Ultimately, compliance with the GDPR is no more and less than moving as proactively as possible in a force field and choosing what you do and don't do | Tom Paffen
In this section we show how the Vrije Universiteit Amsterdam shapes privacy support with their concept of privacy champions. We conclude the paragraph with two examples of finding opportunities for privacy support.
Interview, June 2019
Since the introduction of the GDPR in May 2018, institutions have been busy arranging the necessary support. At the Vrije Universiteit Amsterdam a network of privacy champions was set up. RDNL interviewed one of the creators of the concept and a privacy champion himself.
Privacy champions are our eyes and ears in the faculties. They know what happens with personal data in the workplace and are the first point of contact for employees | Tom Paffen
"Although there hasn't really been much change in what is and isn't allowed, the GDPR has brought a lot more awareness. So that's good news. The GDPR does bring more administrative obligations", says Tom Paffen, privacy lawyer at the VU in Amsterdam.
In order to meet the increasing demand for support and to work on compliance at the same time, Tom and two fellow lawyers set up a network of privacy champions. "Privacy champions are our eyes and ears in the faculties. They know what happens with personal data in the workplace and are the first point of contact for employees", says Tom.
Tailor-made
The privacy champions were recruited by the faculty directors within the pool of current employees. They should spend at least half a day a week working on privacy related questions. In order to ensure that the privacy champions would be sufficiently prepared, Tom and colleagues developed an 8-day training course about the legal side of privacy. What does the GDPR actually say and how should you apply the rules? "The tricky thing about the GDPR is that it contains open standards. So the answer to a question almost always depends on the circumstances", Tom explains. In addition to the training, Tom and colleagues set up a special intranet page where the privacy champions can find model agreements and where they can ask questions.
At the moment, 35 privacy champions are up and running around the Vrije Universiteit Amsterdam. Steef Löwik, head of the social sciences research bureau, is one of them. Within his faculty, four privacy champions have been appointed: two for research and two for education. Steef is a privacy champion for research. "It is a fairly diverse task and requires a relatively large amount of customisation and research per question, because each case is slightly different", Steef says. "From a privacy perspective, you may have to deal with questions about the security, storage and sharing of personal data, which is closely related to data management, ethics and IT security aspects".
The future
How do Tom and Steef see the future of privacy support? At the moment, Tom and colleagues are still adjusting the network organically and moving step by step to the next level. On that next level, Tom would like to see a full-time privacy champion for each of the three domains of research, education and business operations. "The questions are really different within the domains", Tom says.
Steef hopes that the tasks will be assigned more structurally. "Within the Vrije Universiteit Amsterdam, the concept of "champions" is now also being rolled out for data management and IT. This isn't efficient. Ideally, privacy, IT, data management and ethical review should come together more", Steef thinks.
The Privacy Perfect programme is currently being implemented. Via this programme, data processing operations at the Vrije Universiteit Amsterdam are registered and Data Protection Impact Assessments (DPIAs) can also be carried out. Steef expects that the privacy champions will receive many questions about these topics. In addition, the Data Protection Officer is working on a 'privacy compliance framework'. The field is very much in motion, so to speak.
"Ultimately, compliance with the GDPR is no more and less than moving as proactively as possible in a force field and choosing what you do and don't do", Tom says.
Four tips
Tom concludes with four tips for institutions that are also considering setting up a network of privacy champions:
1. Make sure that everyone's attention is drawn to the fact that privacy is important and why
Emphasise, for example, that measures are needed to demonstrate to research participants that their data are processed in accordance with the GDPR and that this is also a condition for obtaining a grant.
2. Make sure that privacy champions are appointed
At the Vrije Universiteit Amsterdam, the privacy officers, the data protection officer and the Executive Board have acted as one. All parties quickly agreed that it was necessary to appoint the privacy champions.
3. Make sure that the privacy champions aren't left to themselves
The privacy champions must be able to rely on assistance from lawyers.
4. Make sure that the privacy champions are properly trained
Make sure that the privacy champions are well trained, both legally and in communication skills. Privacy champions are sometimes the bringers of the news that people have to change something. This means that you shouldn't be afraid of a firm discussion. Sometimes, it is difficult to have to tell researchers that they have to do things differently and change their ways.
In the spotlight
Opportunities for privacy support: part 1
In a meeting at TU Delft, 40 data supporters came up with the following shortlist of priorities for privacy support (Andrews et al. 2018):
- Create a list of trusted archives for researchers where they can deposit personal data;
- Publish an informed consent template for your researchers;
- Publish a list of FAQs concerning personal data;
- Provide access to a trusted Data Anonymisation Service;
- Create categories to define different types of personal data at your institution.
The focus of this type of list shifts over time, but of course it is the underlying principle that counts: identify gaps and opportunities together and .... Just Do It!
Opportunities for privacy support: part 2
Privacy officers, fellow data stewards, the medical ethics review committee, the data protection officer, lawyers, policy makers, information security experts, etc. Precisely because so many players are involved in privacy support, this offers opportunities for data supporters to look for synergy in the provision of support.
In the illustration that opens up when you click here, you can see, for example, a number of instruments that researchers who collect personal data may have to deal with, such as drawing up a data management plan, carrying out a Data Protection Impact Assessment (DPIA) and preparing items for an ethical review. These tools partially overlap in the questions which are asked. This looks like a promising area where data supporters and researchers can jointly explore how to align such tools. And that is exactly what LCRDM (2019) has been trying to do (post in Dutch).
Sources
Click to open/close
Andrews, H. et al. (2018). GDPR in research - what does it mean for research institutions?. Zenodo. https://doi.org/10.5281/zenodo.1408108
LCRDM (2019). Ethische toetsing, AVG en Research Data Management in de sociale wetenschappen [Blog]. https://www.edugroepen.nl/sites/RDM_platform/RDM_Blog/Lists/Posts/Post.aspx?ID=38
Privacy Perfect (n.d.) https://www.privacyperfect.com/home
