In this column, we like to take a moment to highlight a Data Protection Officer based on some 10 questions DPI asks them. Bart Grieten, DPO at Agentschap Innoveren & Ondernemen, alumnus and current Stay Tuner at DPI, is happy to answer them.
- How did you end up in the role of DPO?
I started my career at the Flemish government as a system administrator. At the then IWT, there was a need for a ‘data prevention advisor’ around 2015, something that could be combined with the role of system administrator. However, with the coming into force of the current regulations, I did not immediately become a DPO; there were still too many things to handle as an admin at the time. Ultimately, after the necessary internal questions and agreements, this was changed at the end of that year. This makes me a DPO with a technical background.
- Which part of the tasks of a DPO do you prefer?
That is definitely raising awareness and advising. The process in which you work towards a positive story together with those responsible gives me satisfaction. The idea is still alive that the GDPR is too restrictive. While you often notice that the intentions are good and the decisions are justified, that people are really close to correct processing. It is then in the dots and commas to approach certain small matters slightly differently in order to comply with the GDPR. It is that interaction with both colleagues and external parties in which you demonstrate that the GDPR is often little more than thinking through common sense about what is needed to work within the created framework. Refining the ideas of colleagues gives them a better insight. A thoughtful processing is really not that difficult within the framework we have.
- Which event in the privacy landscape has affected you the most to date?
Actually, I was quite shocked by all the questions that were suddenly asked about reports that VLAIO published in response to the corona nuisance premiums. Suddenly everyone is a privacy expert and people are shooting with live ammunition. What is less known is the accountability of the government towards the citizen. Citizens have the right to know what is being done with their tax money. Hence the obligation to publish figures. However, this material only contained data from companies with a legal personality.
In the end, this situation even led to a parliamentary question. That way you can see the impact that a digital world generates.
- How would you describe the role of DPO in your company?
A relatively classic role, a point of contact for information security. Of course there are the traditional tasks such as mandatory advice on data exchanges, you have external contacts and I will be contacted in the event of a data breach. The visibility within the organization did take some time. Everyone now knows me and questions come to me much faster. This ensures a faster handling of the cases, but just as well for referrals to the right parties inside or outside the company. It is just more than being a simple source of information.
- What do you think is the biggest challenge for a DPO?
Internally, these are the pressures and expectations that are imposed. The general workload within the organization is increasing and sometimes ‘something’ is expected from the DPO that you are simply not allowed to perform.
Externally, you notice the differences between the public and private institutions. As a government you are much more bound by the various laws. Companies, including service providers, sometimes collide with this. This is also a recurring theme at training courses and events.
- Which technological evolution do you think has the most impact on data protection (positive/negative)?
Without a doubt, number 1 is the cloud services. Within the Flemish government you see that cloud services are gradually being used more. The regulator has rightly made some comments on this in the past. Fortunately, this is a very dynamic landscape and you can see a solution for almost every problem there relatively quickly. Sensitive data can be transferred outside the EEA with a clear conscience for some time thanks to good encryption. However, the evolution did not stop there, as the processing can take place outside the enterprise in safe enclaves. The providers know how to adapt quickly to the changing regulations. The innovation here goes with seven-league boots. For this aspect I am happy with my technical background.
- What are your experiences in the contact between DPO and data subject/authority?
You should not be afraid to contact the data subject or supervisor. You have to fine-tune how you talk to a person. After all, the GDPR requires us to formulate everything clearly and comprehensibly. This also gives you some credit with which you can remove the fuse from the powder keg. You don’t just contact the supervisor in the event of a data breach. For delicate matters you can also (unofficially) present and discuss the case. In fact, exactly the same thing you do when you want to come to a good agreement with another party.
- What is your golden tip for getting data protection and information security higher on management’s agenda?
People within the organization who are sympathetic to your cause. The GDPR is not a one-man show and even with a team you cannot reach all corners of the organization. Good contacts in all departments and teams provide the necessary feeling and feedback. This is the beginning of the interaction you want as a DPO. It ensures that you are involved in projects, exchanges, etc. This strengthens your signal to management.
- What is your Swiss army knife as a DPO?
As a DPO at VLAIO, and therefore within the Flemish government, this is the network you build around you. The contact with the DPOs of the other Flemish entities is of an importance that should not be underestimated. They work in a similar context. You exchange ideas with them about matters that are moving in the landscape of the Flemish government. This is where knowledge sharing comes into play, coordination around similar or common projects.
- How do you keep abreast of new trends in GDPR technology and legislation?
Digital media remains the fastest source. Following the VTC, GBA and Europe (European Commission and EDPB) with their respective advice and rulings is primary. Specialized websites give you a quick insight into what is going on in the field of technology and legislation. A nice addition are the podcasts of my namesake at a non-profit organization, very accessible even for someone who is less concerned with the GDPR. I often listen to them on the train or without passengers in the car.
Of course, you also brush up on your knowledge with training courses and events where you can continue with other DPOs in addition to the official part.