GDPR compliant or in control?

The session was recently organized by the CIO Platform Nederland at the Leids Universitair Medisch Centrum (LUMC). On behalf of the Dutch data protection authority (Dutch DPA) their chairman Aleid Wolfsen was scheduled on the program. Besides the many questions for the Dutch DPA, the 10 undertaken GDPR implementation steps of LUMC were presented. Margot van Ditmarsch, advisor information security of the LUMC shared their experiences and challenges. 

GDPR implementation: challenges and questions
On the same day the Volkskrant published an article about the announcement of minister Bruno Bruins of Medical care and Sports that next year everybody will manage their own medical data on every desired device, we organized our Theme session about the GDPR ‘Strategy meets Practise’ at the LUMC. In this stage of implementation of the GDPR legislation it appears to be very valuable to share with the Authority and each other the challenges and situations.  

The role of the Data Protection Officers
Aleid Wolfsen of the Dutch DPA answered the many questions from the audience extensively. He emphasised the close collaboration with the Data Protection Officers (in Dutch: Functionaris Gegevensbescherming) - (DPO’s/FG’s) of the organizations. They are crucial for the internal supervision of the data protection of the people. The Authority aims towards a good relationship with these Officers. This role (Dutch info) needs to be fulfilled in each organization that officially needs to appoint an DPO, who has direct access to the Board of Directors. Addressed was the fact that several organizations could share the same DPO, but the DPO needs to be well informed about what is going on in operations, in particular about processing personal data within the organization. Additionally, pay attention to possible conflicts of interest with this role, when this is addressed at one person being an additional task. On the site of the Dutch DPA you can find a list to get clarity about it.   

Treat the customer also as a king if it’s about data  
Of course it was also brought up that the law is interpretable from various ways. Mr. Wolfsen was very clear about that. It is about making the processing of data in accordance with the legal frameworks. The justified interest is important, but it isn’t allowed to stretch the law. The importance of maintaining the Privacy law is explained by him as: “each human being has the right to be left in peace, has the right on intimacy and the right to live in freedom. While breaching privacy, you touch the fundament of the legal order.” To indicate this fundament Mr. Wolfsen used the metaphor of a chair and it’s 4 legs. Each chair leg is part of this strong fundament: Freedom, Solidarity, Equality and Democratic legal order. Wolfsen: “If we know everything from each other or the predicative capacity increases too much, than the equality disappears.” 

Wolfsen indicated: an organization considers its customer as a king, so treat their data in the same way. The Dutch DPA is open for a conversation with trade organisations about an explanation of the liabilities. The concern of many organizations is that there will be too many applications to handle of persons who want to know which information the organization has about him/her, is partly taken away. As a former judge, Wolfsen pointed out that in general it isn’t allowed to abuse this right. If these cases will occur, the Dutch DPA is open for discussions about how to manage the many applications.  

The 10 GDPR implementation steps of LUMC
During the presentation of the use case of the LUMC, Margot van Ditmarsch presented that privacy “thinking” in a hospital is embedded for several years. Working with patient data is daily business. Negative publicity is in no one’s interest, attention for privacy is an obviousness. But besides securing the privacy of the patients, it now is also necessary to insure the data of employees and students. They have set up a project with a steering committee and work forces from the current organization to design and shape the implementation. One of the challenges is for instance to set up the processing agreements. Because of the size of an UMC, this is a very large project and the maturity of the partner in the eco system are various.

Integral approach and commitment as a success factor
During the final discussion with the participating representatives of our members it comes down to the fact that the challenges and the successes lie within an integral approach and creating integral commitment, without continuous negotiations.

From the CIO Platform Nederland we can look back on a valuable session. In which participants got enough time to share their own use cases with the Dutch DPA, got information to implement directly into their daily practise and the use case of LUMC gave inspiration to learn from each other’s experiences.