In this article we want to spotlight a data protection officer based on 10 questions they were asked by DPI. Hannah Maton Deputy DPO City of Ghent,, former student and current “Stay Tuner” at DPI, is happy to answer them.
How did you end up in the role of DPO?
June last year I obtained my master’s degree in law. During my studies I already took an elective on data protection and it soon became clear that I had found my passion and wanted to continue working with it. When I started as deputy DPO at the City of Ghent in September, I was asked to follow the five-day training at DPI and I obtained the certificate of Data Protection Officer.
Which part of the tasks of a DPO do you prefer?
I am happy to answer questions for advice. As a DPO you are presented with new issues and cases every day. Analyzing and solving these makes the job interesting. Moreover, many colleagues have the idea that the GDPR makes their activities and projects more difficult. I find it very valuable to teach them the importance of the GDPR and to look for a solution together that works for everyone.
Which event in the privacy landscape has affected you the most to date?
I find ransomware attacks on hospitals really incomprehensible.
How would you describe the role of DPO in your company?
The GDPR is often seen as somewhat restrictive, but more and more colleagues are finding their way to our DPO team. I therefore always try to be accessible, to think along about solutions and to teach my colleagues that the GDPR also allows a lot, provided that the necessary safeguards are implemented.
What do you think is the biggest challenge for a DPO?
Raising awareness about data protection at all levels. It is no simple task to teach everyone the importance of the GDPR and to provide tailor-made training.
Which technological evolution do you think has the most impact on data protection (positive/negative)?
The concept of personal data vaults, where citizens can choose for themselves which data they share with which organizations and for what period, seems very promising to me.
What are your experiences in the contact between the DPO and the data subject/supervisor?
We notice that more and more citizens are invoking their rights under the GDPR. Contact with data subjects therefore mainly consists of answering e-mails from citizens about the exercise of these rights. As far as autorities are concerned, I have been in contact with the VTC (the Flemish data protection authority) for informal advice on the use of the public cloud, where they have pragmatically thought along with us and provided valuable points for attention.
What is your golden tip for getting data protection and information security higher on management’s agenda?
I think we should explain enough that protecting citizens’ personal data is part of good service to citizens and taking care of citizens. I also cannot deny that the cyber attack at the City of Antwerp helped to raise management awareness.
What is your Swiss army knife as a DPO?
I always try to explain the why sufficiently: why certain things are not possible and others are, why something is better handled in a different way, why certain extra measures are necessary, etc. It is not always easy to reconcile the legislation with the questions from colleagues, but I always try to think along with them and provide sufficient explanation.
How do you keep up with new trends in GDPR technology and legislation?
The DPI Stay Tuned sessions are of course an excellent way to stay informed of the most important statements and evolutions within the privacy landscape and to exchange ideas with other DPOs. I also like to listen to Dasprive’s podcast, occasionally follow a webinar and view the rulings and advice on the website of the regulators.