General Data Protection Regulation (GDPR) – It is now a reality

As of 25th May GDPR is now a reality. Acubiz looks back at two years of getting ready for this day. The law firm Horten has played an important role as adviser for the preparation of Acubiz’ data processing agreements – a process, which Acubiz’ CEO & Founder Lars de Nully initiated early on.

Partner of Horten law firm, Mads Nygaard Madsen tells that “The approach Lars de Nully has had to the GDPR is highly ideal – to see it as an opportunity rather than a burden.” Already two years ago, the two of them began outlining Acubiz’ data processing agreement, which was early compared to other organisations.

Affecting many areas

“Here at Horten we have tried to start early as well, to create a strong personal data team that can advise our clients about the regulation. The team is among others represented by employees with different competencies within fields of IT law, employment law and laws of marketing. The General Data Protection Regulation affects so many areas, so you need to have certain knowledge – especially as a law firm”, Mads Nygaard Madsen says.

Ups and downs along the way

“The process has not been willingly driven,” Lars de Nully tells, “but when I found out that it was inevitable to prepare Acubiz for the new regulation, I decided to get to work and thought that it must be a competitive advantage to be at the forefront of this process. From a managerial perspective, there have been ups and downs along the way in relation to the experience of the value of all the resources we had to invest in the project. But now, when Acubiz is completely ready, and has been since January and has data-processing agreements with almost all customers – it is very sufficient, “says Lars de Nully.

One standard agreement is not enough

Unfortunately, it is not enough with just one standard data processing agreement – the content of the contract, the negotiations and adjustments varies from customer to customer Mads Nygaard Madsen says:

“On behalf of Acubiz we have now prepared two standard contracts – one for private companies and one for municipalities, which is based on the prepared standard for municipalities. At times we must, together with Acubiz, negotiate with customers and their lawyers if they request other conditions that go beyond the terms of the standard contracts and conditions that are not necessary in order to comply with the General Data Protection Regulation.”

Countries interpret GDPR differently

The international customers do not make it easier, as it has been found that individual EU countries interpret GDPR differently,”, says Vivi Sejrsen, Acubiz GDPR responsible:

“We are currently negotiating with one of our customers, headquartered in Sweden, and we have experienced that the interpretation of the General Data Protection Regulation set is different, as the interpretations of the Danish and Swedish Data Protection Agencies are not quite the same. It generates some specific challenges. Therefore, it is of great interest that we comply with the initiatives of the Nordic Data Protection Agencies to make a common standard,” Vivi Sejrsen explains.

Lars de Nully: “Working on the data processing agreements is an ongoing project – there will always be a need for adjustments and a need for resources working on these adjustments,” he concludes.