GDPR, What's in it for you?

GDPR, What's in it for you?

GDPR, What's in it for you?


The GDPR is the single most important change in the data protection landscape since the 1995 Privacy Directive. It will have a profound impact on the way processing of personal data will be organized and how companies will prioritize the item of data processing on their corporate agenda. Companies involved in the processing of personal data having a connection with the EU will have no choice but to comply and respect the requirements.

Our Stibbe data protection team has been involved with privacy related matters for more than 20 years.

Over the last months, we have published a number of articles about the GDPR. We have combined our articles in one contribution.

In this contribution, and drawing upon our wide experience, we have sought to acquaint you with the key changes brought about by the new Regulation. Rather than seeking to paint an exhaustive picture of the new rules, we have taken a topical approach and have touched upon a series of carefully selected items which in our view are most representative for the changes brought about by the GDPR.

In addition, it should be underlined that the landscape of data protection is a very dynamic one and will always extend beyond a set of rules on a legal document, however impressive that document would be.

For example, the specific content and boundaries of the obligations and requirements will be further shaped by the guidance to be provided by the Article 29 Data Protection Working Party (“WP 29”). This platform, consisting of representatives of the various DPA’s has set forth a plan for the implementation of the GDPR, as part of which it will issue opinions on several priority subjects. Three sets of guidance have already been published, i.e. on data protection officers, on data portability and on the role of the lead supervisory authorities. Other topics that should be addressed in the near future relate to the notion of high risk, data protection impact assessment and certification. Going forward, the role of the WP 29 will be taken over by the EDPB (European Data Protection Board), who will continue to provide guidance and updates.

In addition, there is a broad call for standardization and for development of best practices across different industries. Various provisions of the GDPR reflect such a call and also the guidance provided by the WP 29 calls for standardization and industry best practices. This is for example the case for the new data portability right, the WP 29 advises data controllers to technically implement a standardized approach in relation to application programming interfaces.

Likewise, the DPA’s (Data Protection Authorities) will issue guidance and ensure compliance in a way that aligns the harmonized rules with other national laws, local customs, cultural expectations and sensitivities.

Finally, there is the role of the courts. While it is clear that national courts will have their role to play, it is hard to predict what their impact will be. It is fair to note that up and until now, the role of national courts in sharing data protection law has been limited. The same can obviously not be said about the ECJ (European Court of Justice), which appears to be on a mission to further shape and progress the data protection landscape, especially at times where other European institutions appeared to have difficulty to deliver on the subject. For example, in a series of unprecedented decisions, the ECJ has tackled very complex issues such as the right to be forgotten, the data retention issue, and the EU-US data transfers. At this very moment, applications for the rescission of the “Privacy Shield” have been introduced before the General Court.

All of the above mentioned factors will turn the data protection landscape into a very dynamic one. This means that companies, in seeking to comply with the GDPR, should ensure not only that they stay informed about the further developments and evolutions, but also that the processes, systems and tools they would select to secure compliance are sufficiently flexible so that they can be easily adjusted and refitted to embrace the new developments and evolutions. Our team will be on the look-out and we will report regularly on any important changes in the field.

And what is more, it is not just about complying with the GDPR as of 25 May 2018 and in a “forward looking mode”. The challenge posed is wider as companies today still suffer significant gaps in complying with the Data Protection Directive 95/46/EC and the implementing legislations. These gaps will first need to be filled in before thinking about the next steps to be undertaken for compliance with the GDPR. For example, companies will need to consider if the personal date which they have on record today has been collected and is being processed and retained in accordance with the currently applicable rules. If that is not the case, they may have a considerable historical compliance gap which will continue to undermine their state of compliance going further. It is very difficult to build in a sustainable way if the foundations are not sound.

Companies are well advised to duly consider the relevance of data protection and understand that compliance has become a “must have”. Compliance is in fact not just a matter of law, it is also a matter of ethics. They should be ready to commit to their new obligations, and free up budget and resources. To this end, it is important that they adopt a very structured approach, in view of the limited timing available, and of the fact that this is a broader challenge that crosses all business lines and segments of companies. In view of the foregoing, only a company-wide approach makes sense. Rather than seeing all of this as a nuisance, companies should also see the opportunity in all of this, namely that compliance with data protection rules can be a quality label and a competitive advantage.

For a deeper insight into what can be done in practice, and how Stibbe could guide you along this compliance road, please click here


Related news

03.07.2020 NL law
E-book NOW-2: Second Temporary Emergency Bridging Measure Work Retention

Articles - On 17 March 2020, the Dutch cabinet announced the first emergency package of support measures to alleviate the economic consequences of the corona crisis. This emergency package inter alia comprised the First Temporary Emergency Bridging Measure for the purpose of Work Retention (“NOW-1”) and the Temporary Bridging Measure for Self-Employed Persons (“Tozo-1”).

Read more

29.07.2020 NL law
Over temperaturen ten tijde van corona

Articles - Met haar standpunt ten aanzien van het meten van temperaturen van werknemers, geeft de Autoriteit Persoonsgegevens (AP) verduidelijking over de reikwijdte van haar toezicht. Deze nuancering houdt in dat, als er geen sprake is van verwerking van persoonsgegevens, de AVG niet geldt en de AP dus niet handhavend kan optreden.

Read more

03.07.2020 NL law
E-book NOW-2: Tweede tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid

Articles - Op 17 maart 2020 kondigde het kabinet het eerste noodpakket aan met steunmaatregelen om de economische gevolgen van de coronacrisis te dempen. Onderdeel van dit noodpakket zijn onder andere de Eerste tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid (“NOW-1”) en de Tijdelijke overbruggingsregeling zelfstandige ondernemers (“Tozo-1”).

Read more