“We take the handling of personal data very seriously, and, of course, we must also comply with the new regulations. Not because we are afraid of incidents, but because our citizens must feel secure with us”, says Marianne Bo Krowicki, information security coordinator and soon-to-be DPO in Brøndby Municipality.
Like all other public and private organisations, the municipality must prepare for the upcoming personal data rules, the General Data Protection Regulation (GDPR). The regulation takes effect in May 2018 and sets out a series of new requirements for the processing of personal data.
From the outset, Brøndby Municipality chose to rely on a spreadsheet to manage the GDPR effort. But it quickly became clear that, in Marianne Bo Krowicki's words, “it was very confusing and rather inefficient”.
So instead, the municipality launched a process in which the Danish-developed tool RISMAgdpr is used to identify areas where personal data is handled, to systemise data handling and to document the work in accordance with the new regulation.
“The tool is easy to use for the employees even after just one workshop, and the work is progressing surprisingly fast. We are almost done with the Personnel Department, after which we will continue with the Social and Health Administration in February, then comes the Child, Culture and Sports Administration, the Technical Administration and finally our own Central Administration. This means we will be ready in due time before the new GDPR becomes effective as of May 25th”, Marianne Bo Krowicki states.
Once the work is completed, the Administration will have a complete overview of where sensitive personal data is handled and which security measures surround it.
“We are working through everything and, at the same time, we are checking whether personal data is kept for instance on file drives or other places where it should absolutely not be stored. The Administration themselves get to work hands-on with the substance, get things sorted out and become aware of whether or not they are doing things right. This can, for instance, mean whether all data processor agreements are in place, who information is exchanged with, and other practical and formal circumstances which one might otherwise not think much about on a daily basis. We get our definitions honed and work through everything. It is most reassuring”, says Marianne Bo Krowicki.
She originally became aware of RISMAgdpr during a course run by the law firm Plesner and decided to give it a try.
“I have great respect for Plesner, and they were deeply involved in developing the tool, so this was in fact our guarantee that all the legal aspects were in place. Thus, if we were to take our starting point here, we would become compliant and avoid surprises to as great an extent as possible”, Marianne Bo Krowicki says.
But even though Brøndby Municipality is taking a thorough approach to the GDPR work, she does not think they are going too far.
“Of course, this tool is not free, but the price seems very fair. Especially because it aids us in saving time and quite a lot of resources by systemising the effort and getting things done right the first time around.”