isn’t just a
It’s the law!’

Kees Droppert

GDPR makes it easier for consumers to stay in control of their data. This can only be a good thing, says BKR board member Kees Droppert. ‘Companies need to do their best to show what they are doing about privacy and data security all the time.’

This European regulation means that people and the companies using their data will be on a more even footing, according to Droppert: ‘This legislation allows citizens to keep ownership of their data more easily, deciding who can use that data, and when. In addition, they can ask companies to remove them from a data system, if they wish.’

Consumers only benefit from having more power. ‘Data aggregation has grown enormously, increasing the risk of theft and misuse,’ says Droppert. ‘GDPR provides much better consumer protection.’

Droppert works as a consultant and is a member of the supervisory board at the BKR credit registration agency. ‘The BKR helps to prevent lending fraud and ensure lenders offer people money in a responsible way,’ he explains. ‘By sharing information, financial service providers and credit registration agencies can help consumers manage and, if necessary, improve their creditworthiness. But these agencies must also be able to explain very clearly what they have done to protect this personal data. It’s a big job.’

Show what you are doing

Now that GDPR is being enforced, organisations must be open and transparent about the way they handle data. ‘For customers, employees, regulators, the controlling authority, you name it,’ says Droppert. ‘You have to demonstrate that you are complying with the spirit and the letter of this law. So, explain what you have done with customer or employee data, and why. You also have to be able to show which privacy issues you are still working on and what is not yet in place. Are you ever 100% safe? No, that’s almost impossible in practice. You can always have a data breach, whatever you do.’

Kees Droppert (58) studied public administration at Leiden University. He has worked in management at companies including Transavia, Aegon and Crédit Agricole. Now he is a consultant and member of the supervisory board at the BKR credit registration agency.

Privacy by design

One of the principles of GDPR is ‘privacy by design’. This means you need to take privacy into account right at the start of designing an information system. You must think about data storage: what do you need, and what can you let go? You also need to build in a function to remove personal data easily later. One practical issue, says Droppert, is that companies rarely design an IT system from scratch, but usually build on what they have. ‘These really aren’t geared up for the requirements of GDPR, and it is expensive and tricky to alter them,’ he says. ‘In any case, you should ensure that you don’t process more personal data than strictly necessary.’

Fines are fine

Firms that fail to comply can get hefty fines. Will this help? ‘I think so,’ says Droppert. ‘Organisations need to realise that this is not a directive, but a law. It must and will be kept.’ Board members have a role to play, he adds: ‘They should ensure that directors can always explain what they have done to protect data and privacy.’