In 2020, many local authorities were found to be behind in their GDPR compliance. Prioritization is essential when reviewing the governance of the data processed by these entities. The steps to be applied for their GDPR compliance are the same as for a private company, with one notable difference: the designation of a data protection officer is mandatory.
Why do local authorities need to comply with GDPR?
The scale of the data processing carried out by local authorities, the technological challenges raised by the modernization of the administration, and the growth of cybercrime are all good reasons for local authorities to accelerate the GDPR compliance of their processing activities.
Many personal data processing activities
Local authorities are called upon to process a great deal of personal data for various purposes:
- Data of citizens and users (cadastral data; civil status; invoicing for services provided to parents; data relating to social housing, etc.)
- Data of employees (access management to premises, staff files, job seekers' files, pay files, etc.)
- Social assistance organizations or the municipal police are examples of entities that process sensitive data, for which GDPR compliance is a vital issue.
An accelerating modernization of municipalities
For several years, local authorities have been modernizing. They are launching many projects that enrich, and complicate, their IT estate.
Each project brings its own constraints regarding personal data protection and IT security:
- Video surveillance systems
- Biometric access control to certain premises
- Geolocation of the fleet of vehicles made available to staff
- Digitization of many procedural acts
- Tele-services
- Innovative smart cities projects
Cybercrime, an increasing threat to data controllers
Cybersecurity has become a growing concern for the GDPR compliance of personal data processing activities. Local authorities are no exception.
- Threats are multiplying: ransomware, phishing and scams are widespread.
- Cybercriminals now target local authorities as well as private companies.
Local authorities must, therefore, ensure that basic technical and organizational measures are in place and implemented in each new project.
Open data, a vital issue for local authorities
Local authorities are increasingly embracing open data. By making data sets available, they fulfil their missions of transparency in public life, territorial attractiveness, and support for innovation.
Of course, if a data set contains personal data, GDPR compliance and informatics-and-freedoms issues will naturally arise. That is why in 2019, the National Commission for Informatics and Freedoms (CNIL) and the Commission for Access to Administrative Documents published a good practice guide.
Compliance is running late
Two years after the entry into force of the General Data Protection Regulation (GDPR), it is clear that many local authorities are still not fully compliant.
Given the difficulties encountered by these organizations, the CNIL published a good practice guide in 2019.
Current events rich in data processing
Current events sometimes shape tomorrow's data processing. For example, in 2020, local authorities had to deal with two significant events involving the processing of personal data:
- Organizing municipal elections
- Managing the lockdown locally, for example by organizing the distribution of masks to the population or by telephone follow-up of the most vulnerable people.
How should local authorities manage their GDPR compliance?
The steps for managing GDPR compliance are the same as for any company. Designation of a DPO, formalization of processes, and development of a security framework are essential steps that local authorities must undertake.
Designation of a data protection officer
To achieve comprehensive compliance of the processing activities, processes must be implemented to integrate GDPR requirements into projects effectively.
In the case of local authorities, the designation of a data protection officer is a legal obligation. However, it is essential to choose a person who has the required skills and expertise and who is also independent of the other departments.
The DPO will then oversee data governance by building an action plan that prioritizes efforts towards the projects posing the most risk to data protection and towards the largest non-conformities.
Register of processing activities and documentation
As in any organization, the DPO must map the processing activities in place and document their main characteristics (data subjects, type of data, recipients, security measures, retention period, etc.).
This register makes it possible to track the level of compliance of each processing activity and to build the documentation expected by the supervisory authority.
Managing subcontractors
Like any organization, local authorities rely on a range of suppliers and service providers who may handle personal data. It is, therefore, essential to contract with these actors and to:
- Specify the roles and responsibilities of each party
- Define the obligations of the subcontractor
- Identify and secure transfers of data outside the EU
Establishing the necessary internal processes for good data governance
These processes include:
- Handling requests for access, rectification or erasure of data, or objections to their processing. A procedure will be formalized to sequence the steps to be taken and to identify the stakeholders who need to be involved.
- Auditing processing activities to verify compliance
- Detecting security flaws and reporting any personal data breach to the CNIL within 72 hours. The detection of such a flaw must trigger the activation of a crisis unit that leads the investigation, manages the relationship with the CNIL, informs the data subjects concerned, and contains the incident.
For governance to work, it must permeate many other processes that structure the activity of local authorities—for example, managing changes in suppliers or constructing access authorization policies.
Managing the security of data processing
Data processing security is part of the basic foundation of a GDPR compliance approach. Without this foundation, the IT system is not protected, and each new technological project makes the situation worse.
Local authorities must therefore deploy an IT security policy based, as far as possible, on an analysis of the existing risks. Once again, it is necessary to prioritize and to deal with the most critical infrastructures first.
Applying a privacy by design approach: launching Privacy Impact Assessments (PIAs)
GDPR imposes a global approach to compliance that is based on concepts such as:
- Accountability: analyzing risks, determining the best measures to address them, and documenting the choices made. In the end, the local authority must be able to demonstrate the compliance of its processing activities in case of inspection.
- Privacy by design and by default: project specifications must integrate requirements that correspond concretely to the obligations imposed by the regulation. Examples include minimizing the data collected, restricting access, automatic purging, limited retention periods, selecting service providers who comply with their legal obligations, etc.
Local authorities will likely implement sensitive projects, such as biometric access control devices. These projects must be subject to a prior Data Protection Impact Assessment (DPIA), whose results will enrich the specifications to be integrated into the project.
Conclusion: it is urgent to comply with GDPR
The delay in compliance efforts, the challenges posed by the arrival of new projects related to the modernization of the administration, and unknown cyber risks mean that local authorities must accelerate the compliance of their processing activities.
In this regard, 2020 is a particularly suitable moment, given the recent and unexpected lockdown period needed to control the coronavirus epidemic.