Make your municipality GDPR-compliant: 3 to dos

3 min read
shutterstock_324371054 (1)

shutterstock_324371054 (1)

A large number of administrative actions ensue from the General Data Protection Regulation (in Dutch AVG, in English GDPR) your organisation is still resisting and time is running out. Organisations must bring their operations in line with the GDP before 25 May 2018.

You have undoubtedly already taken the necessary steps to improve data protection within your municipality. But perhaps this is not enough for compliance with the GDPR. How can you be sure that you are meeting all the requirements? Keeping an overview is important in this respect. In this blog we provide a clear picture of the steps you need to take in order to be ready for the new law.

Phased Plan

Start by putting together the right team. The ideal core team consists of a lawyer, a privacy expert and an IT professional. They involve the responsible managers and content specialists in each department.

1. Gaining insight

Map all data flows. As there can be a lot of these, it is sensible to start with the most important or most sensitive data streams. This provides insight into the structure and infra systems of the municipality. Questions you have to ask in this context include:
  • What data are we collecting, at which location?
  • Where and how do we store these data?
  • Who receives or has access to these data?

This enables you to gain insight into the infrastructure and systems of your organisation.

2. Determine the impact on the organisation

In order to properly assess the impact of these data streams, and therefore the risk associated with them, you first need to know how sensitive the data are. Every municipality processes large quantities of privacy-sensitive data. You are required to log these data in a processing register. This forces you to think about what personal data you store, their purpose, retention period and security. If you set up the processing register in accordance with the guidelines, you fulfil the obligation to register within the GDPR.

When all data flows, including the impact of the data, have been mapped, the team checks them against the GDPR by means of a gap analysis. You compare the current situation with the desired situation. This results in measures to fill the gaps. In some cases, internal guidelines are already available for this, which you can update. In other cases it is necessary to draw up new rules.

3. Forming and maintaining policy

The register and the gap analysis form the basis for drawing up additional policy. Based on the register, you draw up a privacy policy for both external stakeholders and your own employees. You make this policy available to everyone involved. The policy is intended to inform the parties concerned in advance about the personal data that you collect, and to inform them of their rights. Municipalities usually include the internal privacy policy in the internal regulations, and make it available on the intranet. This makes it easy for employees to consult them.

In order to ensure that employees comply with the rules in the privacy policy, it is necessary that the privacy rules come alive for them. They must become part of day-to-day practice. A data protection officer supervises compliance with the GDPR. A municipality is obliged to appoint such an internal privacy supervisor. Repeated training is also required for all employees who work with personal data. If you make them aware of the possible privacy risks of their work and combine this with a secure design of applications, secure communication flows and the use of secure tools, you will have taken major steps towards achieving a GDPR-compliant municipality.


GDPR Checklist

Our GDPR Checklist contains the necessary steps towards GDPR compliance. It addresses in greater detail the drafting of a processing agreement, obtaining permission for the processing of personal data, the security measures to be taken and the obligation to report data leaks.


Written by
Picture of Eva Malten

Eva Malten

Eva studeerde Nederlandse taal en cultuur in haar favoriete stad: Utrecht. Daarna ontwikkelde ze zich tot communicatiemedewerker en werkte bij diverse uitgeverijen en de Bibliotheek Utrecht. Ze houdt van lezen en schrijven en is gespecialiseerd in compacte teksten met een heldere boodschap. Ze voelt zich thuis in het energieke en enthousiaste team van ZIVVER. In haar vrije tijd gaat Eva met haar gezin op stap in Utrecht of staat ze in de keuken om een taart te bakken.

Originally published on June 29, 2018

Last update on June 29, 2018