In this column, we like to take a moment to highlight a Data Protection Officer based on some 10 questions DPI asks them. Liesbeth Aelterman, Data protection & Information security consultant at Spotit, alumnus and current Stay Tuner at DPI, is happy to answer them.
- How did you end up in the role of DPO?
I have a legal background through my education and was confronted with GDPR for the first time in my previous job. I found the GDPR legislation very interesting so I stuck to it and followed various courses. As I had more theoretical knowledge, I wanted to know how I could put this into practice.
I started at Spotit at the end of 2017 and gradually ended up in the DPO role.
To this day, I don’t regret it for a minute. It remains a subject that fascinates me very much and in which there is so much to experience.
- Which part of the tasks of a DPO do you prefer?
This is a tough choice. Brainstorming, advising and following up from the start of a new activity, I find it all very nice tasks. It ensures that theory and practice must be combined. In addition, we must follow up on the latest decisions and try to implement them each time.
- Which event in the privacy landscape has affected you the most to date?
I wouldn’t really use the word ‘affected’ here. However, in response to the new measure announced whereby a medical certificate for short absences will no longer be required, I read that an employee must indicate where he/she will be during the first day of incapacity for work (if this deviates from the official residence). In such cases I automatically think of the link with privacy and how companies will deal with this.
I expect that this will be reflected in a decision of the Privacy Authority in the future.
- How would you describe the role of DPO in your company?
In a single word: pragmatic.
As a DPO I try to think from multiple points of view. The theory is one thing, the practical use is another. With every piece of advice I always try to think from a practical perspective: what is feasible, what is possible, what is not possible, if we do A, what will happen if we do B? However clear and good a piece of advice is, if it is not feasible in practice then it is of little use. At times this is of course difficult: if a certain processing activity is not possible or allowed, then one will of course have to accept it.
In my experience, a DPO will more often be involved from the start if a common solution can be found, rather than just sticking to the theory.
- What do you think is the biggest challenge for a DPO?
Ensuring that you are and remain involved in as many things as possible in the company, without being seen as a delaying factor.
- Which technological evolution do you think has the most impact on data protection (positive/negative)?
The emergence of various GRC tools, without specifically emphasizing one tool. In the beginning, when GDPR came into effect, many things were kept, for example, in Excel. Today it is possible to put everything in one tool, which makes it more efficient. You are able to forward questions via the tool, collect all information in one place and keep everything up to date.
- What are your experiences in the contact between DPO and data subject/supervisor?
I personally have little contact with the regulators in general. Yesterday I was at a privacy seminar where the chairman of the GBA came to present the new action points for 2023. This was certainly interesting, and was the first personal contact for me.
- What is your golden tip for getting data protection and information security higher on management’s agenda?
The most important thing is to be able to demonstrate the added value. You can do this by, among other things, focusing more on the financial benefit for the company.
Often management sees data protection and information security as a burden and a cost rather than an added value. By focusing on both subjects, you ensure that your company has a good basis for the future and the changing society.
- What is your Swiss army knife as a DPO?
My privacy knowledge in different domains and sectors. As a DPO, I have several clients in various sectors (e.g. IT sector, transport sector, etc.). As a result, I have been able to build up extensive knowledge over the last 5 years. By not limiting myself to one sector, I notice that you will investigate certain things more often; in this way you learn every day.
- How do you keep abreast of new trends in GDPR technology and legislation?
I have been following the Stay Tuned as a DPO at DPInstitute for several years, very interesting courses that allow me to keep up with the latest new things in a short time.
I am also subscribed to various newsletters and if possible I try to be present at various privacy conferences/seminars.
Of course I am a loyal listener of the DasPrivé podcasts.