The GDPR offers citizens more control over their data than the current legislation. There are more measures being implemented to prevent data leaks and to allow complaints to be made through which the supervising authority will be able to levy major fines. The new measures also oblige large organisations, such as the VUB, to appoint a Data Protection Officer. And that DPO is Audrey Van Scharen. As a legal expert, she evenly splits her time between the Legal Ethics Office for the R&D department and drafting the GDPR policy at the VUB.
You need to check whether people have in fact given their permission for you to send them, for example, a newsletter.
Changes in email culture
‘Employees will more frequently need to question whether they are using personal data. And exactly how they need to handle it. This is where the problem lies, especially in relation to the email culture that is prevalent today. Don’t forward any large Excel files by email. Put them on SharePoint instead. And when you send out emails, rather than putting everyone in Cc, hide their email addresses (e.g. by using Bcc). Remember that you need to have permission from the recipient or another legal ground for using someone’s email address when you send bulk mail or newsletters. You also need to check whether the personal details you have are permitted to be used for that purpose. And you must make sure that people have in fact given their permission for you to send them, for example, a newsletter.’
The solution is to create one single, communal database with sufficient access for the people who need to work with it.
Sharing is caring
‘We would prefer to move away from having individual Excel files on individual employees’ computers; it makes it virtually impossible to implement the rights of the parties involved. If, for example, someone wants to be removed from our system, we will have difficulty deleting their details from every individual file. The solution is to create one single, communal database with sufficient access for the people who need to work with it. But perhaps this is easier said than done, which is why we are investigating all suitable options at the moment.’
In a register, you list which details you have, who they are about, where you saved them, how long they can be kept, and which details need to be destroyed or monitored.
A new inclusion in the legislation is the construction of a register for the processing activities of the data. ‘In that register, you list which details you have, who they are about, where you saved them, how long they can be kept, and which details need to be destroyed or monitored. By far, the majority of the data needs to remain anonymous. And while it often appears to be, it’s not always the case. If, for example, you have a data file of students that includes their ages, schools and postcodes, a combination of those three details is not anonymous. IP addresses also qualify as personal data.
It’s good to know that every service and researcher at VUB takes responsibility for the correct handling of personal data.
Everyone is responsible
‘One of my most important tasks is making everyone aware of the cultural change that this legislation brings with it. A lot of services make use of personal data. Researchers, in particular, like to have as much data as possible. It’s good to know that every service and researcher at VUB takes responsibility for the correct handling of personal data. Before 25 May, I’ll be visiting every department to give advice. We will then run through the register together to determine what needs to be saved and what doesn’t.'
Read more under the picture
Team work
25 May is coming up quickly. Fortunately, the DPO is not the only person to turn to.
‘An important role is played by our security consultant Jan Paredis. He gives expert advice on securing personal data, lodging authorisation requests with the privacy commission for inspecting personal data, and handling reports relating to data leaks. Externally, there’s also an interdisciplinary workgroup with other universities and internally, I’ve had a great deal of preparatory work from Ward Vansteenkiste and the VUB Centrum voor Academische en Vrijzinnige Archieven. In 2016, for the Algemeen Strategisch Plan 2 (ASP2) project Duurzaam Digitaal, they had made a very large inventory; we are now working on this together to create the register. For the Algemeen Strategisch Plan 2030, the successor of the ASP2, an important project on data governance has already been foreseen, with the KennisDataPlatform under the lead of Walter Ysebeart. Of course, this focuses on more than just personal data. But in every case, there is a beautiful future for VUB data on the horizon.’
Would you like to know more about GDPR?
Contact Audrey Van Scharen at dpo[at]vub.be