
Privacy & DPO team strengthened for top-10 hospital

5 weeks
3 specialists

About the organisation

Academic hospital in the Dutch top-10 with 11,000 employees, 800 beds and 450,000 patient contacts per year. Processes medical records, genetic data and research data. Supervised by the Dutch Data Protection Authority and the Health and Youth Care Inspectorate.

The Challenge

Following an enforcement decision by the Dutch Data Protection Authority regarding the sharing of patient data with a research partner, the hospital had to expand its privacy team within 3 months with a Data Protection Officer, a senior privacy officer and a privacy engineer. The existing team of 2 people could no longer handle the workload: 340 processing activities, 85 DPIAs in the pipeline, and a growing number of data breach notifications.

The healthcare sector places unique demands on privacy professionals. They must know not only GDPR, but also Dutch healthcare-specific legislation (Wgbo, Wbp-Z) and the NEN 7510 framework. Candidates with this combination of legal and healthcare-specific knowledge are extremely scarce: an estimated fewer than 200 professionals in the Netherlands have this profile.

Our Solution

MVPeople Group combined MVProfessionals (secondment) for the DPO and senior privacy officer — roles requiring immediate deployment — with MVPermanent (recruitment & selection) for the privacy engineer, a role for which the hospital sought a permanent employee. We activated our specific network of healthcare privacy professionals, built through 3 years of recruitment in the healthcare sector.

For the DPO role, we selected a candidate with 8 years of experience in academic hospitals, including experience setting up a privacy-by-design framework for EHR systems (HiX/Epic). The senior privacy officer had demonstrable experience with DPIAs in a clinical research environment. The privacy engineer had a technical background in data masking and pseudonymisation of medical datasets — crucial for the hospital's research collaborations.

Results

  • DPO and 2 privacy professionals placed within 5 weeks
  • DPIA backlog reduced from 85 to 12 in 4 months
  • Processing register fully revised and updated (340 processing activities)
  • DPA enforcement case successfully closed without fine
  • Privacy-by-design framework implemented for 3 new EHR modules

In healthcare, you need privacy specialists who understand both GDPR and healthcare legislation, and who know how an EHR system works. MVPeople found three professionals who met all these criteria. I didn't think that was possible.

Chief Privacy Officer

What the team says

The DPO that MVPeople delivered had previously worked at two other academic hospitals. That experience was invaluable — she knew all the pitfalls and best practices from real-world practice.

Chairman of the Board
