In this article we want to spotlight a data protection officer based on 10 questions they were asked by DPI.

Frieke Verniest, Data Protection Officer at AZ Sint-Jan in Bruges, is this month's DPO.

How did you end up in the role of DPO? 

Frieke: In 2016, I started as a staff officer in the ICT department at AZ Sint-Jan. The former information security consultant had just retired. I was asked if I was interested in anything to do with privacy and security. A training course quickly followed, very quickly followed by many information sessions on the upcoming GDPR, networking moments with colleagues from other hospitals and we started a process to get the hospital as ready as possible when the GDPR came into force.

This included the official appointment of a DPO. This gave me a new interpretation of my role in the hospital. To this day I have no regrets about that, on the contrary. 


Which part of the tasks of a DPO do you prefer? 

Frieke: I get the most satisfaction from contacts with the various departments and stakeholders in the hospital. The role of DPO ensures that I may and must gain knowledge of all processes and functions in the hospital. 

I still enjoy setting up and giving awareness sessions the most. Turning dry subject matter into a recognizable story with the aim of conveying something that sticks with colleagues who are in the field, that’s where I get satisfaction. 


Which event in the privacy landscape has affected you the most to date? 

Frieke: The cyberattack and thus the major data breach at made me frown. That a data leak with such a large impact is possible is no secret to anyone. What did make me frown was the apparent calm and resignation among the victims. Few involved seem to be very concerned about their data being on the street. Very few see any danger in certain information being shared or leaked. This indicates that we still have a long way to go in terms of awareness. 

I do see a nice positive evolution at VRT NWS, for example. Technology, privacy and security are getting more and more specific attention and appear as separate items in the news and in news programs. 


How would you describe the role of DPO in your company?

Frieke: The role of DPO within our hospital consists of rigorous advising, being accessible for any question, setting up awareness from top to bottom of the organization. As a DPO, I also try to think along where possible. 


What do you think is the biggest challenge for a DPO? 

Frieke: The ever-growing connection between privacy and technology. How can you, as a DPO, keep up with legislation and case law on the one hand and have sufficient up-to-date knowledge of technology and technical possibilities in terms of privacy and security on the other? 

Everything is becoming digital, everything has a security aspect and every project has a privacy section and a security section. AI is a great example of this. As a DPO, how much do you need to understand what is coming in-house and what is being used in-house? How should you as a DPO correctly oversee and advise without thwarting innovation? Is that the role of the DPO alone? 

Fortunately, in our organization we can count on a very close collaboration with the IT security team. We almost sit next to each other and consult weekly. We benefit from each other’s knowledge and passion about privacy and technology. 


Which technological evolution do you think has the most impact on data protection (positive/negative)?

Frieke: AI without a doubt. This sounds like kicking in an open door. AI is rushing at us. Where technology is starkly improving ease of use, there you see that people are more likely to give up their privacy. That’s perfectly understandable. I get a lot back, so why not give up some of my privacy?  

The impact on data protection here can be negative, although I don’t want to sound pessimistic here. Negative in terms of sharing personal data too easily to a black box that needs to be trained or that can give us a smart answer back. What guarantees are there here in terms of data protection? 

I also see a lot of projects emerging that are really committed to privacy and security by design. In the world of blockchain, some players are betting rock hard on privacy. I am eagerly waiting to see if they will make a go-ahead with a positive impact on data protection.  

Another positive story is that of data vaults, such as the Solid project. Wondering if that will become a standard and how this evolves and if it will really be a true transformation as people suggest.


What are your experiences in the contact between the DPO and the data subject/supervisor? 

Frieke: Contacts with stakeholders are often a positive story. People have questions and get answers or get a better understanding of what is possible, allowed and who ever accessed their file. Sometimes there is a less positive experience with a data subject, that can be if there was another negative experience before the question or complaint to the DPO.  

Often a lesser experience also comes from a lack of understanding. I have found that calling people and not limiting yourself to email can be a big help here. In 1 extreme case, we even once went up to a patient’s room to show together how to manage eHealth-level access to your file. 

Contact with the VTC is often positive. They are accessible if you have questions. If you report a data breach, you always get a response (with some delay). We’ll take the reprimand at that point. 


What is your golden tip for getting data protection and information security higher on management’s agenda? 

Frieke: A data breach or a cyber incident is the quickest way to get this on their agenda. No, we’re not going to wait for that and you don’t wish that on any organization.

Facts, figures and an understandable story. Link the organization’s strategic goals with how privacy and cybersecurity can help with that. Make that tangible, show them figures on how easily we still fall for phishing emails. Make them aware of their responsibilities as outlined in the law (GDPR and NIS2).  

But the golden tip? Get to know your management and find out if they are sensitive to dry numbers or rather to a story of responsibilities or maybe they are very keen to get certified and compliance is important? For every type of manager, there is certainly a way to make them understand that privacy and security are important.


What is your Swiss army knife as a DPO? 

Frieke: An app with the legislation. That way I always have it handy. 

Colleagues and collaboration with colleagues from other hospitals. That is so important. Sharing knowledge, sharing frustrations, sharing tools and thinking together how to do things better. 


How do you keep up with new trends in GDPR technology and legislation?

Frieke: On the one hand through knowledge-sharing platforms and on the other through the Stay Tuned sessions that Data Protection Institute sets up. 

I sometimes lack the time to skim the website of the GBA, EDPB and VTC myself. So I am very grateful that these knowledge-sharing opportunities and Stay Tuned sessions are there.








