What is the expectation gap?

Lawmakers have discovered the beauty of the European General Data Protection Regulation (GDPR). In general, personal data is reliable, confidential and available to a person of concern. If the individual determines that the quality of personal data is inadequate then the GDPR gives the individual a range of tools to hold the controller; the company or institutions, accountable. In parallel, the law requires the data controller to be compliant with legal and contractual obligations so that personal data is demonstrably effectively protected. This legislative complex applies to many laws and regulations; for example, for the application of artificial intelligence, the AI Act. As a result, the GDPR is being used by more and more other legislation to give rights to individuals; data subjects and impose obligations on data controllers; companies and institutions.

European regulators explain legislation in guidelines, see: Guidelines, Recommendations, Best Practices and national supplementary rules. It is notable that regulators are stretching the obligations on data controllers by requiring, for example, effective operation of management, security and compliance measures in place. Companies and institutions can only meet these requirements if they build into their processes (by which business activities are organized) the management, security and compliance measures “by design” creating a situation that business operations are “by default” compliant with legal and contractual data protection obligations; thus effectively protecting personal data.

In its Focus DPA 2020 – 2023, the Dutch Data Protection Authority emphasizes the supervision of the effective protection of personal data. We see a series of fines, especially at government organizations, see fines and other sanctions. From the annual reports of the Dutch Data Protection Authority, it is difficult to distill a clear picture of the status of companies in how they are organized to effectively protect personal data.

When organizing the effective protection of trade secrets, the court expects an inventory of the trade secrets, an overview of the control measures and proof that the measures have worked effectively. The AI Act assumes that a company handles personal data responsibly, does not harm an individual’s interests and is accountable for applying artificial intelligence fairly.

For many organizations, expectations regarding effective protection of (personal) data from legislators, regulators and individuals are higher than the management, security and compliance measures actually in place in (primary) processes. Without the necessary privacy implementation and management that follows expectations, the gap will continue to widen.

Implementation

Based on the organization of the business activities, the signals from employees to organize business processes more effectively and the assessment that employees are prepared to handle the business processes, we draw up an action plan. We discuss the action plan with clear milestones and products with the company management and department management. After an agreement, we implement the plan in collaboration with the employees.

The implementation can relate to various points of attention. In general we can mention:

• Overview and insight create responsibility domain of entities and partnerships;
• Using legal operations with partners (customers, employees and suppliers), in a systematic manner, agreeing coordination and processing agreements and setting up contract management;
• Based on the organization of business activities, inventory and record processing of personal data and trade secrets, document the control measures and collect evidence of effective operation;

• Record incidents resulting from the passing on of management and security measures and promote them to data leaks, documented or otherwise;
• Continuously make employees aware and train them;
• Include control measures aimed at protecting personal data “by design” in the business processes with which the business activities are organised; and
• Targeted and insightful compilation of management reports.

The scope of the steps to be taken is to protect company and personal data and trade secrets. The protection of data is organized in a process and supported by IT resources.

Maintenance

The project leader invests the results of the implementation in the business organization. The department management and employees take over the management and take care of maintenance. The company management periodically enables management and employees to take note of new developments in the field of protecting personal data and trade secrets.