Udo Oelen is the Chief Privacy Officer for the Dutch railway company Nederlandse Spoorwegen (NS), as well as their Data Protection Officer as of March 2018. From 2012 until early 2018, Udo supervised the private sector at the Autoriteit Persoonsgegevens ("AP", the Dutch data protection authority).

The NS thought long and hard about privacy and compliance, well before the May deadline. Past challenges, like with the ‘Limburg contract’ (article in Dutch), received a lot of heat in the media, making compliance top priority.

NS privacy officers lead the compliance efforts of the various department units. Udo’s team has a direct line with the board of directors, underlining the value NS assigns to compliance. “The GDPR definitely is a topic of much discussion within the organisation, the NS needs to get it right.”

Could you please elaborate on your role as Chief Privacy Officer at the NS? What challenges do you typically deal with?

“Privacy officers are involved in innovation projects from the very beginning, to prevent anxiety from putting a damper on product development. We’re dealing with a vast amount of data. 1.2 million travelers a day, cameras on almost every station, the ‘OV-fiets’ (rental bicycle), the OV chip cards (national public transit card), the body cams that were recently distributed to 700 members of the safety personnel, and more.”

There are plenty of initiatives that use this data to optimize transit. The Dutch railway system is one of the busiest in the world, and during rush hour it can be hard to find a seat. One initiative to solve this problem is the ‘Zitplaatszoeker’ pilot, which uses weight sensors to identify which wagon might still have seating available. “Customer satisfaction is largely defined by the availability of a seat.”

Photo by Serhat Beyazkaya on Unsplash

Judging by the number of requests that reach the privacy officers’ inboxes, Udo says, the message comes through loud and clear. The NS initiated a number of efforts to ensure that data protection becomes an integral part of its company culture. The NS made e-learning exercises mandatory and sent tons of educational newsletters and magazines to everyone within the organisation. “They know where to find us,” says Udo.

Besides the privacy officers, who are all lawyers, the NS counts between 40 and 50 ‘privacy champions’. They function as an extended team, eyes and ears open at all times, watching out for privacy issues. “If one person has a question, then most likely there are more people with that same question. The GDPR is ingrained in the NS’s company culture. We didn’t get where we are today with a half-baked approach.” An example of a scenario where an NS employee might feel unsure about the best way to proceed is a conductor collecting a person’s details when the traveler has been using public transport without a valid ticket. In order to protect the individual’s privacy, personnel are advised to take the conversation to a quieter part of the train. “Another example is duty rosters listing leaves of absence. Who has access to these lists, and should they be public in the first place?”

Were you personally involved in the NS’ compliance efforts or was a lot taken care of already before you joined in March?

“The AVG (GDPR) program had been running since the summer of 2017, and is largely based upon the analysis of an external firm. The items they identified as needing improvement were broken up into work units small enough to work on. One of those work units, for instance, was the identification and auditing of the third-party processors (in a Data Processing Register).”

This very thorough introspection was already approaching completion when Oelen joined the NS in March. At the moment of this interview (August 2018), Udo says they’re putting the last checks in place before responsibility for those units is handed back to the various departments.

Is there anything unique to the NS compliance process that you could share? What’s the NS’ data protection mission?

“The NS defined four axes (‘vertrekpunten’) along which we measure our actions. We aim to be ‘Transparent’, explaining clearly how and to what end we collect data. We want to make sure you’re ‘Safe with NS’, securing your data properly and only using it for our services. Following the ‘Choice and control’ pillar, you decide whether we can use your data for additional NS services. And following ‘Innovative and open’, we will always try to find new ways to enhance your privacy and we are open to feedback.”

It’s an opportunity to really look at your business and use compliance as a success factor.
— Udo Oelen

Could you tell me a bit about your time with the AP? Were you involved with the creation of the new regulation? Are you satisfied with its scope? Compared to the DPD (the Data Protection Directive, a European Union directive adopted in 1995), what do you consider the main advantages of the GDPR?

The chairman of the AP was directly involved with the Article 29 Working Party, which is an EU-level advisory body made up of representatives from across the EU. Udo wasn’t actively lobbying but was nevertheless involved with its progress. The resulting law is much to Udo’s liking. “It’s a real step forward, a one-stop-shop for international discourse. The DPD as a guideline was interpreted and enforced differently from region to region. It didn’t live up to its intended effect of safeguarding European citizens. Under the GDPR however, accountability principles are well warranted. And Data Portability as one of the pillars carries a lot of weight. The GDPR isn’t that different from the DPD conceptually, except for the latter being a guideline, rather than a law. Judging from the widespread panic, fines are what’s needed to have companies pay attention.”

Photo by Bruno van der Kraan on Unsplash

There’s been a lot of scaremongering around the regulation. I always assumed one should think more in terms of the spirit of the law, instead of the letter of the law. Fines will be proportional and a last resort. Would you agree?

“An auditor could tell you you didn’t strictly take all measures you could have to guarantee compliance. When you have a sound explanation for implementing a thing in a certain way, at most the authorities will advise you to change your approach. I don’t think a company will be fined unless they purposely didn’t take measures to be compliant, when they didn’t appoint a Data Protection Officer, or otherwise ignored what common sense would have told you to implement.”

Judging from the widespread panic, fines are what’s needed to have people pay attention.
— Udo Oelen

“It’s important that you’re able to show that you’ve made an effort, that you put sufficient thought into your compliance process.

The scaremongering is in large part fueled by external firms looking to make a buck, but I know the Dutch authorities view fines as a last resort. Although it might aid awareness if they were to audit regularly and fine proportionally and justly.”

The data protection authority in the Netherlands (AP) doesn't seem to be in a particular hurry to audit businesses. Why is that, you reckon?

“The AP takes on many roles. One role entails advising companies on the regulation. They offer a 24/7 hotline, which I’m sure is being used extensively. I assumed the AP already checked that companies appointed a DPO and keep a Data Processing Register. The AP is collecting complaints from data subjects and already alerted companies potentially at fault to better their ways.

Understandably, the AP isn’t transparent about the companies it’s keeping an eye on. If word gets out about your company being audited and it turns out you are compliant, the bad PR might already have damaged your reputation in an irreversible manner.”

Now that the deadline has passed, how many companies in your opinion are inclined to stay compliant and to regularly audit themselves? Or will (high profile) warnings and fines trigger waves of self-auditing?

“I’ve heard vastly different stories about the compliance process (and status) in the Dutch SME and enterprise spaces. I’d think it’s not too complicated as long as collecting personal data isn’t your core business. But I bet there are also a lot of companies that haven’t done much yet.

I really like the way the AP looks at things. They frame it as an opportunity to take a fresh look at your business and your processes and use compliance as a success factor.”

A challenge Udo foresees is keeping that sense of urgency with each month passing. Internally they will continue pushing the topic to ensure continued buy-in at every level of the organisation.