In seven months, Europe’s data protection rules will undergo their biggest changes in two decades. Since they were created in the 90s, the amount of digital information we create, capture, and store has vastly increased. Simply put, the old regime was no longer fit for purpose and cyber security has become an increasingly important issue for organisations across the EU. In order to protect the rights of individuals in respect of their personal data, a new regulation will replace the Data Protection Directive 95/46/EC: the GDPR. The regulation is not only designed to protect and empower all EU citizens’ data privacy, but also to harmonize data privacy laws across Europe, and to reshape the way organizations across the region approach data privacy.
Although the GDPR will be directly applicable in all Member States, national laws will need to be amended in order to regulate certain aspects of the GDPR. The regulation includes many open concepts and norms that need to be shaped and sharpened in practice. In the Netherlands, necessary legislative changes have already been published in the first draft national laws. If the Dutch Parliament and thereafter the Dutch Senate vote to adopt it, the Implementation Act will come into force. Currently, it is unclear when and in what form the bill will be formally adopted, because it has not been sent to the parliament yet. We will need to be patient; only time will tell.
The enforcement of the GDPR entails advantages as well as disadvantages. The biggest advantage is the potential harmonisation of fragmented regulations. Up to now, businesses have had to take account of the data protection regulations of 28 different member states. Despite several advantages, the GDPR has been criticised as well. The GDPR contains provisions which leave room for multiple interpretations. A different approach by member states, motivated by culture and supervisors’ priorities, is not unthinkable. As a result, the extent to which the GDPR will achieve its harmonisation scheme is uncertain.
There are some differences between the General Data Protection Regulation and the Dutch Data Protection Act (DDPA). The most important differences are mentioned in chapter four of this white paper. By 25 May 2018, the DDPA will entirely or to a great extent be repealed by the Dutch Legislator. The new regulation will have important consequences not only for natural persons but also for businesses. Therefore, it is important for Dutch businesses to be aware of these differences and consequences. Being aware of the fact that the law is changing is the first step in moving towards compliance.
‘How do I become compliant?’ is the question many entrepreneurs ask themselves. The importance of compliance with the GDPR is clear. The maximum fine for failing to comply with the regulation is four percent of the previous year’s annual global turnover, or 20 million euros, whichever is higher. Businesses have to plan an approach, but often they do not know what steps they need to take. For that reason, this white paper contains practical steps to help your business prepare for GDPR compliance. When it comes to preparation, the saying ‘well begun is half done’ is definitely suitable.
If you have questions or comments after reading this article, please feel free to contact mr. Maxim Hodak, attorney-at-law at Law & More via firstname.lastname@example.org or mr. Tom Meevis, attorney-at-law at Law & More via email@example.com or call +31 (0)40-369 06 80.