The Dutch Data Protection Authority (“DPA”) has announced that for the next few years it will enhance its focus on the following areas: (I) digital government, (II) trade in data, and (III) artificial intelligence and algorithms. Within these focus areas, the DPA will direct its resources to those issues that carry the most risk for citizens. These include, for example, the large-scale processing of personal data for commercial purposes and purposes involving the processing of sensitive personal data. In this blog we address the designated areas and explore the impact this focus may have on your organisation.
Focus areas
Digital government
Over the next few years, the DPA will focus on supervising the digital government. Many public sector bodies, including implementing authorities, the police and the judiciary, have large volumes of sensitive personal data at their disposal. The key areas to which the DPA will shift its focus are:
- Data security
- Smart cities
- Inter-institutional linkage / non-compliant data sharing practices
- Elections and microtargeting
Trade in data
This is the DPA's second focus area. The key areas to which the DPA will direct its resources are:
- Data minimisation
- The Internet of Things
- Profiling
- Behavioural advertising
Artificial Intelligence and algorithms
According to the DPA, there are risks associated with the deployment of AI and algorithms. Companies and public bodies use AI to “nudge” and profile people, the DPA argues. As both private and public parties use AI systems and algorithms and as this has prompted society to raise numerous questions, the DPA has chosen to direct special attention to these issues and make them into a separate focus area.
Risk-driven supervision
The DPA will for the next few years target methods of processing personal data that carry substantial risks for citizens. This will be a major theme for the DPA. In investigating these methods and the organisations implementing them, the DPA will consider the volume of data processed and the sensitivity of the data.
In addition to investigations in response to complaints, tips and data leakage notifications, the DPA will also launch investigations on the back of its own ongoing risk and trend analyses.
Impact on organisations
The DPA has set an agenda that paints, in broad strokes, the organisation's key focus areas for the coming years. The broad formulation of each focus area makes it difficult to pinpoint which organisations should allocate extra resources to privacy compliance. This applies all the more as the DPA has announced to investigate complaints and data leakage reports as well.
We would advise those organisations whose activities fall within the definitions of the focus areas to ensure that their privacy documentation, and their security measures, are up to scratch. Another recommendation is that they encourage awareness among their staff. Obviously, they are well advised to process and share personal data only if there are lawful grounds, or in the case of sensitive data, grounds for exception for doing so. Lastly, we wish to point out the importance of performing Privacy Impact Assessments (“PIAs”) before processing data likely to carry a high risk to the privacy of the data subjects. It is definitely essential that a PIA is performed when it comes to processing personal data using AI systems.
The Dutch Data Protection Authority (“DPA”) has announced that for the next few years it will enhance its focus on the following areas: (I) digital government, (II) trade in data, and (III) artificial intelligence and algorithms. Within these focus areas, the DPA will direct its resources to those issues that carry the most risk for citizens. These include, for example, the large-scale processing of personal data for commercial purposes and purposes involving the processing of sensitive personal data. In this blog we address the designated areas and explore the impact this focus may have on your organisation.
Focus areas
Digital government
Over the next few years, the DPA will focus on supervising the digital government. Many public sector bodies, including implementing authorities, the police and the judiciary, have large volumes of sensitive personal data at their disposal. The key areas to which the DPA will shift its focus are:
- Data security
- Smart cities
- Inter-institutional linkage / non-compliant data sharing practices
- Elections and microtargeting
Trade in data
This is the DPA's second focus area. The key areas to which the DPA will direct its resources are:
- Data minimisation
- The Internet of Things
- Profiling
- Behavioural advertising
Artificial Intelligence and algorithms
According to the DPA, there are risks associated with the deployment of AI and algorithms. Companies and public bodies use AI to “nudge” and profile people, the DPA argues. As both private and public parties use AI systems and algorithms and as this has prompted society to raise numerous questions, the DPA has chosen to direct special attention to these issues and make them into a separate focus area.
Risk-driven supervision
The DPA will for the next few years target methods of processing personal data that carry substantial risks for citizens. This will be a major theme for the DPA. In investigating these methods and the organisations implementing them, the DPA will consider the volume of data processed and the sensitivity of the data.
In addition to investigations in response to complaints, tips and data leakage notifications, the DPA will also launch investigations on the back of its own ongoing risk and trend analyses.
Impact on organisations
The DPA has set an agenda that paints, in broad strokes, the organisation's key focus areas for the coming years. The broad formulation of each focus area makes it difficult to pinpoint which organisations should allocate extra resources to privacy compliance. This applies all the more as the DPA has announced to investigate complaints and data leakage reports as well.
We would advise those organisations whose activities fall within the definitions of the focus areas to ensure that their privacy documentation, and their security measures, are up to scratch. Another recommendation is that they encourage awareness among their staff. Obviously, they are well advised to process and share personal data only if there are lawful grounds, or in the case of sensitive data, grounds for exception for doing so. Lastly, we wish to point out the importance of performing Privacy Impact Assessments (“PIAs”) before processing data likely to carry a high risk to the privacy of the data subjects. It is definitely essential that a PIA is performed when it comes to processing personal data using AI systems.