In the Bedrijfsjuristen Monitor 2017, the subject of privacy emerged as the main topic keeping lawyers awake at night. On 25 May 2018, the General Data Protection Regulation (GDPR) will enter into force. Under this regulation, substantial penalties amounting to 4% of a company’s annual worldwide turnover can be imposed. The stricter obligations for the use of personal data, requirements for protecting personal data and the need to report a serious data breach promptly demand greater involvement on the part of directors and General Counsel.
Thomas de Weerd in conversation with Houthoff Alumnus Wiebe de Haan
Since January 2018, Wiebe has been General Counsel, Compliance Officer & Data Protection Officer at MediaMarkt Nederland
Thomas is a partner at Houthoff, specialising in IT, privacy, outsourcing and intellectual property.
Wiebe: “Privacy is a very important subject for us. For me as a lawyer, the relationship with the press and the wider public is just as important as the relationship with the regulator.
It’s a subject you have to manage properly, but also and above all explain clearly. My team works closely with the Communication department, and I regularly drop in at the IT department which is only 10 metres from my office.”
Thomas:“Privacy and information security are hot topics for all our clients, but for B-to-C businesses, incidents involving the security of personal data can potentially be a serious reputational risk. Such an incident can harm consumer confidence. Apart from complying with the new regulations and avoiding penalties, these businesses have a considerable commercial interest in these issues.”
Wiebe: “There is a group of consumers who react strongly to what appears in the media on this subject. I could give as an example the right to be forgotten. For us, that means that we have to give our clients the option of having their details deleted. Clients ask questions about it and social media reinforces that effect, of course. We are fully aware that we must respond to all our clients’ questions quickly and properly, because otherwise we risk discussions arising on Twitter or Facebook. So the commercial departments do see the importance of privacy. Our Net Promotor Score (customer satisfaction score) also depends on how good we are on this point.”
Thomas: “Some organisations are not so obviously involved with consumers, who impose ever higher demands on transparency and integrity, but every organisation will be affected in one way or another by the GDPR. Sometimes, it’s more likely to concern information about employees than about consumers. In all cases, we need to have a clear idea of what personal data is collected by a company and the purposes for which this data is collected.”
Wiebe: “MediaMarkt is active in 14 countries, with around 1,000 stores in total. Much of our local data is processed via the centralised IT infrastructure that is managed from the head office in Ingolstadt. For this reason, overall responsibility for privacy at our head office is brought under a project group with twelve lawyers and a large number of IT specialists. But there’s still plenty to do within the Netherlands. My team has been joined by a Data Protection Officer who supervises the application of and compliance with the privacy rules within MediaMarkt Nederland.”
Thomas: “The GDPR means that all the rules and regulations are treated equally at a European level and the same privacy rules apply to all EU member states. Although our current privacy rules are also based on European regulations, there were some differences between EU member states, but these will now become smaller.
From a Dutch perspective, the implementation of privacy legislation brings with it both benefits and burdens for an international head office. We see a huge variation among our international clients in how responsibilities are delegated between a centralised and local organisation. At any rate, an international head office demands a much more coordinated approach, and that’s something you need to bear in mind when setting up a project.”
Wiebe: “Our total annual turnover is some 22 billion euros and we employ around 65,000 people worldwide. In many countries we are the market leader in consumer electronics. This means that we can’t restructure our system just like that. We work step by step on upgrading our IT, but initially we adapt our existing systems to comply with the stricter requirements.”
Thomas: “Almost all our clients work with a large number of existing applications which need to be adapted in some areas to make them GDPR-compliant. The installed base makes it complex, especially because clients are often dependent on external software suppliers. For new projects we are seeing the Privacy by Design concept gradually being adopted, because data gathering and processing is already taken into account when designing new applications.”
In the article ‘Privacy by Design: u kunt er niet omheen’ for Computablem, Jan Brölmann (Senior Associate, Houthoff) and Jurre Reus (Associate, Houthoff) discuss one novelty of the GDPR: the requirement for a controller to implement technical and organisational measures tot ensure compliance with data protection by design and default, or privacy by design. You can read the article here (in Dutch only).
Wiebe: “I am thankful that our IT department does that. As I’ve already said, they’re not far away. But it is important as a lawyer to have a good understanding of the business. I have to know what business processes use what data.”
Thomas: “In the Bedrijfsjuristen Monitor it was a mixed picture. 20% of company lawyers feel they ought to know more about IT. The others say they count on their IT colleagues.”
Wiebe: “I really enjoy my job with MediaMarkt. I made the move in April 2017 after more than ten years with Houthoff. Initially I worked in a purely commercial role as Head of Financial Services. In January 2018, the Board asked me to take on the role of General Counsel, as several developments have meant that the legal aspect is becoming more important. First, MediaMarkt is developing. We are no longer an ordinary retailer but offer all kinds of services now, both in the form of additional services and in the financial sphere. We are doing very well with our MediaMarkt Club which now has around 1.8 million members. Second, our market is changing. New competitors with new business models are coming on the scene, like Amazon and Coolblue. That also demands my attention as a lawyer. Third, our legal environmental is becoming ever more complex. The GDPR is a good example of that.”
Wiebe: “I don’t know whether the same is true of all law firms, but what always appealed to me most at Houthoff was the speed with which we could respond to new developments. I worked for Berry van Wijk and wanted to do more in the automotive sector in the area of financial services. One conversation with Berry and Walter van Overbeek and it was arranged. Here too in my new role I feel I am an entrepreneur, but it’s an environment where so many things need to be managed and coordinated. We have 49 branches and an online shop which demand my attention, as well as departments such as Finance, Purchasing, Security, IT and so on. In my present role I get twice as many emails as I did as a lawyer. It means that I can only deal with the contents more superficially. I rarely get the chance to work on a legal matter for a few hours without interruption.”