Impacts of the GDPR on local and regional Authorities
Immediate application of the GDPR without a transitional period There are many misconceptions about the GDPR, thinking that a transition period will be granted, that this law does not concern local authorities or even that small municipalities are not concerned. It is therefore important to specify that no transitional period will be granted, since a period of two years has already elapsed between the amendment of the text of the law and its entry into force on 25 May next. Admittedly, it is conceivable that the controls carried out by the CNIL will not immediately concern local authorities, which will nevertheless be affected by the financial penalties incurred. In addition, it is important to notify that the Senate has adopted an amendment in favour of communities to support them in their compliance with the GDPR. The purpose of this project is to create a communication and intermunicipal endowment fund for them.
As for the public sector, all stakeholders are affected by the GDPR. No threshold has been established and even small municipalities are affected by this change and will have to appoint a Data Protection Officer (DPO).
Transfer of responsibility for compliance control The GDPR does not revolutionize the principles of personal data protection provided for in the “Data Protection Act”. The latter already has a significant level of requirements in this area, which are applied by some local authorities, which have, for example, already appointed IT and Freedom Correspondents. The major change brought about by the GDPR is based on the responsibility of the actors processing the data. It consists of implementing internal mechanisms and procedures to demonstrate compliance with data protection rules.
Local authorities are particularly concerned insofar as they process a large amount of personal data on a daily basis, and also manage an often very large number of applications (remote procedures, video surveillance, parking, etc.). These processing operations may concern sensitive data within the meaning of the GDPR (municipal police, social assistance, etc.), the security of which is a key issue.
Focus on certain points of attention specific to local authorities As a first step, local authorities must qualify their role with regard to data processing. While they are a priori responsible for the processing operations they carry out, they are likely to be co-responsible for the processing when they entrust the management of their processing operations to a third party. As a result, each local authority must have a register listing the processing operations that take place under its responsibility.
Then, they will have to anticipate and organise the appointment of a DPO, which can be shared, if necessary, between several local authorities implementing similar processing operations. For example, between several small municipalities – and, if necessary, outsourced, especially if the size of the community is not large enough. The DPO
may be responsible for maintaining the register of processing activities. The appointment of the DPO raises practical questions such as the modalities of using an intermunicipal structure in the event of mutualisation, or the conclusion of a service provision contract in the event of externalisation.
In addition, it is important for each community to strengthen contractual clauses with subcontractors. For them, it will be necessary to ensure that the services in progress are carried out in accordance with the regulatory provisions. Communities will have to check and obtain from their suppliers the necessary guarantees on their level of security. As for future orders, they will have to include clauses relating to the respect of personal data in their call for tenders.
In addition, when the processing of data is carried out using new technology and to the extent that the nature, importance, context and purposes of the processing could lead to a high risk to the rights and freedoms of the data subjects, the company will have to assess the impact of the processing on those rights and freedoms (AIPD). This is the case for communities that use video surveillance, automatic license plate reading systems for parking, or remote services for communicating and sending documents between administrations and citizens.
Finally, it is necessary for all communities to review all notices or information for their citizens. Indeed, with the GDPR, additional information must be included, such as the legal basis for the processing of the data or the duration of the data storage.
The work to comply with the GDPR is therefore considerable. Each local authority must define the priorities of the worksites, and support the various services impacted in this compliance project. Aware of the constraints weighing on local authorities, OpenField can assist you in this compliance process and provide you with all the recommendations you need to put in place to be ready for the GDPR. For more information or to schedule a complete analysis of your establishment, contact our experts today.