Article by FD about GDPR-compliance featuring CIO Platform Nederland finds national audience

In the article (in Dutch) ‘Meerderheid Nederlandse bedrijven voldoet na drie jaar nog niet aan privacywet', the FD pays attention to the problems users of digital products and services encounter in complying with the GDPR. It demonstrates the imbalance in of liability and responsibility between suppliers and users. CIO Platform Nederland therefore calls on the legislator to ensure that software suppliers are only allowed to supply their products to the EU market if they themselves comply with the AVG requirements. On behalf of CIO Platform Nederland, the FD interviewed Ronald Verbeek (director) and Arthur Govaert (chairman).

Amendments
CIO Platform Nederland agrees with the general scope of the article and is convinced that the article illustrates important injustices. However, the printed version of the article was not entirely in line with our input and vision. The FD saw no possibility to publish our requested amendments. Therefore, please find our response below:

Reaction CIOPN
CIO Platform Nederland agrees with the thrust of the FD article "Meerderheid Nederlandse bedrijven voldoet na drie jaar nog niet aan privacywet" (In Dutch) of April 6th. The responsibility for the security and compliance with EU legislation of software and cloud services must be more evenly distributed between user and provider. 
The article states that the CIO’s are making an admission, this is not the case. Research by the Dutch central government shows that frequently used products/services of Microsoft and Google are not AVG compliant in some respects. Our conclusion is that it is virtually impossible for users to comply with the AVG as long as the software and cloud services they use do not comply.

Further on, it is suggested that the actions of care workers of Radboudumc are followed by Microsoft. This is incorrect. Measures were taken before the software was put into use at the UMCs. This did require negotiating power on the part of the central government, which most companies do not have.

Key Issues
According to the CIO Platform Nederland the article, in combination with the amendments, addresses the following key issues:

• When a data leak occurs due to unsafe software, the software supplier should be held accountable for a substantially larger proportion than is currently the case, not the user.
• The European government should ensure that software entering the European market complies with European laws and standards.
• The lack of responsibility and accountability results in that, for example in the case of the General Data Protection Regulation, user organizations run the risks of i.a. fines, not the supplier of the software or Cloud service.    

Parliamentary questions and other media
In the days after the publication, the article generated a lot of attention. The story featured in different media such as BNR nieuwsradio and NPO Radio 1. Furthermore, member of parliament Kathmann (PvdA) submitted six parliamentary questions based on the article. These questions are largely in line with the points made by CIO Platform Nederland, with one important exception. The view attributed to CIO Platform Nederland and its director, namely 'that not the user of software, but the developer should be responsible for implementing AVG requirements' is not ours. As stated above, we believe that responsibility should be shared more fairly, whereby if the defect is in the software, then the developer of that software should be held responsible, not the user.

Lastly, in the near future we will try to give a good follow-up to the attention and results the article generated. We will continue to promote our collective views about GDPR compliance and the inequality in the software and Cloud market.

Read the follow up article on GDPR compliance challenges of April 18th in FD (in Dutch). European Data Protection Supervisor is  researching contracts with Microsoft regarding possible storage of personal data of European Commission staff in the US.

For questions and/or remarks send an email to info@cio-platform.nl.