NWO-I and the GDPR
Cora Arts, Central Privacy Coordinator: “There’s still a lot to do; the GDPR process is never finished”
Say your institute is participating in the Science Weekend. How do you organise the registration of all the participants, and which information do you need from them? Which agreements do you make as regards privacy, such as taking photos at the event? All these questions are related to the GDPR which took effect on 25 May 2018: the General Data Protection Regulation. This regulation strengthens people’s privacy rights and imposes more obligations on organisations when it comes to processing personal data. Cora Arts, the Central Privacy Coordinator (CPC) at NWO-I, is working with the institutes and the NWO-I office to draw up guidelines and she agreed to talk to us about them.
Institutes share knowledge
‘I started working at NWO-I over one and a half year ago when I came to help the office and the institutes with the further implementation of the GDPR’, Cora tells us. She works for the Privacy Company and was engaged by NWO-I. ‘Each institute has its own privacy team with one or more privacy coordinators. We meet once a month for functional talks with the privacy coordinators where we share what we are all doing and discuss topics such as how we deal with things like images from surveillance cameras, personnel files, privacy statements, data leaks and involving employees in the GDPR. We then draw up joint processes and take a look at how we can organise the GDPR in a practical sense. I coordinate the meetings, connect people in and between institutes and advise the team of privacy coordinators. Many privacy coordinators also come from an IT and information security background, such as Wim Pool (head of IT at NIOZ), Cees van der Ven (head of IT at AMOLF), Miranda Breugem (security specialist at DIFFER), Ronald Sarink (IT manager at Nikhef) and Hans Bloemen (head of IT ASTRON). We’ve created some excellent documents recently in conjunction with all the institutes and found a great deal of consensus.’
‘Putting the GDPR into practice in the form of security, deleting data and setting up processes is largely the same for all the organisations, but each institute works with different systems. That’s why it’s good that we’re working together so that we don’t all have to reinvent the wheel. Working on this jointly and creating uniformity is something the GDPR lends itself to perfectly. The nine NWO Institutes and NWO-I office each have their own challenges in the GDPR. NSCR, for example, works with criminal investigation data, which is very privacy-sensitive. It requires quite a different approach to the one at the mathematical institute CWI’, according to Cora.
Awareness campaign
‘Now that many of the processes have been set up, the next step is to make NWO-I employees aware of the GDPR procedure(s). And particularly to ensure that it starts to interest people and that they get to know the processes. Otherwise a document will just remain a piece of paper. We are currently busy setting up an awareness campaign for employees: why and how to keep personal data safe way and store documents. We would like to place the GDPR on the agenda that way by making it both fun and interesting and create awareness. GDPR will also regularly feature on the agenda of departmental meetings.’
Hack
NWO fell victim to a hack in February this year. A group of cybercriminals known as DoppelPaymer gained access to the NWO network and personnel data by means of ransomware. It also had an impact on Cora and all the privacy coordinators. ‘Although the hack was terrible, it had the benefit of making employees even more aware of their own privacy and the fact that it isn’t just something that happens to other people. The NWO office immediately set up a Data Leak Response Team, comprising the head of NWO-I Communications, Arian Visser, the head of P&O, Liz Schilt, the lawyer Laurens Abbink Spaink, and the institute managers, Angeniet Gillissen (NSCR) and Marjan Fretz (ARCNL), and me. It took a lot of effort to steer things in the right direction, inform employees and former employees and brief them on what they needed to do. Obviously, any organisation can be confronted by a ransomware attack like this but it’s taught us that we need to look at processes more critically. And, as NWO and NWO-I, we want to make efforts to ensure that much less information can be found, that the information is better protected against an attack of this nature and that employees are more aware.’
The GDPR is never finished
‘I’ll definitely still be working for NWO-I until the end of the year. In the meantime, the organisation is looking for someone to take on my role permanently’, Cora says as she begins to anticipate the future. ‘We’ve really achieved some good things, but there’s still a lot to do. The GDPR is never finished. You are never 100% compliant, because there are always new projects and processes which require attention to remain GDPR-compliant. For example, the GDPR invariably has to become part of new projects which are started up in the organisation, such as a Central HR system for NWO-I in its entirety. The GDPR guidelines will have to be included from the start of the project- a process that is also called privacy by design. At a certain moment you can say that you’re in control as an organisation and that you can demonstrate what has been arranged and put in place. We’re now a lot further ahead than when I started at NWO-I. The first GDPR audit (a check to test how NWO-I stands as regards GDPR) which is due next year will be an excellent opportunity to assess our achievements.’
Text: Melissa Vianen
Newsletter Inside NWO-I, September 2021