What happens to personal data when it comes into the hands of organizations? It is up to labs to provide a well-thought-out answer to this. At least, that is what the General Data Protection Regulation (GDPR) tells us. That is precisely where the crux lies: are the choices you have made the right ones? The Dutch Data Protection Authority is happy to provide clarity. A Q&A with Sofie van der Meulen, Senior Supervision Officer.

To start at the beginning: what makes it so difficult for organizations to implement the GDPR?

“The GDPR has many open standards. The framework has been drawn out, but it offers quite a bit of room to further color this within your own specific situation, working method and according to your own preferences. For example, the legislation states that there must be a processing register, but what exactly that looks like is up to your own interpretation. While one person provides insight into collected and processed personal data with data management software, the other uses an Excel sheet.”

Is one better than the other?

“One organization is not the same as the other. Processes, systems and methods of data collection differ. There are companies with 3,000 employees and small organizations with three employees. For those reasons, everyone casts the GDPR in their own mold. What works well for one person does not necessarily have to be the solution for another.”

Are there any more reasons why the GDPR remains difficult for organizations?

“When the GDPR came into effect, a lot of attention was paid to fines. As a result, the idea prevails that you will be immediately punished if you do not comply with the legislation. I would like to dispel the misconception. If you are reprimanded, this is normally not immediately a fine. This is preceded by discussions and opportunities for improvement. If we impose a fine, then something is really going on. For example, if the mistakes made are disproportionate.”

Want to know more about the basics of the GDPR?

  • Discover the meaning of basic terms on the Dutch Data Protection Authority website.
  • Find more information on the European Data Protection Board website.
  • Read legal blogs.

How can organizations see the GDPR less as something 'intangible'?

“How do you eat an elephant? Step by step. You don't have to have everything perfectly arranged right away. What matters is that you are concerned with privacy and data processing. Start somewhere and don't let the space for your own solutions become an obstacle.”

And how do they make privacy legislation their own?

“Accountability: everyone in the organization must actually feel responsible for good data protection and implement processes to achieve this.”

Do you have a concrete example of how to do that?

“Consider creating awareness within the organization. For example, with annual training in which everyone has the agreed rules memorized. Or test employees with a phishing email and see what happens. Is someone going wrong? Then that doesn't say anything bad about the employee. Apparently more training or other ways to create awareness are needed. Then get to work on it.”

Watch Sofie van der Meulen's webinar below, in which she teaches you everything about accountability and how to get a grip on (personal) data and good data management.

What should laboratories be extra vigilant about?

“Lab automation involves new systems and software packages. Know which suppliers you are working with. Just because something is 'convenient' does not mean it is safe. So be critical and make clear agreements. For example, record annual audits in the supplier contract where an external party checks privacy.”
