Four candles for the privacy law
Four years ago on 25 May 2018, the GDPR came into force. It introduced more rules for organisations to ensure that they would be accountable for how they process personal data. The privacy law was also supposed to give people more say and control.
Bits of Freedom wondered how well the law works in practice. So, they decided to conduct research among municipalities. These are per-eminently the organisations that process many different and very sensitive personal data of citizens, often without citizens having a choice in the matter. Municipalities may and must process personal data because of a legal task or obligation.
Bits of Freedom chose the ten largest municipalities in the Netherlands: Amsterdam, Rotterdam, The Hague, Utrecht, Eindhoven, Groningen, Tilburg, Almere, Breda and Nijmegen. Firstly, because these ten municipalities, added together, process the data of about 3.8 million people. Secondly, small municipalities regularly outsource work to large municipalities, so the state of affairs in large municipalities is also relevant for smaller municipalities. Third, large municipalities serve as role models for smaller municipalities. Bits of Freedom has submitted a request for information to the ten largest municipalities asking them to send them all the reports of the Data Protection Officers from 2017 until now, together with all the reports on information security. Bits of Freedom also asked them to share with us the internal responses to these reports. On the fourth anniversary of the GDPR Bits of Freedom published their report based on these documents.