5 years of GDPR: no more privacy panic (but we're not there yet)
25 May 2018 was an important deadline for many institutions. From then on, the General Data Protection Regulation (GDPR) was enforced. By now, the dust has settled. What has happened in the past five years and what challenges still await our industry?
At lightning speed
Although the Netherlands had the Personal Data Protection Act (Wbp) as a predecessor, the transition to the GDPR had a major impact. "Can group photos of students still be shared? And how do you communicate study results without violating a student's privacy?" SURF received many panicky questions.
Under time pressure for implementation, efforts to develop and fill the processing register, awareness meetings and training sessions were fast-tracked. In the initial period, processes such as reporting a data breach or conducting a Data Protection Impact Assessment (DPIA) had not yet crystallised. The privacy officer and data protection officer (FG, from the Dutch "Functionaris Gegevensbescherming") were often called upon because employees did not yet know what a processor agreement was, or when and by whom it should be drawn up and signed.
Being visible in the organisation is therefore important for privacy professionals: "The research projects that processed personal data came to me. That took a lot of time and energy, but if they were helped properly the first time, they could do it themselves later. It is important that you have a face as a privacy supporter and people know how to find you," says Joan Schrijvers, corporate privacy officer and lawyer at Wageningen University.
The main barriers
The legislation for privacy was not new: the old law had the same requirements, only it was less well known. Moreover, a number of educational institutions perceived the GDPR as a law designed to curb the big tech giants such as Facebook and TikTok. Convincing the board of the importance of the regulation was therefore a difficult process at many institutions. At institutions where there was budget and capacity, privacy has become much more of a part of the organisation. By involving privacy in projects and processes from the beginning, you change the way staff, teachers and researchers think about data collection.
It is difficult to get a grip on digital data. Digitalisation is accelerating, so the volume of personal data, other data and systems keeps growing. Moreover, suppliers are used more frequently, and those suppliers in turn use vendors of their own. Processing data is therefore rapidly becoming more complex and consequently more difficult to describe and account for. And if you have no visibility into processes, systems and processing, it is impossible to be transparent about them.
Educational and research institutions traditionally have a culture in which researchers and lecturers enjoy great freedom to practise their profession. This academic freedom is a great thing, but it also means that employees are not used to describing processes from a compliance perspective.
The positioning and role of the privacy officer and FG are interpreted very differently from one institution to another. When the governance and positioning of privacy professionals are not in order, they cannot fulfil their role properly.
Proud of support for privacy
Much has been achieved in the past five years. Society, and thus also boards and employees of institutions, is now aware of the importance of privacy. Niels Huijbregts, FG at SURF: "Under the Wbp, privacy was an academic discussion topic for enthusiasts. Now it is a very important topic among large groups of people. You hear it come up in private conversations as well."
Eric van Hoof, privacy officer at Leiden University, is proud that his university has created awareness of the importance of privacy. "The processing register has been seriously addressed by releasing money for it. With us, the FG is really an independent position that can monitor and give advice."
"In the beginning, I put a lot of energy into things that should not lie with the privacy officer," adds René Zaal. He is data protection officer at Nova College. "Reviewing a processing agreement, preparing a processing register, an awareness campaign, handling data breaches all by yourself. Now these activities are part of the organisation: I take note of a data breach, check if action is taken, but other people follow the process we have set up."
Actually, as the education and research sector, we are very well equipped to do the right thing, thinks Artan Jacquet, former data protection officer at Utrecht University. "We know very well how to handle data in a general sense. We are very creative - that is core business for scientists. And we are socially oriented organisations that like to do things right. That includes protecting fundamental rights. Good handling of personal data fits into that."
Ownership and chores
So a lot is already going well, but there are also things that take more time than expected. "It seems we have a clearer ownership on fire extinguishers than on the data in our systems," says Nova College's René Zaal. "While the chances of being hacked are many times higher than a fire. Teachers and staff are less aware of their responsibility for the data they collect and process. The thinking is often: the system belongs to the IT department, so they own the data."
Esther van der Ent, corporate privacy officer at HAN, adds: "We have done so much in a short period of time. There is every chance and opportunity for this within this institution. People want to do it right and are willing to cooperate, but lack of knowledge of the subject sometimes leads to resistance and lack of understanding. These are at odds with each other and sometimes result in some discussion and wrong prioritisation."
The bureaucratic side of privacy runs slower, also notes Niels Huijbregts of SURF. "People dislike documenting and recording. It is by no means the most important part of the GDPR, but to be demonstrably in control you have to show where you have written something down. That takes a lot of effort and people perceive it as a chore."
So we are far from there yet. For instance, the search for good tooling for the processing register and handling GDPR requests is still on, says Bart van den Heuvel, CISO and former FG at Maastricht University. "But also 'privacy-by-design' is not yet well within our minds. For example, when switching to cloud services, this is still not put into practice enough."
Several institutions now have a small but powerful privacy team and a form of privacy network in the organisation with the help of data stewards or privacy coordinators. Yet lack of capacity is also cited as a stumbling block. There are institutions where only one person is responsible for all privacy tasks. Also, the positioning of the FG or privacy officer is not always clear, which creates unrealistic expectations.
Challenge for the next 5 years: making yourself redundant
The people we spoke to for this article want to achieve a higher level of maturity with their institution over the next five years. "But that means we have to formalise a lot and, above all, act on the established frameworks on privacy and information security," stresses Esther van der Ent of the HAN. "It is not a party of the central privacy department but something of the entire organisation. Privacy belongs to all of us! If we can achieve this, for me an important goal will have been achieved."
Wageningen University's Joan Schrijvers' wish? "To make myself redundant. Ideally, I want employees to immediately incorporate privacy as second nature. It's part of the deal, just like registering hours. So we continue to focus on tools and awareness."
"A good transfer to someone else, because I will retire in three years," is the goal of Wim Triepels, senior advisor on operations and FG at ROC Gilde. When the GDPR (AVG in Dutch) was introduced, it was emphatically stated that the positions of FG and privacy officer were very much suited to experienced colleagues who knew the organisation's processes inside out. As a result, many privacy professionals will retire in the coming years. That knowledge needs to be secured so as not to lose the progress made in recent years.
Finally, what advice would you give to other institutions?
"People often find information security and privacy very difficult. Try to offer privacy in an approachable and solution-oriented way. A lot is still possible within the boundaries of the GDPR; it's a matter of explaining and talking about the possibilities. That way, you get a lot more understanding."
Esther van der Ent, HAN
"More attention is needed for privacy awareness. Take artificial intelligence (AI) for example: a development with quite a few snags. Its use cannot be controlled. There is only one solution: provide comprehensive information on how AI works and what the risks are. Not just in the short term but precisely in the long term."
Eric van Hoof, Leiden University
"False oppositions are often painted; as if the privacy department is opposed to the researchers. But the key lies with managers who make choices - and give kudos when compliance is well organised. Discussions often take place ad hoc, in the midst of hectic activity. By talking to each other at calmer moments, we can take the sting out of it and build understanding."
Artan Jacquet, Utrecht University
"Get your privacy governance right: free up time, capacity and money to make people visible in the organisation. Intensify contact between privacy, security and data stewardship. If people understand what they need to do and why it is important, they will also start working in a more privacy-conscious way. And work with an annual privacy plan to show what you want to achieve. It creates team bonding and pride in the results achieved."
Joan Schrijvers, Wageningen University
"The processing register and all the other activities are important, but that is not the ultimate goal. Keep looking at the big picture: privacy is a prerequisite for an autonomous life. People have the right to live their lives without being influenced by invisible processes they cannot put their finger on. In the end, that's what we do it for."
Niels Huijbregts, SURF
"Meet up with other FGs and privacy officers, share experiences and learn from each other. Join a working group and take part in meetings organised by MBO digital, SURF or Kennisnet. You learn a lot there, inspire others and discover your own expertise. One result of this, for example, is the template for processing agreements, which puts you in a strong position as an institution rather than having to keep reinventing the wheel. It is the only way for a small institution to defend itself against large parties. Moreover, it is inspiring to show what your contribution was at your institution."
René Zaal, Nova College