The agreement sets as objectives the verification of the degree of adequacy of the City Council to the measures and controls specified in the GDPR and the LOPDGDD as well as in its implementing regulations, identifying its shortcomings and proposing the necessary corrective or complementary measures, according to the protocols of the Spanish Data Protection Agency.
At the same time, the contract requires verification of whether the processing operations registered in the Madrid City Council's Registry of Activities comply with the provisions of the RGPD and the LOPDGDD, in addition to establishing the methodology required for the implementation of both regulations and for carrying out risk analyses and data protection impact assessments.
Following the guidelines, and as a step prior to the start of the project, we carried out a preliminary analysis of all data processing carried out by the municipality, and established a methodology for the implementation of risk analysis techniques and impact assessments, through the pilots foreseen by the RGPD, the National Security Scheme and other recommendations of the Spanish Data Protection Agency.
The project, which has been carried out in 12 weeks, was divided into two 30-day phases. And it has been carried out by a technical director, two experts in data protection and an expert in technology applied to data protection.
Prior data control structure of the consistory
The City Council has so far had a Database of the data Treatment Activities (BDAT), which includes the information required in the regulations for the RAT -registration of activities treatment -, as well as additional information on each treatment, necessary for the management of data protection. This BDAT includes information from almost 350 treatments, more than 80 controllers and almost 120 interlocutors on data protection matters.
In the Madrid consistory, the role of data protection delegate is exercised by the General Director of Transparency, Electronic Administration and Quality through the Office of the Data Protection Delegate (ODPD), while the responsibility for the treatment corresponds to the City Council management centers, which are located in Government Areas, Districts and autonomous bodies.
Applying this new developed methodology, the Madrid City Council has managed to verify the degree of regulatory compliance in the field of data protection as well as establish a methodology appropriate to its reality with which to ensure the achievement of the objectives over time.