Legally, nothing much has changed
MAASTRICHT. “No need to panic, but make sure that you are prepared.” This is what Raoul Winkens, Maastricht University's mandatory data protection officer, says about the consequences for the university of the introduction of the new European data protection regulation on 25 May.
What else does he say? Something that will seem rather surprising to the average person or employee. The new General Data Protection Regulation (GDPR) has been in the news so prominently these last few weeks (people have been receiving e-mails from places they didn't even know had their data on file) that it seemed to be nothing short of a landslide for institutions such as a university.
But Winkens remains stoic: “Actually, very little has changed for the UM. What is not allowed now, wasn't allowed under the previous privacy legislation.” Such as? “Take a secretary's office where personal data is stored unlawfully in an Excel file and without a set time for their deletion. Just because this is handy. Something like that was not allowed before and it is still not allowed.”
Something else that was not and is not allowed is keeping an e-mail from years ago that includes an attachment with someone's CV. Winkens: “When it comes to job interviews, CVs from candidates who didn't get the job must be deleted within four weeks after the procedure has been completed. If you think that someone may be suitable for another position at a later stage, you may save it a little longer. The Data Protection Authority reckons that a year is long enough. And even then, only with the candidate’s consent.”
The problem with the old privacy legislation, the Data Protection Act from 2000, was that hardly anybody knew about it, that for a long time (until 2016) it carried no sanctions, and that it was therefore, according to NRC Handelsblad, “widely ignored”.
The new regulation, on the other hand, will be actively enforced, the Data Protection Authority promises. The organisation has recruited additional personnel for this purpose, and its tasks and powers have been expanded. Not only have the fines that can be imposed been harmonised across all EU countries, they are also higher than before: up to 4 per cent of annual turnover or twenty million euro, whichever is higher. For the UM, 4 per cent would equal 16 million euro.
Fines are, however, a last resort. The Data Protection Authority, Winkens explains, has a larger repertoire of sanctions besides fines: warnings, recommendations, a ban on the processing of certain data, et cetera, in increasing order of severity.
Part and parcel of the intensified monitoring is the mandatory appointment of a data protection officer (DPO) for large institutions and businesses. This person monitors compliance with the regulation; Winkens does so here at the UM. Are those concerned (students, employees, test subjects, others) told which of their data are being collected, and for what purpose? Has their permission been requested? Is the data stored no longer than necessary? Who has access to it? Ultimately the UM, and each of its sections, must be able to prove that they comply with the legal requirements. “That will never be 100 per cent,” says Winkens, “after all, people make mistakes; but you have to show that there is a data protection policy in place.”
The DPO does more: he informs employees, he gives advice, he provides training. It is important that he is independent. Winkens may be employed by the UM, but “if bosses don't agree with my actions, this has no consequences for my position. As is the case, for example, for the security official.”
If Winkens discovers a problem, he will notify the Executive Board. If the latter does not respond adequately, he may take the matter to the University Council, to the Supervisory Board, and ultimately to the Data Protection Authority. But that is a hypothetical case, “if matters are brought to the DPA, things have actually gone too far,” he says.
Perhaps legally not much has changed, but the major change will be in people’s awareness, says Winkens. “Employees will have to be more careful. No longer saving personal data on an unprotected USB memory stick, not saving data in your private Dropbox, not saving unnecessary copies, and if you do save copies, do so in a locked cupboard; we have drawn up a list of do’s and don’ts. It can be found on the UM website.”
Winkens’ greatest attention will go to the sections of the UM that process sensitive information. This mainly concerns Randwijck, where patient and test subject data is stored. But things can also go wrong elsewhere within the university. “If a laptop containing personal data is lost, this causes a potential data leak. Even if the data consists merely of names and addresses, this need not be harmful, although it is unpleasant. I write annual reports for the Executive Board, but these are published, so the world gets to know about it. Something like that leads to image damage for the UM, it could even lead to fewer student enrolments. So, I am on the alert for that.”