Overseeing compliance with privacy laws, providing data protection advice, and collaborating with the Dutch Data Protection Authority (Dutch DAP) are part of the extensive responsibilities of Data Protection Officers (DPOs). Yet, this role continues to expand.
So, how can we effectively manage this evolving situation? Moreover, how do we support DPOs in their expanding roles without overburdening them, ensuring that privacy protection remains uncompromised? Walter van Wijk Information Security and Privacy Protection Center (CIP), sheds light on the challenges faced by DPOs and the steps they, along with administrators, can take.
What are the challenges DPOs are facing?
Van Wijk explains, “DPOs are dealing with various types of developments. These include legislative changes such as the European AI Act and the Data Governance Act (Wdo). They are also facing technological advancements, notably the increasing use of algorithms and Privacy Enhancing Technologies (PET). In addition, DPOs are increasingly collaborating with other parties to manage data sharing securely and ethically across organisations for societal benefit. They also interact with emerging roles, such as Chief Data Officers and Chief Privacy Officers.
Being a DPO is already quite demanding, with the role consisting of a vast task load. The urgency is high as developments are both tangible and relevant, raising concerns in a privacy-conscious context as in the Netherlands. That’s why it’s crucial to bring attention to this promptly.”
How do we address this?
Van Wijk believes the solution lies with both administrators and DPOs. “Administrators must adapt their organisations to these developments. A responsible administrator should manage personal and sensitive citizen data with utmost responsibility. This might mean scaling up, also horizontally. A DPO needs to be more than just a legal expert; they should also have knowledge in areas such as change management, communication, business operations, and governance.
Furthermore, it’s imperative for DPOs to engage with their peers, sharing and gaining knowledge to evolve professionally. Organisations such as the Information Security Service (IBD) of the Association of Dutch Municipalities (VNG), the Dutch Society of Data Protection Officers (NGFG), and CIP already offer such opportunities. Given a DPO is often a solitary role within an organisation, these interactions are particularly valuable.”
Van Wijk advises DPOs to prepare for the future. “Administrators will increasingly seek advice on various developments. It’s important for DPOs to set achievable goals and prioritise. Recognising that not everything can be a top priority is vital. This task demands resilience because there is pressure from society, on an administrative level, from ministries, or other government organisations. DPOs should engage in dialogue with administrators to establish clear agreements. They also need to make precise and achievable agreements with other privacy professionals within the organisation about responsibilities and priorities.”
How can privacy and quality be guaranteed?
Van Wijk adds, “Overall, the Netherlands maintains a good level of privacy protection, and we certainly want to keep it that way. That’s why it’s important for both administrators and DPOs to anticipate developments to continue safeguarding privacy.”
To ensure the professional standards of DPOs, Van Wijk highlights CIP,’s role, commissioned by the Ministry of Justice and Security (JenV), in creating a national registry, the National Register for DPOs (NRFG). This aims to strengthen supervision of personal data processing by evaluating and reinforcing the qualifications and capabilities of DPOs.
What steps can DPOs and administrators take now?
“Organisations differ, each with unique privacy requirements and risks. The Tax and Customs Administration, for example, is likely engaged in different steps than a municipality,” says Van Wijk. He stresses the importance for organisations to assess what can be done right now to support their DPOs in upholding privacy standards. Identifying key priorities is the first step.
He elaborates, “CIP is actively involved in supporting DPOs and other privacy professionals in the public sector. Our goal is to provide them with current information, foster a network for sharing knowledge, and assist in their professional development. This includes our Pleio environment. We also have an Information Security and Privacy (IB&P) consultation service where you can drop by without an appointment for questions or support.” CIP has also organised various DPO Cafés. “Interested parties are encouraged to reach out,” says Van Wijk.
To do so, please contact cip@cip-overheid.nl.