The legislation also has various consequences for the university and scientific research. For example, the university was obliged to appoint a data protection officer. Marlon Domingus has had this role since 1 April. He is overseeing the university’s preparations for the GDPR. Everyone, employees and students alike, who has anything to do with personal data will have to comply with the new rules, and that has consequences.
What is changing because of the introduction of the GDPR?
“Privacy principles such as those that were already conceived in the eighties still actually apply. What is really changing is that organisations have to be able to demonstrate that they have things in order. It is now much easier for citizens to report a breach of privacy than it used to be. Put simply, the burden of proof has been reversed. You have to be able to show exactly what you are doing with personal data. Furthermore, consent has to have been clearly given in order to be allowed to use the data.
“Fines are now also higher than in the old Wet Bescherming Persoonsgegevens (Data Protection Act or WBP): up to 4 percent of your company’s revenue, with a maximum of 10 million euros for a minor offence. The maximum fine for serious offences is 20 million. It is particularly alarming for management, since they’ll be the ones seeing the fines come in.”
How likely are you to be fined?
“If there was a data breach, for example, the Autoriteit Persoonsgegevens (Personal Data Authority) would investigate. They would then advise how to prevent such an event in the future. You would have to learn from these mistakes. If you continued to commit minor violations, then you would end up in the 10 million euro category. But I don’t expect that you will immediately be fined for just losing a USB stick. Serious offences would be events such as data breaches involving special categories of personal data, or the processing of such data without a valid reason.”
What has the university done over the past months to prepare you for the GDPR?
“We have campaigned a lot to raise awareness amongst researchers and employees. For example, we sent fake phishing emails to see how employees would deal with them. We have been trying to improve basic knowledge by organising events and training courses, sending newsletters and occasionally I write blogs. We have also set up a department that does everything that is needed to secure privacy within the organisation. Any type of processing of data at the university has to be included in the ‘processing registry’. This specifies, among other things, the roles and responsibilities of those involved in processing, what kind of data they handle and the purpose of the data. If the Autoriteit Persoonsgegevens pays us a visit, then I can easily show them an overview.”
What kind of consequences will the new system have for researchers?
“Scientific research has been granted exceptions in the legislation. For this reason, there is a greater degree of flexibility. The researchers who already work with a lot of personal data, such as social scientists, are already very aware of the sensitivity of the information. They even sometimes have rules of conduct that are stricter than the GDPR. Some of the problems for research with personal data are already being solved by technology. For example, we have a platform for the secure exchange of personal data, the EUR document vault. In this fully encrypted environment, a researcher is completely in control of his or her data. You can set criteria, such as that a folder must be closed off after four years, or is only accessible for certain researchers or team members.
“Once you have solved the technical problems, the remaining issues are mostly ethical in nature. What do you want to investigate and do you have a good reason to do so? Would you be comfortable to read about your research proposal in the newspaper? Would you want your own son or daughter to be involved in your research? Answers to these questions are often very revealing.”
How will the introduction of the legislation affect students?
“Students make use of the same research tools. The GDPR will also be part of their training. The intention is that it will become a logical part of research: just check that you are complying with all the privacy rules. Another issue is learning analytics, the analysis of students’ data to improve the education process. This will be possible with the new platform Canvas that is being introduced in September. But first we need to weigh all pros and cons, and decide whether to turn those analytics on. That is why we want to hear what the students want. What feels comfortable and what does not? That is also one of the rules in the GDPR: involve the target group.”
Can students also ask which of their data the university is storing, as required by the GDPR?
“Yes, they can. There’s a button for that on the web page of the EUR Privacy Statement. But if someone asks that now, we would have to do it manually, which is a lot of work. We intend to use better designed software to solve this issue. There are a lot of misconceptions regarding the ‘right to be forgotten’. For example, if you ask to be deleted from our administration while still studying here, we cannot help you. It is only possible if the information no longer has a function.”
Can student associations still post photos of parties on Facebook after the legislation’s introduction, for example?
“Of course, but it is always a question of being sensible. That applies to social media in general. For example, if we are holding an event, then we will announce that we will be taking photos to give an impression on social media. And people can always object. You also have to consider whether posting a photo is reasonable: does someone in the photo look strange, and are you violating his or her privacy? You do not need everyone’s explicit permission in advance.”
Has the university managed to comply with the GDPR’s requirements by 25 May?
“You will always be able to find someone on the campus who does not know about it. And another thing that has not yet been fully dealt with is the issue of working with telephones, laptops and tablets in a secure manner. Staff don’t always realise how interesting they are as a target, for example when they log into public wifi access points. And we are still working on data processing agreements with some software suppliers. In these agreements, we have to establish what the companies can do with our personal data. But I seriously do not think that the Autoriteit Persoonsgegevens will be banging on our door on Monday, ready to dish out fines.”
Is the fear that people and organisations have of the GDPR justified?
“You have to handle a great deal of misunderstanding. The GDPR is difficult to read. It’s a norm, not a checklist. It is just like it was with copyright laws: people think it’s annoying and difficult, but ultimately it is there to help and protect us. In the end, you just have to use your common sense and treat people how you would like to be treated.”
If you have any further questions about the GDPR, then you can always reach Marlon Domingus at [email protected].