What is the expectation gap?
The European supervisors continue to issue guidelines in which the obligations under the European General Data Protection Regulation (GDPR) are explained in more detail, see: Guidelines, Recommendations, Best Practices. What is striking in the explanations of the supervisors are the far-reaching management and protection requirements.
In its Focus DPA 2020 – 2023, the Dutch Data Protection Authority emphasizes the supervision of the effective protection of personal data. We see a series of fines, in particular with government organizations, see fines and other sanctions. Incidentally, it is difficult to distil an unequivocal picture from the annual reports of the DPA on how organizations are organized for the effective protection of personal data.
When organizing the effective protection of trade secrets, the court expects an inventory of the trade secrets, an overview of the control measures and proof that the measures have worked effectively.
An expectation gap has arisen when companies and regulators have concretized the statutory GDPR requirements. This also applies to companies and judges when protecting trade secrets.
How can we help you?
Do you have questions about organizing, implementing or expanding your privacy implementation and maintenance? Our service owners would be happy to discuss your needs, case and/or problem.
Over time (for example after three to six years), an assessment of the organization set up for the effective protection of personal data is necessary.
It concerns the following test:
- Does the implementation meet the guidelines of the supervisors;
- Are the personal data actually effectively protected (and where does this show);
- What are the signals from your own organization and those from partners?
- Can the protection of personal data be extended to the protection of personal data and business secrets? and
- What are the value propositions, business plans and realistic action plans for realizing the changes.
We can see such an investigation as a privacy baseline measurement or DPIA. The relevant legislation and the guidelines of the European supervisors form the basis for the baselines. Moreover, it is expressly intended to draw up an accessible business case that not only shows the need for change, but also the value propositions for the company.
We always adapt the training for data protection officer and related training for new legislation and the interpretations of legislation by the regulators. We know the impact of new legislation and interpretations of regulators on the organization of business activities.
If a company sees the interpretations of the legal framework as a duty, we can imagine that “there’s no hope”. It is also possible to view the guidelines of the supervisors from the perspective of business operations. This broader perspective offers opportunities to effectively organize company and personal data, as well as trade secrets, while at the same time keeping liability and cost risks manageable.
The plan of approach for the implementation of the next phase, protecting company and personal data and trade secrets, is based on a business case.
Based on the organization of the business activities, the signals from employees to organize business processes more effectively and the assessment that employees are prepared to handle the business processes, we draw up an action plan. We discuss the action plan with clear milestones and products with the company management and department management. After an agreement, we implement the plan in collaboration with the employees.
The implementation can relate to various points of attention. In general we can mention:
- Overview and insight create responsibility domain of entities and partnerships;
- Using legal operations with partners (customers, employees and suppliers), in a systematic manner, agreeing coordination and processing agreements and setting up contract management;
- Based on the organization of business activities, inventory and record processing of personal data and trade secrets, document the control measures and collect evidence of effective operation;
- Record incidents as a result of the passing on of management and security measures and promote them, whether or not documented, to data leaks;
- Continuously raise awareness and train employees;
- Include control measures aimed at protecting personal data “by design” in the business processes with which the business activities are organised; and
- Targeted and insightful compilation of management reports.
The scope of the steps to be taken is to protect company and personal data and trade secrets. The protection of data is organized in a process and supported by IT resources.
The project leader invests the results of the implementation in the business organization. The department management and employees take over the management and take care of maintenance. The company management periodically enables management and employees to take note of new developments in the field of protecting personal data and trade secrets.
Assessing the organization of data protection every three years often leads to new insights. On the one hand, the observation of an expectation gap and on the other hand, the opportunities to organize business activities more effectively.