Why GDPR does not exclusively concern multinationals

As everyone knows by now, the GDPR legislation will take effect on May 25 this year. From this date forward, the Dutch Data Protection Authority will enforce the law. The difficult part about this topic is that nobody knows exactly what this enforcement will mean for organizations. The expectation is that big multinationals like Facebook, Google and Microsoft will be examined first. Possible legal cases that follow from this will be widely publicized in the media to set an example for the rest.

But what about smaller companies? I see a three-way split in how organizations interpret GDPR enforcement and how they deal with it:

  1. First, there are organizations that understand the seriousness of GDPR, do everything to become compliant before May 25 and work on their policy.
  2. Then, there is the group that understands the seriousness of GDPR, but deliberately chooses to act only when they are likely to be checked in the future.
  3. Finally, there is a group that assumes that GDPR is far too inflated and hyped and thinks no enforcement will take place. Following that reasoning, they do not take any action.

So, what to do? Time will tell.

The Authority for Personal data is looking forward to it

Last year, before the summer, I attended a big data event, where there was a lecture by a female speaker who had been in Brussels herself and had spoken personally with the main person responsible for GDPR enforcement. Her message: they are looking forward to it. The Dutch Data Protection Authority (AP) intends to take a very active approach.

GDPR is already widely covered in the media. You can hardly listen to the radio in the car without hearing a commercial that refers to GDPR enforcement and your rights as a data subject. Much effort is put into communication campaigns to create awareness among people about their role in their online privacy.

Whistleblowing principle

This brings me to the point that GDPR is not only important for multinationals. No, the Dutch Data Protection Authority does not have the manpower, or any desire, to check all organizations for GDPR compliance. However, as an organization you can come into contact with the Dutch Data Protection Authority if it receives (multiple) complaints about GDPR-related issues.

The site of the Dutch Data Protection Authority has a very nice CTA in the header, 'contact us'. Officially, organizations are obliged to state in their privacy statement that data subjects have the right to complain. Ideally, you even refer to the site of the Dutch Data Protection Authority.

I have to say, I have already prepared a list of companies that I would like to briefly ask which personal data they have stored. It is not in my nature to report these parties directly to the AP when I encounter strange things. But I am very curious as to how many people will appeal to their rights and submit complaints, because of the possibility to do so and because a lot of attention is being paid to them.

Should I worry?

No, that's not necessary. Even if you get on the AP's radar and you get a check, the possibility of being fined immediately is very small. And, as said before, it is not even clear whether it will come that far. From my perspective, I recommend becoming GDPR compliant and complying with the set requirements. In any case, I expect that GDPR will not only affect large companies. Better safe than sorry!

Like to know more?

Does your organization encounter questions or problems about GDPR, or do you have a general question? Please let me know! I’ll gladly look it up for you and you might see the answer in one of my future blogs! You can also check our guidelines for GDPR, or read more about the origin of the GDPR legislation.

Published on: February 22, 2018