GDPR compliant or in control?


Tuesday 03 April 2018

“A very interesting and interactive session in which Aleid Wolfsen, chairman of the Dutch data protection authority, answered all questions directly. Great!” This was one of the reactions, from one of the more than 30 participants in the Theme session about the implementation of the GDPR.

The session was recently organized by the CIO Platform Nederland at the Leids Universitair Medisch Centrum (LUMC). Chairman Aleid Wolfsen was on the program on behalf of the Dutch data protection authority (Dutch DPA). Besides the many questions for the Dutch DPA, the 10 GDPR implementation steps undertaken by LUMC were presented. Margot van Ditmarsch, information security advisor at the LUMC, shared their experiences and challenges.

GDPR implementation: challenges and questions
We organized our Theme session about the GDPR, ‘Strategy meets Practise’, at the LUMC on the same day that the Volkskrant published an article about the announcement by Bruno Bruins, minister of Medical care and Sports, that next year everybody will manage their own medical data on every desired device. At this stage of implementing the GDPR legislation, it appears to be very valuable to share challenges and situations with the Authority and with each other.

The role of the Data Protection Officers
Aleid Wolfsen of the Dutch DPA answered the many questions from the audience extensively. He emphasised the close collaboration with the Data Protection Officers (in Dutch: Functionaris Gegevensbescherming) - (DPOs/FGs) of the organizations. They are crucial for the internal supervision of the protection of people's data. The Authority aims for a good relationship with these Officers. This role (Dutch info) needs to be fulfilled in each organization that is officially required to appoint a DPO, who has direct access to the Board of Directors. It was noted that several organizations could share the same DPO, but the DPO needs to be well informed about what is going on in operations, in particular about the processing of personal data within the organization. Additionally, pay attention to possible conflicts of interest when this role is assigned to one person as an additional task. On the site of the Dutch DPA you can find a list that provides clarity about this.

Treat the customer as a king when it comes to data too
Of course it was also brought up that the law can be interpreted in various ways. Mr. Wolfsen was very clear about that. It is about processing data in accordance with the legal frameworks. The justified interest is important, but it isn’t allowed to stretch the law. He explained the importance of upholding the Privacy law as follows: “each human being has the right to be left in peace, has the right to intimacy and the right to live in freedom. While breaching privacy, you touch the fundament of the legal order.” To illustrate this fundament, Mr. Wolfsen used the metaphor of a chair and its 4 legs. Each chair leg is part of this strong fundament: Freedom, Solidarity, Equality and Democratic legal order. Wolfsen: “If we know everything from each other or the predictive capacity increases too much, then the equality disappears.”

Wolfsen indicated: an organization considers its customer a king, so treat their data in the same way. The Dutch DPA is open to a conversation with trade organisations about an explanation of the liabilities. The concern of many organizations, that there will be too many applications to handle from persons who want to know which information the organization has about them, was partly taken away. As a former judge, Wolfsen pointed out that in general it isn’t allowed to abuse this right. If such cases occur, the Dutch DPA is open to discussions about how to manage the many applications.

The 10 GDPR implementation steps of LUMC
During the presentation of the LUMC use case, Margot van Ditmarsch explained that privacy “thinking” has been embedded in the hospital for several years. Working with patient data is daily business. Negative publicity is in no one’s interest, and attention to privacy is a given. But besides securing the privacy of the patients, it is now also necessary to secure the data of employees and students. They have set up a project with a steering committee and working groups from the current organization to design and shape the implementation. One of the challenges, for instance, is setting up the processing agreements. Because of the size of a UMC, this is a very large project, and the maturity of the partners in the ecosystem varies.

Integral approach and commitment as a success factor
During the final discussion with the participating representatives of our members, it came down to the fact that the challenges and the successes lie within an integral approach and creating integral commitment, without continuous negotiations.

From the CIO Platform Nederland, we can look back on a valuable session in which participants got enough time to share their own use cases with the Dutch DPA and got information they can apply directly in their daily practice, and in which the use case of LUMC gave inspiration to learn from each other’s experiences.
