Make your municipality GDPR-compliant: 3 to dos

A large number of administrative actions ensue from the General Data Protection Regulation (in Dutch AVG, in English GDPR) your organisation is still resisting and time is running out. Organisations must bring their operations in line with the GDP before 25 May 2018.

You have undoubtedly already taken the necessary steps to improve data protection within your municipality. But perhaps this is not enough for compliance with the GDPR. How can you be sure that you are meeting all the requirements? Keeping an overview is important in this respect. In this blog we provide a clear picture of the steps you need to take in order to be ready for the new law.

Phased Plan


Start by putting together the right team. The ideal core team consists of a lawyer, a privacy expert and an IT professional. They involve the responsible managers and content specialists in each department.

1. Gaining insight

Map all data flows. As there can be a lot of these, it is sensible to start with the most important or most sensitive data streams. This provides insight into the structure and infra systems of the municipality. Questions you have to ask in this context include:
  • What data are we collecting, at which location?
  • Where and how do we store these data?
  • Who receives or has access to these data?

This enables you to gain insight into the infrastructure and systems of your organisation.

2. Determine the impact on the organisation

In order to properly assess the impact of these data streams, and therefore the risk associated with them, you first need to know how sensitive the data are. Every municipality processes large quantities of privacy-sensitive data. You are required to log these data in a processing register. This forces you to think about what personal data you store, their purpose, retention period and security. If you set up the processing register in accordance with the guidelines, you fulfil the obligation to register within the GDPR.

When all data flows, including the impact of the data, have been mapped, the team checks them against the GDPR by means of a gap analysis. You compare the current situation with the desired situation. This results in measures to fill the gaps. In some cases, internal guidelines are already available for this, which you can update. In other cases it is necessary to draw up new rules.

3. Forming and maintaining policy

The register and the gap analysis form the basis for drawing up additional policy. Based on the register, you draw up a privacy policy for both external stakeholders and your own employees. You make this policy available to everyone involved. The policy is intended to inform the parties concerned in advance about the personal data that you collect, and to inform them of their rights. Municipalities usually include the internal privacy policy in the internal regulations, and make it available on the intranet. This makes it easy for employees to consult them.

In order to ensure that employees comply with the rules in the privacy policy, it is necessary that the privacy rules come alive for them. They must become part of day-to-day practice. A data protection officer supervises compliance with the GDPR. A municipality is obliged to appoint such an internal privacy supervisor. Repeated training is also required for all employees who work with personal data. If you make them aware of the possible privacy risks of their work and combine this with a secure design of applications, secure communication flows and the use of secure tools, you will have taken major steps towards achieving a GDPR-compliant municipality.

 

GDPR Checklist

Our GDPR Checklist contains the necessary steps towards GDPR compliance. It addresses in greater detail the drafting of a processing agreement, obtaining permission for the processing of personal data, the security measures to be taken and the obligation to report data leaks.

Go to the GDPR Checklist

RELATED
Sending_or_receiving_credit_card_data_via_email_while staying_PCI_compliant

Sending or receiving credit card data via email while staying PCI compliant

To prevent cardholders’ information from falling into the wrong hands, the Payment Card Industry Data Security Standard (PCI DSS) was established to hold organizations to a common standard for securing cardholder information against unauthorized exposure and exploitation. […]

Read more
We_are_happy_to_introduc _ou _new_VP_of_sales_Chris_Brown_ZIVVER_eng_blog_update

We are happy to introduce our new VP of Global Sales: Chris Brown

"ZIVVER is entering new markets at high speed. We intend to lead in those markets. With Chris, we bring in a senior leader who has done this before multiple times. We love that he is not ‘just’ about sales. Chris has a deep, hands-on understanding of the problems our customers face and of the market space and a very inspirational and credible leader for our fast […]

Read more
We_are_happy_to_introduc _ou _new_VP_of_sales_Chris_Brown_ZIVVER_eng_blog_update

We are happy to introduce our new VP of Global Sales: Chris Brown

"ZIVVER is entering new markets at high speed. We intend to lead in those markets. With Chris, we bring in a senior leader who has done this before multiple times. We love that he is not ‘just’ about sales. Chris has a deep, hands-on understanding of the problems our customers face and of the market space and a very inspirational and credible leader for our fast […]

Read more
Cloud_based_office_support tools_that_are_U.S._rooted_fail GDPR_complianc_ZIVVER_Eng_blog

Cloud-based office support tools that are U.S. rooted, fail GDPR compliance

It is estimated that the U.S.A. supplies 80% of the global cloud computing services. And nearly all most-used cloud-based solutions for email and word processing are from the US. This causes a big issue for European companies using these vendors since they are not GDPR compliant. This is the conclusion of a research performed by the Swedish National Public Procurement […]

Read more
Cloud_based_office_support tools_that_are_U.S._rooted_fail GDPR_complianc_ZIVVER_Eng_blog

Cloud-based office support tools that are U.S. rooted, fail GDPR compliance

It is estimated that the U.S.A. supplies 80% of the global cloud computing services. And nearly all most-used cloud-based solutions for email and word processing are from the US. This causes a big issue for European companies using these vendors since they are not GDPR compliant. This is the conclusion of a research performed by the Swedish National Public Procurement […]

Read more
Idans welcome blog (2)

We are happy to announce our Chief Technology Officer: Idan York.

Idan will be responsible for vision outlining and implementation of technological strategies that align with ZIVVER’s expansion objectives. […]

Read more