PONT Data&Privacy


These are the important duties of a Privacy Officer

With the introduction of the AVG legislation, many organizations are searching diligently for a Privacy Officer. Although the role is not mandatory, appointing one within an organization is desirable. But in the particularly tight labor market, this turns out to be not so easy. Data&Privacyweb delved into the story of the Privacy Officer. What should you be able to do?

7 February 2022

Background articles


Every company or organization has a marketing department, and since the introduction of the General Data Protection Act, or AVG for short, they are sometimes at a loss for words. What can you and can't you do under this legislation? How long can you keep customer data, and how do you do that without someone having access to it, or perhaps even leaking it? In other words, when are you in violation?

Because of the AVG (from 2018) and all the new legislation still to come from the European Union, organizations want to hire people who know the ropes when it comes to privacy and data processing. A Privacy Officer is often chosen. It's a much sought-after candidate, a look at LinkedIn's job feed reveals. There are nearly 300 job openings out, so you have it all to choose from as an (aspiring) Privacy Officer, especially in an already strained job market. A major health insurer like Achmea was looking for one until recently, and Rabobank is also recruiting. Recruiters are scouring career sites looking for the right candidate.

An important set of tasks

The Privacy Officer ensures compliance with the AVG within an organization and ensures that privacy and data processing are in safe hands with every employee who collects personal data. A PO provides advice and support, gives internal training and has a role in reporting data breaches. That is an important set of duties, especially at a time when the importance of privacy is becoming increasingly pervasive. In addition, within large organizations in particular, you have a Data Protection Officer (FG). This role, unlike the Privacy Officer, is mandatory for governments and certain so-called data-intensive organizations. That is the biggest difference between the two functions, which otherwise have a few commonalities, says Gerrit-Jan Zwenne, a lawyer at Pels Rijcken and professor of law and the information society at Leiden University.

After all, they are both concerned with privacy laws. The FG is supposed to operate independently of the board, Zwenne emphasizes. 'The board is not allowed to instruct the FG where his supervision matters are concerned, but of course it is allowed for other (practical) matters such as working hours. The privacy officer does receive instructions from higher up: would you like to draw up a privacy statement or a request for inspection? That sort of thing.' Note, he says: the obligation to comply with the AVG always lies with the organization itself.

As an organization or company, you are not required to appoint a Privacy Officer, but in the case of the Data Protection Officer, it is sometimes different. For those organizations that process special personal data, such as health data, on a large scale and engage in extensive observation of public space, an FG is necessary under the AVG. That includes large public organizations such as a hospital or a ministry. The FG is the point of contact for the Autoriteit Persoonsgegevens, and vice versa. In practice, it's mostly e-mail contact, Zwenne says: 'It often doesn't amount to much yet, unfortunately.'

Knowing the ins and outs

Back to the Privacy Officer. So that one is proving popular. But what do you need for it? Data&Privacyweb asked Carla Brinkman, working as Privacy Officer at Wageningen University & Research (WUR), along with twelve privacy colleagues. Our editors tracked her down through our LinkedIn page. She landed that post a year and a half ago after years of professional experience in the data field. She has a communications background, not a legal one. What mainly drives her is interest. 'I had been working with online communities and data for a long time, also professionally, and was curious about how we deal with data. It's terribly important, precisely because data is worth so much.'

Brinkman notes that not everyone immediately understands the importance of privacy and data processing. 'It remains difficult. The urgency is still sometimes lacking.' Many scientists work at Wageningen University and Research, for example, and they are all very busy with their research. They sometimes experience the emphasis on data management, AVG and privacy as an extra burden: do I really have to do that as well? Her communications background helps with this. 'You need a healthy dose of persuasiveness and assertiveness. I approach people directly. And you have to present the subject matter in a fun way. With humor and appealing examples. So that it's not all so abstract.'

What also helps is holding up a mirror to colleagues, Brinkman points out. 'How would you feel if your personal data were not protected?' According to her, awareness is key. 'The principle of unknown makes unloved applies enormously here. You can solve a lot by explaining. Because when I ask: but what do you actually collect? Well, that often turns out to be personal data. That's exactly where the AVG comes in, I tell them.' People then take it seriously, is her experience. She has never experienced anyone who said: I don't care about this at all. No, that doesn't actually happen.

Take the Privacy Officer seriously

But all is not self-evident. Brinkman: 'I think there is always room for improvement here at WUR. It has to stay in people's minds: privacy is important.' Gerrit-Jan Zwenne acknowledges that many employees are not yet fully aware of this. 'Of course it is all still relatively new, but it just has to be done. When paying income tax, nobody asks themselves the question: do I feel like doing this?'

We need to take the profession of Privacy Officers more seriously, he believes. And perhaps even require special training for this position. After all, optimal knowledge of the AVG is incredibly important. 'Too often the Privacy Officer says: don't do it. It is not allowed under the AVG. And that then turns out to be completely wrong, because there is insufficient knowledge of the law.' According to him, there is still a world to be won there. Under certain conditions, certain data processing is allowed. Thorough training is therefore essential.
