Helma de Boer has worked as ROC Deltion College's Privacy Officer since May 2018. In that role she advises management on how best to deal with information and information technology. Since 2004 Helma has run Artheos, teaching privacy awareness and digital rights and literacy. She has frequently contributed articles to Bits of Freedom, the Dutch non-profit organisation fighting for ‘internet freedom’.

Helma translated Silkie Carlo's and Arjen Kamphuis' book Infosec for Journalists into Dutch. She followed the Data Protection Officer (DPO) course at the HAN in Arnhem and published the booklet Persoonlijke informatiebeveiliging (Personal Data Security) together with the aforementioned author Kamphuis. Most recently she wrote 'Digitale privacy/AVG voor de werknemer - een praktische handleiding', a GDPR manual for the regular employee.

Could you tell me more about what the DPA course at the HAN entails?
At the moment the DPA course at the HAN actually consists of two courses. The first course ('foundation') specifically focusses on the content, intent and interpretation of the GDPR, the role and responsibilities of a DPO and information security, both technical and organisational. Other topics include internet architecture and ISMS (Information Security Management System).

The second course ('practitioner') is hands-on and covers privacy management, team building, risk management, BiSL (Business Information Services Library) and security frameworks. In addition, a student has to write a plan for an organisation to achieve compliance.

Are you involved in an alumni network / do you get value out of connecting with fellow alumni?
The groups are small at the HAN, so there is a lot of contact, including feedback during the course. After the courses you will have a network that covers everyone involved, students as well as (guest) lecturers.

Could you please elaborate on your role as Privacy Officer at the ROC Deltion College? What challenges do you typically deal with?
As Privacy Officer I inform and advise the management about how the organisation can make the best use of information and information systems (related to personal data). I am responsible for the privacy policy and data protection of both students and employees. In this role I work together with the Security Officer, Information Manager, and Policy Officer of Automation to keep a safe architectural information landscape, and I see to implementing privacy by default and privacy by design. I am responsible for the awareness training of my colleagues and for the management of data breaches that involve personal data.

Deltion is a complex organisation with over 17,000 students and around 1,100 employees; in that lies the main challenge. Employees are not familiar with the way everything that has to do with information and automation is neatly filed in an Information Technology Intelligence Library (ITIL) to keep everything working, nor would they necessarily realise, left to their own devices, that they need to involve someone to push for privacy by default or privacy by design.

Another challenge is establishing a conclusive, shared interpretation about proper measures.

Something else I would like to mention as a challenge: the widespread misunderstanding or misinterpretation of the GDPR in the how-to blogs. I rely heavily on the key experts and always consult their point of view whenever there is a disagreement. Communication is key to everything.

What are some of the unique challenges with data privacy at the Deltion College? Were you personally involved with Deltion College’s compliance efforts, or was a lot taken care of already before you joined in May?
First I'd like to say that compliance is an ongoing thing. Fortunately I am not the first privacy officer of Deltion. A lot has been done, as we had the Wbp (DPD) before the GDPR. However, for example: the privacy policy and the protocol around the choice and implementation of new software needed to be updated.

Deltion works together with other ROCs in the saMBO-ICT group, and this helps a lot to ensure continued growth toward a satisfactory level of maturity on all levels. I found that people usually do not recognise the relation between privacy and automation, although they realise personal data is stored in digital environments.

Establishing a conclusive, shared interpretation about proper measures is a real challenge.

A particular unique challenge with data privacy at an education institute is that you are dealing with detailed information about students, mostly under the age of 18. And, as you probably know, the most common data breach is an email sent to the wrong recipients; in my situation, for example, sensitive information about one student could accidentally be shared with a whole class. The impact could be severe.

Are you satisfied with the GDPR’s scope?
I am. Even more so, now that I know a new privacy directive for e-Privacy is about to become active. I am not only a privacy officer for an organisation, I am also a privacy activist for individuals. So to me, privacy is more than good organisational practice; it also means to actually have more control over your own privacy online (think: data brokers). Informative cookie policies are a direct and wonderful result of the GDPR requiring consent to collect data for commercial purposes.

Compared to the DPD, what do you consider the main advantages of the GDPR?
To me there are two main advantages of the GDPR. The first one is the enormous increase in awareness: organisations (people) in our society overall take greater responsibility in handling personal data carefully. In my experience every organisation, from freelancers to big companies, treats this topic with greater care and budget. There is much more awareness that digital data should be handled with care; the willingness to act is a great result.

The second advantage is that individuals are given more tools to guarantee their new rights (specifically with respect to data brokers). This also amounts to more awareness.

There’s been a lot of scaremongering around the regulation. I always assumed fees will be proportional and a last resort. Would you agree?
Absolutely. The first thing I always say at GDPR sessions is that it is not about fees. It is about handling personal data with respect. Everyone wants their private information to be in good hands, right? In addition, the letter of the law is only printed in black and white, but life is never actually black and white (why else would we need lawyers?). In my opinion there is only the spirit of the law. But that is merely my insight.

On the other hand, I look forward to the outcome of lawsuits against, for example, tech companies, the data marketing driven companies that will always want to cross that grey line of the GDPR in favour of their profits. So, fees could be important nevertheless.

When consulting other companies trying to make sense of the GDPR, do you apply a mental framework for privacy topics of sorts?
Yes, in a sense. I break down the GDPR into four blocks: management, personnel, IT, individuals. In this way it is quite clear that the foundation is IT, but it cannot operate without the directive and budget of the management. GDPR compliance goes top-down. Personnel and individuals merely need to be provided with their tools.

The Data Protection Authorities don't seem to be in a particular hurry to audit businesses. Why is that, you reckon?
I'm not sure they aren't in fact in a hurry. However, they can only go as far as their budget takes them. We are all late in realising the GDPR would come into effect, businesses and politics alike.

I look forward to the outcome of lawsuits against the data marketing driven companies that will always act in favour of their profits.

What is your opinion on companies shutting down their European business or restricting European visitors from visiting their publications?
That is the best indication that our internet is actually broken (as Marleen Stikker pointed out in Zomergasten). It is ridiculous for a variety of reasons, and those all involve money. Luckily, there is something called a VPN.

Now that the deadline has passed, how many companies in your opinion are inclined to stay compliant and to regularly audit themselves? Or will (high profile) warnings and fines trigger waves of self-auditing?
Compare it to driving a car: there is this law that tells you what you may and may not do. This law will not go away. The Data Protection Authorities will not go away. I believe that even without active enforcement and control, organisations will work to be as compliant as possible. Their employees will want them to. The protection of privacy is definitely on society's agenda.

Could you elaborate on what you expect from the new cookie law?
The new ePrivacy directive will be a pain in the ass for the data brokers, that is for sure. The big players are probably working on a backdoor as we speak. They want your data nevertheless. For free. In any case, in a lot of situations the ePrivacy directive will give individuals the opportunity to choose to have more privacy online (by being made aware of what is actually going on). A choice they did not have before.