In this article we want to spotlight a data protection officer based on 10 questions they were asked by DPI. Frank Mangelschots, DPO in several police zones, former student and current “Stay Tuner” at DPI, is happy to answer them.
How did you end up in the role of DPO?
I have been DPO of 7 East Flemish police zones for 3 years now. I was considered for this position when the former DPO was recruited at the Supervisory Body COC.
Since I am an operational police officer, I have the great advantage that I have already worked with all databases for 25 years and therefore know them inside out.
In my opinion, this is a huge advantage as a DPO, given that the concrete advice can be based on concrete knowledge.
After that I successfully followed the DPO training and the specialization DPO-Police at DP-Institute.
Which part of the tasks of a DPO do you prefer?
My preference is to increase awareness within the organization with regard to data protection.
As a DPO, I regularly provide training and educational sessions to make employees aware of their responsibilities in the field of data protection and to train them in the correct handling of personal data. For example, the training can be about the GDPR, Title 2, the obligations of the organization and employees, risks and how to limit them.
As a DPO, together with other departments, I help develop guidelines and policies for the processing of personal data and ensure that these are clear and understandable for all employees.
I try to ensure that employees are regularly informed about changes in the laws, regulations or the organization’s policy with regard to data protection. This can be done, for example, via newsletters, e-mails or other internal communication channels.
I organize awareness campaigns to make employees aware of specific data protection risks or threats, such as phishing attacks or data leaks. This can be done, for example, through posters, presentations or simulations.
By taking these and other measures, I can increase the awareness of data protection within the organization and ensure that all employees become aware of the importance of data protection and their role in this.
Which event in the privacy landscape has affected you the most to date?
The police receive daily reports of the elderly and vulnerable groups being scammed by phishing after an earlier theft of their data in a ransomware attack.
Often, these victims are left with a looted bank account where all their hard-earned savings have been stolen by attackers posing as a trusted party, such as a bank or a government agency, asking the victim to provide personal details or click on a link that leads to a malicious website.
The attacker may also try to convince the victim to transfer money to a fake bank account number.
Older people are often more vulnerable to phishing attacks because they are less familiar with the technology and less familiar with the ways attackers can target them. In addition, the elderly are often more likely to provide personal information and can sometimes be more easily persuaded to transfer money, especially if the attacker is posing as a trusted entity or if they are threatened with criminal prosecution.
It is therefore important to inform the elderly and other vulnerable groups about the risks of phishing attacks and to help them recognize suspicious e-mails, telephone calls and messages. It is also essential to ensure adequate security measures are in place to protect personal data and mitigate the risks of ransomware attacks.
How would you describe the role of DPO in your company?
The DPO is tasked with supervising compliance with the General Data Protection Regulation (GDPR) and other data protection laws and regulations. Title 2 is also extremely important within the police context, given that all processing within the judicial and administrative context falls within this.
Advising the organization on its data protection obligations and implementing appropriate measures to comply with these obligations.
Acting as a point of contact for the internal Data Protection Authority COC and data subjects.
Advising on Data Protection Impact Assessments (DPIAs) to identify and minimize data processing risks.
Monitoring compliance with the GDPR and other data protection laws and regulations, and conducting internal checks on the use and possible misuse of the police databases.
Collaborating with various departments within the organization, such as IT, HR and management, to ensure that data protection is integrated into the police business processes.
It is important that a DPO takes seriously and carefully performs all tasks within his or her area of responsibility to ensure that the organization complies with data protection laws and regulations and that the personal data of data subjects is handled in a secure and responsible manner.
What do you think is the biggest challenge for a DPO?
The biggest challenge for a DPO with us is to ensure that the police zone complies with the ever-changing legislation and to effectively protect the personal data of data subjects, while at the same time enabling the organization to achieve its operational policing objectives. This is especially difficult due to the increasing complexity of data processing and storage, as well as the proliferation of sophisticated threats such as ransomware and hacking. In addition, new technologies, such as artificial intelligence and the Internet of Things (IoT), bodycams, drones, ANPR cameras, can bring new challenges for the protection of personal data and the privacy of data subjects.
Another important challenge for a DPO is to ensure awareness of and compliance with privacy legislation among all employees within an organization. This requires good support from the policy and the chief of police as controller. This includes developing and implementing effective privacy policies and procedures, as well as providing training and education to employees at all levels. It is also important that a DPO works closely with the IT department and other relevant departments within the organization to ensure that privacy and security measures are effectively implemented and maintained.
Which technological evolution do you think has the most impact on data protection (positive/negative)?
Cloud computing has changed the way data is stored and processed. It offers benefits such as scalability, flexibility and cost savings, but it also poses data protection challenges. For example, it is important to ensure that data stored in the cloud is properly secured and appropriate measures are taken to prevent data loss.
The Internet of Things (IoT) refers to the ever-expanding networks of devices connected to the Internet. These devices continuously collect and exchange data, posing privacy and security risks. It is therefore important to ensure that these devices are properly secured and that data collection and processing takes place in accordance with privacy legislation.
Artificial intelligence (AI) is another technology that has a major impact on data protection. For example, the use of AI can lead to new ways of analyzing and processing data, but it can also lead to new privacy and security risks. It is therefore important to ensure that AI systems are properly secured and that the data they use complies with privacy legislation.
Biometric identification technologies, such as facial recognition and fingerprint scanners, are increasingly used for authentication and identification. However, these technologies collect sensitive personal data and it is therefore important to ensure that this data is properly protected and that the use of these technologies complies with privacy laws.
What are your experiences in the contact between the DPO and the data subject/supervisor?
The contacts between the Control Body for Police Information (COC) and myself are positive. It is important that the DPO is transparent and clear about how the personal data of the data subject is processed and how it is protected. The data subject has the right to request information about the processing of his or her personal data and the DPO is responsible for answering these questions.
For example, we receive many questions from citizens who would like to have their data deleted from the police databases. Together with the supervisor, we therefore proceed to the necessary rectifications within our databases.
In the past, I had several contacts with the supervisory authority when reporting and following up on data leaks. There is also a very strict follow-up from the supervisor.
It is important that the DPO builds a good relationship with those involved and supervisors, so that open and transparent communication can take place. This is essential for successful compliance with privacy legislation and safeguarding the privacy of data subjects.
What is your golden tip for getting data protection and information security higher on management’s agenda?
My golden tip for getting data protection and information security higher on management’s agenda is to emphasize that it is not only about complying with laws and regulations, but also about protecting the image of the Police and the relationships with the public.
After all, a data breach can not only lead to reputational damage, but also to the loss of very vulnerable and sensitive data of citizens.
In addition, it can be useful to make management aware of the costs of a data breach and its impact on business operations. This can be done, for example, by performing a risk analysis and drawing up a cost-benefit analysis, in which the potential costs of a data breach are compared to the costs of implementing adequate security measures.
Another way to move data protection and information security higher on management’s agenda is through awareness raising and employee training. By informing employees about the risks of cybercrime and the importance of information security, awareness can be increased and employees can be better involved in the protection of personal data and confidential information.
It is important to involve management in implementing security measures and reporting progress and results on a regular basis. This allows them to see the impact of their investments in data protection and information security and to further promote them.
I myself have an information security cell in every police zone. We therefore meet regularly to discuss the follow-up to the information security policy plan.
What is your Swiss army knife as a DPO?
One of the most important tools a DPO can use is a good privacy management system. This can help monitor data processing, manage data leaks, document processing activities, image registers, processing agreements, DPIAs.
This allows the DPO to quickly gain insight into the status of data protection within the organization and to quickly identify and address any risks and problems.
Another important tool is knowledge and expertise in the field of privacy legislation and cyber security. This includes not only knowledge of laws and regulations, but also knowledge of technical security measures and data protection best practices. This enables the DPO to provide proactive advice on the implementation of security measures and to identify and address risks in time.
It is important to have a reliable tool where information such as legislation can be found quickly and efficiently.
Finally, communication is a crucial tool for a DPO. It is important that the DPO can communicate effectively with various stakeholders, such as fellow DPOs, employees, management, stakeholders and supervisors.
By communicating clearly and transparently about the data processing and the measures taken, the DPO can gain the trust of all stakeholders and improve compliance with privacy legislation within the organization.
How do you keep up with new trends in GDPR technology and legislation?
I have subscribed to DPI’s Stay Tuned training where we can follow recent rulings and legislation to keep abreast of new trends and developments in GDPR technology and legislation.
I follow Dasprivé’s weekly podcast and am also connected to some relevant groups on LinkedIn. There are several platforms that focus on privacy and data protection. By following these websites and blogs, you can quickly be informed of new developments and insights.
Conferences and events are regularly organized to discuss the latest developments in GDPR technology and legislation. By attending these events, you can not only stay abreast of new trends and developments, but also network with other privacy professionals.
Finally, a DPO can also consult experts and colleagues in the field of GDPR technology and legislation. These can be internal experts, such as IT specialists or legal advisers, or external consultants and specialists. By consulting these experts, you can quickly and effectively find answers to specific questions and problems.