Jacques Mattheij is probably best known for being the operator of ww.com, the pioneering streaming webcam technology, which he sold in 2015. These days Jacques consults several renowned Venture Capital firms in Europe on technical due diligence. On his blog, Jacques is very vocal about the needless scaremongering about the General Data Protection Regulation (GDPR), the new privacy law.

Jacques for one, is glad the EU Commission replaced the DPD, the European Data Privacy Directive, with an actual regulation, fines and all.

The data protection authorities in the Netherlands (Autoriteit Persoonsgegevens) don't seem to be in a particular hurry to audit businesses. Why is that?

Properly researching claims takes time, besides that the goal is not to fine or audit businesses but to help them to become compliant. I would expect those companies that come up frequently to get the bulk of the attention. For most - if not all - minor players this means that they will likely end up on the bottom of the stack, assuming they will end up in the stack in the first place. But a large number of complaints with genuine and grave issues would most likely result in an audit. The fact that we haven't seen any of these is yet more proof that the Dutch AP is understaffed, not that there are no compliance issues.

In 'GDPR Hysteria' you echoed the concern of people saying ‘Becoming compliant with this law will cause my
business to go under’. Have you actually heard this complaint
first-hand?

I've seen lots of people making claims like that in online forums but I have not seen any business that actually went under or that was inconvenienced any more than they would be because of other obligations that businesses have (record keeping, taxes, administrative and HR burdens and so on). For established businesses the cost is a bit higher than for newcomers. The only companies for which the costs were very high were for the big operators, banks, insurance companies, telcos and governments, and in those cases nobody came close to claiming they would go under, though there was some grumbling.

If Twitter can get it right on the first try I see no reason why other companies can't. It's not rocket science.
— Jacques Mattheij

Are there any cases you can rehash of companies throwing the towel in the ring because of the GDPR?

Yes, I've seen a few - very small - companies doing this but in those cases I am pretty sure that it was just a pretext.

For instance streetlend.com, cointouch.com and drone.io claimed they were shutting down because of the GDPR. But actually they are shutting down because bad management, none of these companies / entities are non-viable under the GDPR.

We all have heard of companies shutting down their European business or restricting European visitors from visiting their publications (Los Angeles Times, Chicago Tribune, Instapaper, …). What is your opinion about this?

It's the easy way out. It still doesn't get them off the hook for data collected in the past though, and they are now more or less automatically in violation of the law because there is no way to request review, updating or deletion of your data.

Do you think they will change their minds?

Well, if they don't then someone will come along that eats their lunch.

If the likes of Twitter can get it 'just right' on the first try I see no reason why other companies can't. It's not rocket science.

Screen-Shot-2018-07-25-at-14.54.09

Why do they use the words ‘European citizen’ as if it’s
interchangeable with ‘data subject’?

I think that's a good faith mistake but it underlines nicely how little time they took to prepare or to understand the subject matter as well as the intent of the law. Knee-jerk responses are so much easier.

Could you elaborate on what you expect from the new cookie law?

Not much, actually. The whole thing revolves around enforcement and until the authorities ramp up the ability of the data privacy watchdogs to do their jobs this will forever be a half-hearted exercise.

Thank you for your blog warning for trolls' DSARs. Were you expecting this type of 'just because we can' actions?

Yes, something similar has happened in the past with WOB and other laws that allow trolling. The 'nightmare GDPR letter' was written by a well-meaning lawyer who probably did not realize that he was essentially giving trolls a 'to-do' list to extract maximum suffering under the new law. Fortunately the privacy watchdogs know how to tell a troll from an actual concerned data subject whose rights have been violated.

This besides the fact that the whole thing reeks from being written from the point of view of an individual that doesn't even know for sure whether or not they have a relationship with the addressee, which should be a pretty low bar to cross. There is no identifying information included other than the name of the individual, no account numbers or account IDs, email addresses or other non-ambiguous identifiers.

Now that the deadline has passed, how many companies in your opinion are inclined to stay compliant and to regularly audit themselves?

Big companies, fintech, healthcare, insurance and larger e-commerce entities seem to have taken the new law to heart and in general are doing what they can to make it work. SME's is where the problems are but they are in general too small to make work of until there is an actual problem and by then it is too late.

I did notice a substantial drop in UCE, which started a few weeks before the GDPR became enforceable and which is continuing today.

Will (high profile) warnings and fines trigger waves of self-auditing?

We will have to wait for a number of those fines.

Once Facebook or some other large entity gets slammed with a major fine because of breaking the law there is a good chance that others will take notice and will start to behave accordingly. The pattern I expect is that if and when an industry giant is targeted that that particular industry or branch of technology would see an uptick in compliance efforts.

You do technical due diligence for venture capital firms. Is GDPR compliance something you probe for?

We have ~20 of the foremost Western European VCs as our customers as well as several outside of Europe. In one case in the last year an investment in a company did not go through because of serious violations of the privacy of data-subjects.

Not being compliant and being cavalier with data that isn't yours can have serious consequences for your company, even if all it means is that a funding round does not happen.

Let us know in the comments below who you'd like to see interviewed next, and what questions you'd like to see answered!