Romero Pastrana, F. (Francisco)
Francisco is a specialist in personal data protection, with professional certifications in European data protection law (CIPP/E), privacy management (CIPM) and privacy in IT (CIPT). Since 2020, he has been the Privacy Officer of the Geosciences Faculty at Utrecht University.
Session
At the start of my appointment as Privacy Officer of the Geo Faculty at Utrecht University in May 2020, I was faced with the usual challenges: maintaining a processing register, handling DPIAs, giving advice on what is and is not allowed, etc. While the goals and principles were clear, I was spending too much time and effort acquiring processing knowledge and transcribing this into compliance documentation. I needed to find a better way to manage all of it in a more efficient, timely, and scalable way.
The Privacy Scan framework was then born out of that necessity. It initially started as a way to collect and document relevant details of an activity to determine if a DPIA was needed. The Privacy Scan is now a scalable, DPIA-like description and assessment of processing activities. It is now the cornerstone for the management of privacy compliance at the faculty, allowing us to efficiently comply with GDPR Art. 24, 25, 30 and 35. From a few dozen Privacy Scans in 2021 and 2022, now around a hundred Privacy Scans are conducted on average every year by our faculty members, completed and approved within a couple of weeks on average, on a broad range of research, education, and business-related processing activities.
In this workshop, I will describe how the Privacy Scan framework works in practice, including research and education-related examples of processing activities for which it is often challenging to demonstrate compliance: for example, when there is an imbalance of power, or it is not possible to obtain consent, where other legal bases beyond consent are likely more suitable.
Workshop participants are encouraged to bring their own challenging cases to be included in the discussion.