does not have to find out everything himself. However, he or she ultimately bears the responsibility. There is a management liability attached to the AVG for a good reason.”
Data quality is an issue
In the agri and food sector, data quality in particular is a hot issue. “Because of the tight margins, companies want to realize chain optimization, for which a lot of data is collected through multiple tools. There is a lot of registration in the chain, but the security and knowledge around it are often not so good, so it is important to prevent data leaks,” Meryem continues. “Often these things are in the hands of external system administrators, but that is no excuse. Even if you outsource it, you have the responsibility to ensure that it is in order, and sometimes things such as removing backups for software vendors still require a lot of work.”
“Our clients also have difficulty with the legal aspects: a processor document is seen as a heavy legal document and you have to set it up carefully. That is why we always advise our clients to make clear requirements together, which both parties have to comply with. That is much better than agreeing nothing and ending up in a discussion about who is guilty,” says Julien. He sees the AVG as a good step for privacy. “I am very positive about at least 80% of the legislation; it means that companies in the chain make good agreements about privacy issues and I also see commitment in the chain to tackle this properly. For example, applying for a visa for colleagues who go abroad and making a copy of the passport without permission from the staff member concerned. The AVG now produces documents where the colleague concerned can give his/her consent to use this information.”
“In addition, the AVG is not a set law and strongly depends on the specific characteristics of the organization. You cannot simply copy a template from another company; the AVG forces you to look carefully at your own situation. In my view it is more an obligation to commit than a result obligation. By mapping your own data and privacy policy you can make a risk analysis that is relevant or not relevant to your organization. And the golden rule here is: just use your common sense! If you record the agreements and are transparent about it, which does require a lot of work, then you’re already well on your way!”
More information
BDO will be happy to help you take steps to implement the AVG. Contact Julien Spronck (julien.spronck@bdo.nl) or Meryem Deniz (Meryem.Deniz@bdo.nl) for more information or drop by at our open consultation period.
We have an open consultation period on Wednesdays, from 9:00 to 12:30 at Plus Ultra and from 13:00 to 17:00 at StartHub. An appointment on any other day is possible as well. Just send an e-mail to rachel.dibbets@bdo.nl to make an appointment.
We look forward to meeting you at our office in Plus Ultra Wageningen or StartHub Wageningen.