Under the GDPR, companies processing personal data are obliged to implement a number of measures. They must clearly state on paper what kind of data they collect, how they store it, who has access to it, and what the purpose of collecting the data is. The law requires an account of all these steps in a record of processing activities (ROPA).
Where appropriate, companies and institutions must carry out a data protection impact assessment (DPIA): an analysis of the privacy risks associated with a personal data-intensive process.
Initially, there was a lot of emphasis in the media on the size of the possible sanctions: ranging from a warning to the suspension of business activities and fines of up to € 20 million or 4% of the total annual turnover. This has certainly contributed to a growing awareness of the importance of data protection.
The first year
A recent study by Motivaction suggests that more than 50% of the organizations involved have now appointed a Data Protection Officer (DPO), usually from within their own staff, sometimes outsourced to a third party.
Strikingly, more than 73% of those involved indicated that there was much more involved than expected. The main reasons: the selection of the DPO, the design of data processing agreements, and the creation of awareness and the training of staff.
In the first year of the GDPR, about 13% of the institutions regularly received requests from individuals concerning their data. 7% of these requests referred to ‘the right to be forgotten’, that is: the removal of a person from the administration. These numbers are expected to grow. Especially larger organizations will benefit from automating the production of reports on all data processing (ROPAs).
In the Netherlands, the enforcement body, the Dutch Data Protection Agency, the Autoriteit Persoonsinformatie (AP), quickly doubled its monitoring capacity, carrying out random checks in government agencies, banks and insurance companies, hospitals and other healthcare institutions. The National Police, the Dutch Tax Office, the Chamber of Commerce and the Employee Insurance Agency (UWV) were criticized and ordered to review part of their policies, sometimes under an order subject to a penalty payment.
The first fine
Recently the first GDPR fine has been issued. The Haga hospital has been fined € 460,000 for its careless handling of patient data. The AP investigated the hospital’s security of patient data after the matter was brought to public attention on air by EenVandaag. The news show reported that dozens of hospital employees had unnecessarily accessed the medical file of reality star Samantha de Jong (publicly known as ‘Barbie’).
The AP concluded that the hospital did not comply with its own security rules. The Haga Hospital also did too little to check who had looked at which patient file without authorization. Hospitals must take measures to ensure that employees cannot simply browse through patient data. "The relationship between a care provider and a patient should be completely confidential. Even within the walls of a hospital. It doesn't matter who you are," says Aleid Wolfsen, AP’s chairman.
From compliance to commitment
Pushed by the threat of fines, companies and institutions realize more than ever that they need to comply with the rules. And I think they better understand the inherent value of protecting the personal data of customers and employees. Privacy First consultant Van der Veen refers to the Health and Safety legislation: "You may wonder why you have to buy good, expensive chairs for your employees, until you understand that bad chairs lead to absenteeism due to illness and less good employees."
For today's digital economy the security of data is imperative. It provides competitive advantages and offers opportunities for a meaningful relationship with all stakeholders. On the other hand, poorly managed security undermines confidence in a digital transformation.
Apart from the blatant curiosity of the staff and the nonchalance of the management at Haga, the day-to-day practice is stubbornly hard to get right.
Properly controlling access to the electronic patient record in hospitals like Haga, with over 3,600 staff and 275 specialists, is no easy task. Privacy must be guaranteed, but also employees must be able to do their work properly. New employees start every day and others leave. People change jobs and sometimes, due to illness, a colleague has to take over a few hours before a shift starts. After all, health care is 24/7. This places high demands on systems and on discipline.
The trick is to combine defined restrictions on access with a system of checks and balances for monitoring afterwards, so that you know who has seen which file. These are the rules, but in practice it is almost impossible to regulate data protection conclusively without compromising workability. That is why simply ticking boxes will not work. We need the involvement of institutions and their employees to treat personal data responsibly and with respect: a mind shift from 'compliance' to 'commitment'.
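As an added illustration of that combination, and not code from the article or from the hospital's own system, the following Python sketch models access restricted to a patient's care team, an override path for the shift-takeover case described above, and a review afterwards that tells you who has seen which file and which records were opened by unusually many different staff. All staff and patient identifiers, thresholds and sample accesses are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AuditEntry:
    when: datetime
    staff_id: str
    patient_id: str
    allowed: bool       # was the record opened?
    override: bool      # opened via override rather than care-team membership
    reason: str         # justification given for an override, empty otherwise


@dataclass
class PatientRecordAccess:
    """Defined access restrictions (care-team membership) plus an audit trail.

    care_teams maps patient id -> set of staff ids with an active treatment
    relationship (constructed assumption). Every attempt, allowed or not,
    is logged so that afterwards you know who has seen which file.
    """
    care_teams: dict
    log: list = field(default_factory=list)

    def request(self, when, staff_id, patient_id, override_reason=None):
        """Decide whether staff_id may open patient_id's record; log the attempt.

        Care-team members are allowed. Anyone else is denied unless they give
        an override reason (e.g. taking over a shift for a sick colleague),
        in which case access is granted but marked for review.
        """
        on_team = staff_id in self.care_teams.get(patient_id, set())
        override = (not on_team) and bool(override_reason)
        allowed = on_team or override
        self.log.append(AuditEntry(when, staff_id, patient_id, allowed,
                                   override, override_reason or ""))
        return allowed

    def review(self, window, max_distinct_staff):
        """The checks afterwards.

        Flags records opened by more than max_distinct_staff different people
        within `window` (the browsing pattern), lists every override so it
        can be justified, and lists denied attempts.
        """
        accesses = defaultdict(list)  # patient id -> [(when, staff_id)]
        for e in self.log:
            if e.allowed:
                accesses[e.patient_id].append((e.when, e.staff_id))

        browsing = []
        for patient_id, events in accesses.items():
            events.sort()  # sliding window over accesses ordered by time
            for i, (start, _) in enumerate(events):
                staff = {s for t, s in events[i:] if t - start <= window}
                if len(staff) > max_distinct_staff:
                    browsing.append(patient_id)
                    break

        return {
            "browsing": sorted(browsing),
            "overrides": [e for e in self.log if e.override],
            "denied": [e for e in self.log if not e.allowed],
        }


def demo():
    """Constructed scenario: one legitimate takeover, one record browsed by many."""
    care_teams = {"P-001": {"S-10", "S-11"}, "P-002": {"S-12"}}
    epr = PatientRecordAccess(care_teams)
    t0 = datetime(2019, 7, 1, 8, 0)
    # Care team works normally on P-002.
    epr.request(t0, "S-12", "P-002")
    # Shift takeover: S-13 is not on P-002's team, opens it with a stated reason.
    epr.request(t0 + timedelta(hours=1), "S-13", "P-002",
                override_reason="covering sick colleague S-12, ward 4")
    # Ten different staff try P-001 within two hours: two are on the team,
    # six use a flimsy override, two give no reason and are denied.
    for n in range(10):
        reason = "looking up" if 2 <= n <= 7 else None
        epr.request(t0 + timedelta(minutes=10 * n), f"S-{10 + n}", "P-001",
                    override_reason=reason)
    return epr.review(window=timedelta(hours=24), max_distinct_staff=5)


if __name__ == "__main__":
    result = demo()
    print("records showing a browsing pattern:", result["browsing"])
    for e in result["overrides"]:
        print(f"override to justify: {e.staff_id} -> {e.patient_id} ({e.reason})")
```

The point of the design is that the access decision alone is not the control: the override path is what keeps the ward workable when a colleague falls ill, and the review afterwards is what turns a logged override or an eight-person pile-on onto one record into something a supervisor actually looks at.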
The first steps under the GDPR have been taken; there is awareness, and companies are starting to get used to the new status quo. It is good that companies and institutions know their customers, patients and citizens well in the digital domain. It is good that everyday decent manners, as a matter of course, have a digital component. The protection of digital privacy is a cornerstone for the successful digitization of society. The rules are set. Next comes enforcement. And in the coming years we will come across many smaller and bigger issues that need attention in order to spell out what decent digital manners are.