Make your municipality GDPR-compliant: 3 to dos

A large number of administrative actions ensue from the General Data Protection Regulation (in Dutch AVG, in English GDPR) your organisation is still resisting and time is running out. Organisations must bring their operations in line with the GDP before 25 May 2018.

You have undoubtedly already taken the necessary steps to improve data protection within your municipality. But perhaps this is not enough for compliance with the GDPR. How can you be sure that you are meeting all the requirements? Keeping an overview is important in this respect. In this blog we provide a clear picture of the steps you need to take in order to be ready for the new law.

Phased Plan

Start by putting together the right team. The ideal core team consists of a lawyer, a privacy expert and an IT professional. They involve the responsible managers and content specialists in each department.

1. Gaining insight

Map all data flows. As there can be a lot of these, it is sensible to start with the most important or most sensitive data streams. This provides insight into the structure and infra systems of the municipality. Questions you have to ask in this context include:
  • What data are we collecting, at which location?
  • Where and how do we store these data?
  • Who receives or has access to these data?

This enables you to gain insight into the infrastructure and systems of your organisation.

2. Determine the impact on the organisation

In order to properly assess the impact of these data streams, and therefore the risk associated with them, you first need to know how sensitive the data are. Every municipality processes large quantities of privacy-sensitive data. You are required to log these data in a processing register. This forces you to think about what personal data you store, their purpose, retention period and security. If you set up the processing register in accordance with the guidelines, you fulfil the obligation to register within the GDPR.

When all data flows, including the impact of the data, have been mapped, the team checks them against the GDPR by means of a gap analysis. You compare the current situation with the desired situation. This results in measures to fill the gaps. In some cases, internal guidelines are already available for this, which you can update. In other cases it is necessary to draw up new rules.

3. Forming and maintaining policy

The register and the gap analysis form the basis for drawing up additional policy. Based on the register, you draw up a privacy policy for both external stakeholders and your own employees. You make this policy available to everyone involved. The policy is intended to inform the parties concerned in advance about the personal data that you collect, and to inform them of their rights. Municipalities usually include the internal privacy policy in the internal regulations, and make it available on the intranet. This makes it easy for employees to consult them.

In order to ensure that employees comply with the rules in the privacy policy, it is necessary that the privacy rules come alive for them. They must become part of day-to-day practice. A data protection officer supervises compliance with the GDPR. A municipality is obliged to appoint such an internal privacy supervisor. Repeated training is also required for all employees who work with personal data. If you make them aware of the possible privacy risks of their work and combine this with a secure design of applications, secure communication flows and the use of secure tools, you will have taken major steps towards achieving a GDPR-compliant municipality.


GDPR Checklist

Our GDPR Checklist contains the necessary steps towards GDPR compliance. It addresses in greater detail the drafting of a processing agreement, obtaining permission for the processing of personal data, the security measures to be taken and the obligation to report data leaks.

Go to the GDPR Checklist

shutterstock_219503161 (1)

What is the difference between personal data and privacy-sensitive information?

The GDPR is a hot topic. Due to all messages in the media, many myths circulate about this topic. A frequently-heard comment is: but it is related to privacy, and so it is forbidden under the GDPR anyway, right? To understand correctly what the law requires and what are the reasons for that, you should know what personal data are and how this differs from […]

Read more

The 3 most important things you need to account for in order to become GDPR compliant

The General Data Protection Regulation (GDPR) is a European law that protects the privacy of European citizens on the one side and helps to create awareness in processing personal information on the other. Thanks to GDPR, CISO’s like you have a lot of extra work to do. The amount of administrative proceedings that result from the GDPR is huge, your organisation […]

Read more
Untitled design

4 misconceptions about safe email

The European General Data Protection Regulation (GDPR) made the topic of privacy protection an important agenda item for every company. Almost all the time, risk analysis brings up email traffic as a very risky part. In the meantime however, I often encounter organisations that are pretty sure in their statement that the have their email traffic safe and under control. […]

Read more