The Netherlands sets an example for how business can move forward despite GDPR challenges. Claudia De Meulemeester reports
The Netherlands has led the way in progressive legislation on a range of issues. When it comes to the implementation of GDPR (General Data Protection Regulation), which aims to transform and protect the use of personal data within the European Union, the Dutch seem once again a step ahead of their counterparts.
GDPR becomes enforceable on 25 May 2018, and companies that do not comply can be fined up to €20m or 4% of their global turnover.
In the Netherlands a similar system has been in place since 1 January 2016: companies that suffer a data leak are required by law to report it to the government or face a fine of up to €820,000. None of those fines have been publicly disclosed, however.
“The Dutch already implemented a lot of GDPR requirements earlier than the rest of Europe did,” says Darren Wray, author of books on data protection and CEO of tech firm Fifth Step. He also emphasised that most regulators in Europe are proposing a “soft landing”, meaning they will not fine companies if they can demonstrate they are taking the right steps under GDPR.
Sjaak Schouteren, manager cyber risk solutions at Aon in Rotterdam, agrees on that point. “The main risk of GDPR is not the fines, but the reputational damage companies could incur. Society as a whole will start worrying about how companies deal with personal information and how that is being used in terms of privacy.”
Awareness of cyber threats and data protection should presumably have increased among businesses in the past year, but many still seem unprepared for the challenges ahead.
When interviewing for this feature, StrategicRISK reached out to several risk managers at companies based in the Netherlands for a comment. There were some striking replies.
“I don’t even know what GDPR stands for, so I doubt I’m going to be able to help you,” said one risk manager at a sportswear retailer in the Netherlands.
“We don’t keep big client data documents, therefore this is more an IT or HR concern,” said a corporate insurance manager at a multinational infrastructure company.
The fear of high fines is clearly not persuading everyone to take action. James Walker, managing director of JAW Consulting UK, has seen the problem many times before. “GDPR is not an IT project but a business project. It is way bigger than companies might expect.”
On the same track is Leslie Clement, a consultant based in the Netherlands. “Businesses will need years to get used to GDPR, if they will ever get used to it. I think that on 25 May a lot of companies will still have to start the process,” he says.
On top of that, GDPR will also apply to small and medium enterprises and to charities, most of which lack the means to invest heavily in cyber defences.
Right to be forgotten
One of the most discussed – and controversial – aspects of GDPR is the clause that allows consumers to have their data “erased” from a company’s systems, where the law and circumstances allow it. One of the constraints, for example, is that many countries oblige companies to retain consumer data for several years for tax purposes, and that obligation takes precedence over the “right to erasure”.
Doubts remain, however, over whether a person’s data can ever be fully and effectively deleted from the systems in which it is held. The process looks like a looming nightmare for archivists.
“All data systems that were ever created, were never created with the intent to delete information,” comments Clement. “The data is always somewhere to be found. Now it is expected that you are able to erase everything – absolutely everything – about a person. You might think you have done so and then you might not know whether this data is still available on a colleague’s USB or through an old back-up.”
Given these technical constraints, it seems unlikely that companies will ever be able to fully guarantee that the data about an individual has been completely deleted. To what extent, then, should companies be blamed or punished for that?
However, consumers can take some comfort from the “subject access request” provision in GDPR. If consumers are unsure how their data is being used, they can send a request to the relevant company. The company is legally obliged to reply within a month with copies of all the data it holds on them, and the consumer can then ask for that information to be deleted. They could then send a follow-up request to check whether the information has indeed been erased.
To prepare for the new rules, businesses are increasingly looking for professionals with data backgrounds, according to a GDPR source who wants to stay anonymous. “There are way more jobs out there that have data protection aspects in their requirements than before,” says the source.
Adding to this, Darren Wray notes: “Europe has always led the way in data protection. No such thing exists in the US. At the moment, there is nothing in America that assures you ‘I have to keep your data safe by law’.”
Could Brexit change anything for the data of UK consumers in the future? Highly unlikely according to Wray. “You must be GDPR compliant irrespective of Brexit.”
Insurance against penalties for data breaches is one area in which the Dutch market has advanced beyond its European neighbours.
GDPR insurance is being offered as part of the general cyber insurance cover by many major players in the Netherlands, sources confirm. AIG, Chubb, Hiscox and Allianz are all including it within their cyber policies.
“GDPR might become another reason – a good reason – to buy cyber insurance,” stresses Wray.
But what does this mean, exactly? Can companies in the Netherlands buy insurance without having to prove they take GDPR seriously?
“A company based in the Netherlands does not have to give evidence they are actively implementing GDPR in order to buy insurance against it. There is a discussion going on whether this is morally responsible or not,” says Clement.
“As long as you can demonstrate your intentions are okay and you do not commit a mistake on purpose, you are technically insurable,” adds Sjaak Schouteren from Aon.
Of course, insurers might be reluctant to take on what they consider a bad risk, or to pay out in cases of bad practice. The system seems to be based on common sense, according to Wray: “Your insurance cover might not be valid if you haven’t taken appropriate steps. It is like taking out house insurance but not locking your doors or shutting your windows; it’s the same thing.”
So, which industries are more inclined to look for insurance for GDPR-related failures?
“The awareness of management boards is fundamental in this case, less so the actual industry arm,” argues Sjaak Schouteren. “Third party supply chain and administrative liability are decisive factors for companies to comply and consequently insure themselves against any form of cyber risk,” he continues.
You might expect companies that have suffered data leaks before to be first in line, but that is not necessarily the case.
“I think the Equifax case proves firms are not taking cyber insurance and data protection seriously enough,” stresses Wray, referring to a data breach which hit that firm in the summer of 2017. “Their main business is data-driven and due to the nature of consumer credit agencies you and I have no option whether or not our data is provided to companies like Equifax.”
The reputational damage organisations can incur should not be underestimated, urges Clement. “We are moving into data-driven business models. GDPR will become increasingly important under that umbrella,” he says.
Other European viewpoints
Insurance policies covering GDPR penalties are up and running in the Netherlands, but what about the other countries soon to be subject to the European legislation?
Public policy differs from country to country, and so will interpretations of GDPR. Discussions are under way about offering similar insurance options in other EU nations, several sources confirm.
The UK interpretation will likely be closely aligned with that of the Netherlands, according to StrategicRISK sources, and open to flexibility from commercial insurers, many of which are based in the London market. There is no clarity yet on whether fines will be insurable, but reports suggest GDPR insurance is already being sold to clients in the UK within broader cyber risk coverage.
Sources in France and Italy meanwhile are sceptical about GDPR penalty policies, now or in the future. Germany is thought to be considering the possibilities.
Clement concluded: “Even though the Netherlands could be considered as one of the frontrunners, the question remains whether they are doing it the right way.”
As with any newly introduced regulation, it looks like a ticking time bomb in which the first company to be penalised could set the standard for what follows for the others. Who will have the honour?
By Claudia De Meulemeester