PONT Data&Privacy

Why is an independent FG essential for government organizations?

In a previous article, we updated you on the recent findings of (European) studies on the position of the FG (1). In this article, especially for government organizations, we tell you more about the position of the FG in government agencies and provide some concrete real-life examples with advice on the role of the FG.

19 April 2024

Blog

In today's digital society, the protection of personal data is central, especially within government organizations that process a wide range of sensitive information. This immediately explains the need for an independent Data Protection Officer (FG). All the more so because the Autoriteit Persoonsgegevens (AP) strictly enforces this in government agencies, perhaps more strictly than in business. If there is a potential conflict of interest, or if the FG role is not sufficiently fulfilled, you run a real risk of enforcement. This article indicates how you can meaningfully design the FG role (and also how not to).

What does an FG do?

An FG oversees the application of and compliance with the General Data Protection Regulation (AVG) within an organization. An FG does this primarily by informing and advising the organization in the area of the AVG, for example, in conducting DPIAs and establishing policies. The FG also acts as a contact person for the supervisory authority. Appointing an FG is mandatory for government organizations.

Would you like to read more about this? On this page (2), we further explain the FG's duties and responsibilities.

The FG at government agencies

In the context of the position and task performance of the FG in government agencies, the findings of the Autoriteit Persoonsgegevens (AP) in the Netherlands also deserve attention. The AP has conducted several investigations involving the role or task performance of the FG within Dutch government organizations.

  • For example, in 2023, the AP held discussions with the Municipality of Almere and the Municipality of Amsterdam, regarding a possible conflict of interest in the FG's duties. We wrote an article about this in September (3).

  • Moreover, the question of when the FG's advice was sought played a role in the investigation of the Tax Administration's Fraud Alert Facility (FSV) (4). The Tax Administration was fined in that case because the FG was informed and involved much too late in the assessment of FSV's DPIA.

  • Finally, in 2021, the AP published a general vision document (5) on the positioning of the FG. It emphasizes that the FG must have sufficient resources, an independent position and a sufficient mandate to properly perform his or her role. It also reiterates the danger of conflicts of interest, and in that context rules out the FG also holding positions in which he or she would be responsible for data processing, such as head of finance, strategy, marketing, IT or HRM, or CISO.

Practical examples

Based on our experience, we see several recurring issues in practice among municipalities. Below we share some advice on how to make the role of the FG meaningful:

Involve the Data Protection Officer (FG) in initiatives in a timely manner

A common problem we find in practice is that the FG is not always involved in projects and processes within government organizations in a timely manner. This delay can lead to inefficient and ineffective performance of important tasks, such as the data protection impact assessment (DPIA). It is essential to engage the FG early in projects to advise on privacy-related issues and identify potential risks. Engaging the FG in a timely manner can prevent problems and ensure that the DPIA is conducted efficiently and effectively. We have found that the lack of timely engagement with FGs leads to frustration (6), both with the FG himself and with other stakeholders within the organization.

Above all, focus on privacy at the operational level, and involve the FG

Another striking aspect in practice is that privacy is often integrated only to a limited extent at the operational level ("the shop floor"), particularly in municipal Customer Contact Centers (CCCs) and similar departments. While privacy considerations may be taken into account at the strategic level when implementing new projects, their integration at the operational level lags. This is particularly evident in processes such as telephone verification (7), where privacy concerns such as data processing and protection may not be adequately addressed. Ask yourself: do we have agreements on paper about how we verify, for each channel, that we are speaking to the right person (on the phone, for example), and about what information we share through which channel? If not, engage with the FG specifically about establishing these processes. It is desirable that privacy becomes an integral part of training and processes at the operational level, in line with the requirements of the AVG. Making employees aware of privacy issues and teaching them proper procedures can improve personal data protection and minimize potential privacy risks. DMCC has developed special e-learnings for this purpose for municipalities (8).

Share best practices and give the FG space and resources to collaborate internally and externally

A third observation from practice is that municipalities deal with privacy in very different ways, both in their privacy policies and in their practices. Despite the legal requirements of the AVG and the guidelines of the Autoriteit Persoonsgegevens, municipalities vary in their approach to data protection. For example, we also see municipalities disregarding the advice of the FG (9), which poses privacy risks. This is precisely why it is so important to give the FG the resources and space (10) to make the most of his or her role. If municipalities deviate a lot from each other, it can lead to confusion among citizens and other stakeholders, and it can compromise the effectiveness of privacy protection. It is therefore valuable if municipalities strive for more consistency and cooperation in privacy protection, for example, by sharing best practices and developing common guidelines.

Conclusion: an independent FG is necessary according to the AP

Investigations at municipalities such as Almere and Amsterdam regarding possible conflicts of interest send a clear message: the position of the FG must be safeguarded from any conflict of interest. These situations offer valuable lessons for government organizations.

  1. What can you learn from the studies on the position of the FG?

  2. Data Protection Officer (FG)

  3. AP slams municipalities for dual role of FG

  4. https://www.autoriteitpersoonsgegevens.nl/actueel/zwarte-lijst-fsv-van-belastingdienst-in-strijd-met-de-wet

  5. https://www.autoriteitpersoonsgegevens.nl/documenten/positionering-van-de-fg-uitgangspunten-rollen-processen-en-verantwoordelijkheden

  6. https://www.binnenlandsbestuur.nl/digitaal/bits-freedom-reikt-privacyprijs-uit-aan-functionaris-gegevensbescherming

  7. SVB AP fine implications: telephone customer service must better verify caller identity

  8. Privacy & security for municipal customer contact center

  9. https://www.agconnect.nl/maatschappij/overheid/gemeenten-negeren-interne-privacytoezichthouders

  10. What can you learn from the studies on the position of the FG?
