GDPR, What's in it for you?


The GDPR is the single most important change in the data protection landscape since the 1995 Privacy Directive. It will have a profound impact on the way processing of personal data will be organized and how companies will prioritize the item of data processing on their corporate agenda. Companies involved in the processing of personal data having a connection with the EU will have no choice but to comply and respect the requirements.

Our Stibbe data protection team has been involved with privacy related matters for more than 20 years.

Over the last months, we have published a number of articles about the GDPR. We have combined our articles in one contribution.

In this contribution, and drawing upon our wide experience, we have sought to acquaint you with the key changes brought about by the new Regulation. Rather than seeking to paint an exhaustive picture of the new rules, we have taken a topical approach and have touched upon a series of carefully selected items which in our view are most representative for the changes brought about by the GDPR.

In addition, it should be underlined that the landscape of data protection is a very dynamic one and will always extend beyond a set of rules on a legal document, however impressive that document would be.

For example, the specific content and boundaries of the obligations and requirements will be further shaped by the guidance to be provided by the Article 29 Data Protection Working Party (“WP 29”). This platform, consisting of representatives of the various DPAs, has set forth a plan for the implementation of the GDPR, as part of which it will issue opinions on several priority subjects. Three sets of guidance have already been published, i.e. on data protection officers, on data portability and on the role of the lead supervisory authorities. Other topics that should be addressed in the near future relate to the notion of high risk, data protection impact assessment and certification. Going forward, the role of the WP 29 will be taken over by the EDPB (European Data Protection Board), which will continue to provide guidance and updates.

In addition, there is a broad call for standardization and for development of best practices across different industries. Various provisions of the GDPR reflect such a call, and the guidance provided by the WP 29 also calls for standardization and industry best practices. This is, for example, the case for the new data portability right, where the WP 29 advises data controllers to technically implement a standardized approach in relation to application programming interfaces.

Likewise, the DPAs (Data Protection Authorities) will issue guidance and ensure compliance in a way that aligns the harmonized rules with other national laws, local customs, cultural expectations and sensitivities.

Finally, there is the role of the courts. While it is clear that national courts will have their role to play, it is hard to predict what their impact will be. It is fair to note that up until now, the role of national courts in shaping data protection law has been limited. The same can obviously not be said about the ECJ (European Court of Justice), which appears to be on a mission to further shape and progress the data protection landscape, especially at times where other European institutions appeared to have difficulty delivering on the subject. For example, in a series of unprecedented decisions, the ECJ has tackled very complex issues such as the right to be forgotten, the data retention issue, and the EU-US data transfers. At this very moment, applications for the rescission of the “Privacy Shield” have been introduced before the General Court.

All of the above mentioned factors will turn the data protection landscape into a very dynamic one. This means that companies, in seeking to comply with the GDPR, should ensure not only that they stay informed about the further developments and evolutions, but also that the processes, systems and tools they would select to secure compliance are sufficiently flexible so that they can be easily adjusted and refitted to embrace the new developments and evolutions. Our team will be on the look-out and we will report regularly on any important changes in the field.

And what is more, it is not just about complying with the GDPR as of 25 May 2018 and in a “forward looking mode”. The challenge posed is wider, as companies today still suffer significant gaps in complying with the Data Protection Directive 95/46/EC and the implementing legislations. These gaps will first need to be filled in before thinking about the next steps to be undertaken for compliance with the GDPR. For example, companies will need to consider if the personal data which they have on record today has been collected and is being processed and retained in accordance with the currently applicable rules. If that is not the case, they may have a considerable historical compliance gap which will continue to undermine their state of compliance going forward. It is very difficult to build in a sustainable way if the foundations are not sound.

Companies are well advised to duly consider the relevance of data protection and understand that compliance has become a “must have”. Compliance is in fact not just a matter of law, it is also a matter of ethics. They should be ready to commit to their new obligations, and free up budget and resources. To this end, it is important that they adopt a very structured approach, in view of the limited timing available, and of the fact that this is a broader challenge that crosses all business lines and segments of companies. In view of the foregoing, only a company-wide approach makes sense. Rather than seeing all of this as a nuisance, companies should also see the opportunity in all of this, namely that compliance with data protection rules can be a quality label and a competitive advantage.

For a deeper insight into what can be done in practice, and how Stibbe could guide you along this compliance road, please click here


