Due to the increasing media attention for data leaks and internet fraud, people realize more than ever where their data is stored. The safety of IT systems is also in the spotlights. In the Netherlands, the privacy rules are laid down in the “Algemene Verordening Gegevensbescherming” (AVG). This European law (originally the General Data Protection Regulation (GDPR)) will be formally effective as of May 25, 2018. Julien Spronck, senior manager cybersecurity, and Meryem Sabotic-Deniz, senior Manager Audit & Assurance of BDO, advise companies (lots of them being agri and food companies) how they can prepare themselves. “Companies didn’t focus on implementing the privacy legislation internally and now there is a lot of catching up to do. That demands action!”
With four weeks to go before the AVG, the advisers notice, some companies are getting nervous. “Companies now know that the AVG is coming, that the rules are fairly strict and that there will be no extension after 25 May,” Meryem says. “The situation can vary a lot per company and the terminology is difficult to understand for many companies. We get a lot of questions about how we can make this regulation practical, so that companies can apply it. That is why we have made a six-step plan to get started. Questions that come up for discussion are: What sensitive information do you have as a company? What are your risks for the organization, etc. ”
“Management boards are sometimes inclined to delegate matters such as the AVG to the accountant, for example, but that is not the intention and not according to the law,” Meryem warns. “Of course, a director or chairman of the board of directors does not have to find out everything himself. However, he or she ultimately bears the responsibility. There is a management liability attached to the AVG for a good reason.”
Data quality is an issue
In the agri and food sector the data quality in particular is a hot issue. “Because of the tight margins, companies want to realize chain optimization, for which a lot of data is collected through multiple tools. There is a lot of registration in the chain, but the security and knowledge around it is often not so good, so it is important to prevent data leaks”, Meryem continues. “Often these things are in the hands of external system administrators, but that is no excuse. Even if you outsource it, you have the responsibility to ensure that it is in order, and sometimes things such as removing backups for software vendors still require a lot of work.”
“Our clients also have difficulty with the legal aspects: a processor document is seen as a heavy legal document and you have to set it up carefully. That’s is why we always advise our clients to make clear requirements together, which both parties have to comply with. That is much better than agreeing nothing and ending up in a discussion who is guilty,” says Julien. He sees the AVG as a good step for privacy. “I am very positive about at least 80% of the legislation, it means that companies in the chain make good agreements about privacy issues and I also see commitment in the chain to tackle this properly. For example, applying for a visa for colleagues who go abroad and making a copy of the passport without permission from the staff member concerned. The AVG now produces documents where the concerned colleague can give his/her consent to use this information.”
BDO will be happy to help you take steps to implement the AVG. Contact Julien Spronck (firstname.lastname@example.org) or Meryem Deniz (Meryem.Deniz@bdo.nl) for more information or drop by at our open consultation period.
We have an open consultation period on Wednesdays, from 9:00 o’clock to 12:30 o’clock at Plus Ultra and from 13:00 o’clock to 17:00 o’clock at StartHub. An appointment on any other day is possible as well. Just send an e-mail to email@example.com to make an appointment.
We look forward to meeting you at our office in Plus Ultra Wageningen or StartHub Wageningen.