Just a couple of months ago, Aleid Wolfsen assumed a new role as the chairman of the Dutch Data Protection Authority. He replaced Jacob Kohnstamm, who'd held the position for 12 years before he moved on. As most newcomers to the privacy profession would probably tell you, learning the nuances and intricacies of data protection and privacy can be a daunting task, even under normal circumstances. But Wolfsen comes to his role at a particularly dizzying time, with Europe's General Data Protection Regulation coming into force, and companies, governments and regulators alike preparing for the new regime and the changes that are already ushering in.
"My main task is the proper implementation, the right implementation of the regulation and the new directive," he said.
Wolfsen, whose gentle smile can be deciphered even as he speaks over the phone, is a lawyer. His background includes stints as the mayor of Utrecht, a city in the Netherlands, as well as judge and vice president of district courts in Amsterdam. In his role of mayor, he was a member of the Netherlands DPA's advisory board. Given that experience, he's somewhat familiar with the kinds of issues he'll now face as chairman. And he's pleased to have retained the office's deputy chair, who's been in office for about five years and is a source of institutional memory, Wilbert Tomesen.
But beyond learning a new job, including the applicable laws and regulations he'll be charged with enforcing, Wolfsen is also now charged with positioning his office in accordance with the GDPR, which places additional responsibilities on DPAs' offices, including the establishment of information-sharing portals for international investigation collaborations, as well as complaint-handling systems. Such tasks aren't light administrative lifts. Especially because the Dutch DPA didn't previously investigate individual complaints. It handled registered data processors, initiated investigations where deemed necessary, issued fines if subsequently necessary, and otherwise largely served as an advisor to the government.
"There are some [DPA] offices in Europe who already have to deal with complaints, we don't," Wolfsen said. "So we have to implement this process to deal with complaints in a proper way. We are now in a process together with the Ministry of Justice to judge and discover what the new tasks and roles are for Dutch DPA — DPAs in general, but especially the Dutch DPA. We're now in the stage of discovering all the new responsibilities."
The major considerations in designing such a system are, "How can you design a process that gets proper information to people," as well as what the intake process looks like and how an investigation will be started based on one complaint from another. "How to decide on these kinds of issues. That's new for us."
His staff, currently hovering around 80 total employees, will likely need to increase.
Wolfsen said thanks to the GDPR's long negotiation period, his office is quite familiar with what has revealed itself as the final regulation. But there's still communication to be done with the greater public.
"How to get the proper information to the business people," he said. "That's huge."
Wolfsen's been enjoying the process of collaborating with his international peers, and he described the group as a "rich variety" of DPAs and chairs.
"For me, it's very fruitful and profitable," he said. "It's an open process, they are very open."
However, given that changes forthcoming once the GDPR comes into force in less than two year's time, that could start to shift, as could where he's spending his time. While he's been mostly close to home in the Netherlands, he expects to be in Brussels much more often once the regulation is in force given that he'll now be a part of the European Data Protection Board, which replaces the former Article 29 Working Party.
And that's where the relationships with other DPAs could shift, "because we are, let's say, only an advisory group. In May 2018, we start as an official board with voting procedures, including deciding who's going to be the lead DPA for companies. I think maybe our relationship will change a little bit, will become more formal," Wolfsen said.
Despite there being much to do and learn, Wolfsen takes an optimistic approach. He's learning fast, he said, aided by last month's commissioners conference in Marrakesh, which was an intensive of sorts for him. And he feels armored with a strong and knowledgeable staff.
"I'm sure together with my colleagues and all the employees here and so many in Europe, we're all dealing with the same questions. I'm sure we will manage it," he said. "But it's not an easy process."
If you want to comment on this post, you need to login.