Stefan Gerts is the Chief Privacy Officer (since 2018) and Manager Commercial Legal (since 2011) for PostNL (the Dutch postal service). Stefan studied Law, obtained his ISPL certificate (Information Services Procurement Library) from EXIN in 2005, and specialized in IT Law thereafter.
What challenges do you typically deal with at PostNL? Were you personally involved in the company's compliance efforts or was a lot taken care of before you joined?
Since March of this year I have held the position of Chief Privacy Officer, as well as Data Protection Officer, at PostNL. Before that, I gained a lot of experience with IT- and privacy-related topics in my position as Manager Commercial Legal. As Chief Privacy Officer I am responsible for the Privacy Office, within which the Privacy Officers support the organization with the GDPR and related questions.
As a result of our GDPR compliance implementation we have noticed that it is essential that all employees within the organization have sufficient awareness of this subject; it must become part of people's mindset, and stay that way.
By means of guidelines, checklists, e-learning modules, and information sessions we try to facilitate learning in the organization as well as we can. Recently we have been seeing that our efforts are paying off: employees approach us proactively with all kinds of privacy-related issues.
When I started in March, a lot of work had been done already, but it turned out that there was a lot of demand within the organization for concrete deliverables (processing agreements, FAQs, guidelines, systems concerning processing and DPAs), and we still had to make a big push to see GDPR compliance land properly within the organization. Among other things, through the introduction of privacy coordinators within the various organizational units, we have been able to do this quickly and adequately. The privacy coordinators, as an extension of the Privacy Office, keep in touch with the organization and quickly identify questions and problems.
Is there anything unique to the compliance process of PostNL that you could share? What’s your data protection mission?
I think that PostNL is unique in the sense that all employees within PostNL are involved in this subject, from the parcel deliverer to the board. The privacy mission of PostNL is to reflect how the consumer sees PostNL: reliable, transparent and honest.
Are you satisfied with the GDPR’s scope? Compared to the DPD, what do you consider the main advantages of the GDPR?
I believe that the GDPR is definitely a step forward, particularly because of the uniformity within the EU, whereas the DPD was subject to local interpretations. Under the GDPR, accountability has been made SMART, so that it is clear what organizations must comply with and how they must be able to demonstrate this.
The hype of the GDPR was certainly used by certain parties to create fear within organizations. I am therefore almost certain that the future will show that the extent to which organizations can demonstrate that they take privacy seriously will be important in weighing possible sanctions, regardless of what's actually printed.
Now that the deadline has passed, how many companies in your opinion are inclined to stay compliant and to regularly audit themselves? Or will (high profile) warnings and fines trigger waves of self-auditing?
The first question here is: when are you compliant? In my view, compliance is a gradient, where "100% compliant" will always be a snapshot, since the organization and its processes are constantly changing. In my opinion, internal audits are a good way to determine the state of affairs frequently and adjust where necessary. Obviously warnings and fines will make organizations even more aware of the risk, but in my opinion this should not be the most important driver.
What’s PostNL’s greatest challenge when it comes to staying compliant?
The biggest challenge is to keep the organization continuously aware of the subject and to obtain the required information from the organization on a regular basis.
What fuels your enthusiasm for the topic of privacy and data protection?
Privacy is a topic that affects everyone and everything and will only become more important in the future. I believe privacy is a real business enabler and worth the challenge to embed this relatively new area of focus within an organization.
Could you elaborate on what you expect from the new cookie law?
I hope that the ePrivacy regime will not lose sight of practical applications and will take into account the different business models in this area. In short, make sure that it is clear to users what they do and do not give companies permission to do, without having to give separate permission for each website. From my perspective, if you don't think this through you create a situation in which people almost automatically click "accept".