Make your municipality GDPR-compliant: 3 to dos

A large number of administrative actions ensue from the General Data Protection Regulation (in Dutch AVG, in English GDPR) your organisation is still resisting and time is running out. Organisations must bring their operations in line with the GDP before 25 May 2018.

You have undoubtedly already taken the necessary steps to improve data protection within your municipality. But perhaps this is not enough for compliance with the GDPR. How can you be sure that you are meeting all the requirements? Keeping an overview is important in this respect. In this blog we provide a clear picture of the steps you need to take in order to be ready for the new law.

Phased Plan


Start by putting together the right team. The ideal core team consists of a lawyer, a privacy expert and an IT professional. They involve the responsible managers and content specialists in each department.

1. Gaining insight

Map all data flows. As there can be a lot of these, it is sensible to start with the most important or most sensitive data streams. This provides insight into the structure and infra systems of the municipality. Questions you have to ask in this context include:
  • What data are we collecting, at which location?
  • Where and how do we store these data?
  • Who receives or has access to these data?

This enables you to gain insight into the infrastructure and systems of your organisation.

2. Determine the impact on the organisation

In order to properly assess the impact of these data streams, and therefore the risk associated with them, you first need to know how sensitive the data are. Every municipality processes large quantities of privacy-sensitive data. You are required to log these data in a processing register. This forces you to think about what personal data you store, their purpose, retention period and security. If you set up the processing register in accordance with the guidelines, you fulfil the obligation to register within the GDPR.

When all data flows, including the impact of the data, have been mapped, the team checks them against the GDPR by means of a gap analysis. You compare the current situation with the desired situation. This results in measures to fill the gaps. In some cases, internal guidelines are already available for this, which you can update. In other cases it is necessary to draw up new rules.

3. Forming and maintaining policy

The register and the gap analysis form the basis for drawing up additional policy. Based on the register, you draw up a privacy policy for both external stakeholders and your own employees. You make this policy available to everyone involved. The policy is intended to inform the parties concerned in advance about the personal data that you collect, and to inform them of their rights. Municipalities usually include the internal privacy policy in the internal regulations, and make it available on the intranet. This makes it easy for employees to consult them.

In order to ensure that employees comply with the rules in the privacy policy, it is necessary that the privacy rules come alive for them. They must become part of day-to-day practice. A data protection officer supervises compliance with the GDPR. A municipality is obliged to appoint such an internal privacy supervisor. Repeated training is also required for all employees who work with personal data. If you make them aware of the possible privacy risks of their work and combine this with a secure design of applications, secure communication flows and the use of secure tools, you will have taken major steps towards achieving a GDPR-compliant municipality.

 

GDPR Checklist

Our GDPR Checklist contains the necessary steps towards GDPR compliance. It addresses in greater detail the drafting of a processing agreement, obtaining permission for the processing of personal data, the security measures to be taken and the obligation to report data leaks.

Go to the GDPR Checklist

RELATED
Idans welcome blog (2)

We are happy to announce our Chief Technology Officer: Idan York.

Idan will be responsible for vision outlining and implementation of technological strategies that align with ZIVVER’s expansion objectives. […]

Read more
Idans welcome blog (2)

We are happy to announce our Chief Technology Officer: Idan York.

Idan will be responsible for vision outlining and implementation of technological strategies that align with ZIVVER’s expansion objectives. […]

Read more
Human_error_is_the_primary_cause_of_most_data_leaks_The_Dutch_lend_a_helping_hand_pointing_ out_the_cause_ZIVVER_EN_blog-1

Human error is the primary cause of most data leaks. The Dutch lend a helping hand pointing out the causes

[…]

Read more
Human_error_is_the_primary_cause_of_most_data_leaks_The_Dutch_lend_a_helping_hand_pointing_ out_the_cause_ZIVVER_EN_blog-1

Human error is the primary cause of most data leaks. The Dutch lend a helping hand pointing out the causes

[…]

Read more
shutterstock_274821560 (1)

How to make your employees aware of the importance of secure information processing

Some organisations are already GDPR compliant, others still have work to do to meet the legal requirements. To achieve this, a set of technical and organisational measures is required. There are many step-by-step plans on the Internet to help you with these measures. It is even more important yet to raise the awareness among your organisation’s employees. This is very […]

Read more
shutterstock_219503161 (1)

What is the difference between personal data and privacy-sensitive information?

The GDPR is a hot topic. Due to all messages in the media, many myths circulate about this topic. A frequently-heard comment is: but it is related to privacy, and so it is forbidden under the GDPR anyway, right? To understand correctly what the law requires and what are the reasons for that, you should know what personal data are and how this differs from […]

Read more