Idealism and compliance

Why does someone choose to be a data protection officer? That's a good question, says Winkens. "In our network, I see a great variety of DPOs. Lots of lawyers, but also philosophers, people who have information security as the main profession on their CV, some auditors... You really don't need to be a lawyer to understand the GDPR. You only learn the profession by doing it. Also because you have to get to know your organisation well."

A bit of legal interpretation

The working days of a DPO are quite varied, Winkens thinks. "There can always be incidents with personal data – colloquially, data leaks. Then I have to give quick advice, for example, whether we should report it to the Autoriteit Persoonsgegevens, the national data protection authority."

"However, most of the work can be planned well. For instance, interviews with organisational units, when we look at where progress is being made, or should be made. I also provide a bit of interpretation, legally from the point of view of the law or in terms of governance."

"And finally, I have days where I just sit and read and write. That depends on the time of year. At the moment, for example, I am completing my annual report."

Lonely work

Winkens has a lot of autonomy in his work. This applies to many positions in the university, but most so for DPOs: they are not to be instructed by their employer.

Doesn't that make the work lonely? "Sometimes it does, yes. True, I talk to many people, and I also feel that I share a common goal with them, which is to ensure that student and staff data are processed correctly. But still... It's about compliance. So people often experience it as bureaucracy, as a nuisance. Not so much the DPO as a person, but what he does."

At such times, Winkens benefits from good ties with colleagues elsewhere in the country. "They also experience that this separate position sometimes makes it a bit more complicated and lonely.”

Stick or carrot

Breaking through that reluctance will not always be easy. So, what works better, the stick or the carrot? "Of course, as a DPO you can mention that the Autoriteit Persoonsgegevens might drop by or that people can start legal proceedings. But I don't think that stick is very motivating. I think it's better to make clear what the consequences could be for students and staff if their data is misused. By just following the law, you really create a lot more security."

"In principle, people do realise that. No manager or director will say that compliance is unimportant. But that doesn't mean they are going to put a lot of energy into it. That's why I think a good DPO should be a good salesperson too."

Does it help if there's another cybercrisis? "Never waste a good crisis! It certainly offers opportunities to raise awareness, because on the one hand, security is also a requirement of the GDPR, and on the other hand, data that is not in a certain place cannot be stolen. But it is not inconceivable that more attention will shift to security and less to data protection." 

AI regulation: real fodder for lawyers

The GDPR is already seven years old, and the principles behind it have been around for decades, according to Winkens. ‘However, there is increasing debate about whether those principles are still effective within the new data infrastructures, with the huge amounts of data and processing capabilities that are now available.’

Here, Winkens is thinking primarily of AI. There is now a European regulation to guide its use. Winkens: "If you think the GDPR is complicated, then you'll find the AI regulation quite a hassle. Real fodder for lawyers. But as a DPO, you need to keep abreast of relevant legislation. That too is a requirement of the GDPR."

He himself is now completely up-to-date, thanks to a course by the European Center on Privacy and Cybersecurity, part of the Maastricht law school. ‘I know it may sound a bit biased because I feel connected to the university, but I can recommend it to anyone involved in this field who wants to do something with AI.’

Ethical question

Could AI also help with data protection? "Very much so! As a DPO, you have to read and write an awful lot of dry reports. I would prefer to have a tool do that. But it must be trustworthy AND I must have the expertise to check it myself."

"However, there is also an ethical question behind it. Why would an institution want to use AI? Is it to improve working conditions or to ensure work is done faster and cheaper? Those kinds of questions are also the basis of the GDPR: the fact that something is technically possible does not automatically mean that you should want it."

"Therefore, I'm glad that SURF is focusing more and more on public values. Because at some point, you can reach a tipping point where you have to ask yourself what your organisation's purpose really is."

Text: Aad van de Wijngaart
Photos: The Beeldredaktie / Marcel van Hoorn