"Although there hasn't really been much change in what is and isn't allowed, the GDPR has brought a lot more awareness. So that's good news. The GDPR does bring more administrative obligations", says Tom Paffen, privacy lawyer at the VU in Amsterdam.
In order to meet the increasing demand for support and to work on compliance at the same time, Tom and two fellow lawyers set up a network of privacy champions. "Privacy champions are our eyes and ears in the faculties. They know what happens with personal data in the workplace and are the first point of contact for employees," says Tom.
The privacy champions were recruited by the faculty directors from the pool of current employees. They should spend at least half a day a week working on privacy-related questions. To ensure that the privacy champions would be sufficiently prepared, Tom and colleagues developed an 8-day training course about the legal side of privacy. What does the GDPR actually say and how should you apply the rules? "The tricky thing about the GDPR is that it contains open standards. So the answer to a question almost always depends on the circumstances," Tom explains. In addition to the training, Tom and colleagues set up a special intranet page where the privacy champions can find model agreements and where they can ask questions.
At the moment, 35 privacy champions are up and running around the Vrije Universiteit Amsterdam. Steef Löwik, head of the social sciences research bureau, is one of them. Within his faculty, four privacy champions have been appointed: two for research and two for education. Steef is a privacy champion for research. "It is a fairly diverse task and requires a relatively large amount of customisation and research per question, because each case is slightly different," Steef says. "From a privacy perspective, you may have to deal with questions about the security, storage and sharing of personal data, which is closely related to data management, ethics and IT security aspects."
How do Tom and Steef see the future of privacy support? At the moment, Tom and colleagues are still adjusting the network organically and moving step by step to the next level. On that next level, Tom would like to see a full-time privacy champion for each of the three domains of research, education and business operations. "The questions are really different within the domains," Tom says.
Steef hopes that the tasks will be assigned more structurally. "Within the Vrije Universiteit Amsterdam, the concept of 'champions' is now also being rolled out for data management and IT. This isn't efficient. Ideally, privacy, IT, data management and ethical review should come together more", Steef thinks.
The Privacy Perfect programme is currently being implemented. Via this programme, data processing operations at the Vrije Universiteit Amsterdam are registered and Data Protection Impact Assessments (DPIAs) can also be carried out. Steef expects that the privacy champions will receive many questions about these topics. In addition, the Data Protection Officer is working on a 'privacy compliance framework'. The field is very much in motion, so to speak.
"Ultimately, compliance with the GDPR is no more and no less than moving as proactively as possible in a force field and choosing what you do and don't do", Tom knows.
Tom concludes with four tips for institutions that are also considering setting up a network of privacy champions: