The Tax and Customs Administration is an executive agency of the Dutch government, responsible for levying and collecting taxes, paying out benefits and enforcing tax laws and regulations. Due to the scope, complexity and social impact of its services, the organisation processes large amounts of personal data. This means that high standards apply to information security, privacy and data quality.
Within this framework, the Tax and Customs Administration worked to strengthen compliance with the General Data Protection Regulation (GDPR), with a particular focus on providing insight into risks and ensuring compliance within various business processes. To this end, fourteen GDPR quick scans were carried out, systematically mapping out processes and data processing. The schedule was designed for timely delivery, so that the results could feed directly into internal reporting and decision-making.
Issue
The central issue concerned identifying, prioritising and mitigating high GDPR risks within various business processes. The objective was to achieve full compliance with legislation, regulations and internal guidelines before the set deadline. In addition, it was essential to provide management with clear insight into the progress, risks and outcomes of the quick scans, so that timely and well-founded decision-making remained possible.
Approach
The project was carried out using a structured and results-oriented approach. Project plans were drawn up and coordinated, including tight schedules, weekly progress reports and final reports for management. Acceleration sessions were organised to analyse risks in depth and to develop mitigating measures or acceptance strategies together with subject matter experts, privacy experts and business analysts.
Thanks to frequent progress reports and timely escalation in the event of delays or capacity issues, management was kept constantly informed with up-to-date insights. High-priority risks were accepted or mitigated in a timely manner in accordance with the GDPR and BIO guidelines.
Throughout the project, direct reporting took place to senior management, with progress, points of attention and necessary decisions being regularly coordinated.
Project activities and multidisciplinary teams were managed with a constant focus on compliance with legislation, regulations and internal frameworks. Stakeholder relationships were actively managed and, where possible, process improvements were implemented to increase efficiency and quality. In addition, a Risk Appetite Statement was drawn up and formalised, clearly defining the organisation's risk appetite and strengthening decision-making around risk management.
Result
This approach led to the successful completion of all fourteen quick scans within the set deadlines. The most significant GDPR risks were mitigated or formally accepted in a timely manner, thereby achieving demonstrable compliance with the GDPR and BIO guidelines. The organisation now has a complete risk profile, clear control measures and a formalised Risk Appetite Statement that provides direction for future risk management. In addition, processes have been streamlined, cooperation has been improved and the structural safeguarding of privacy and information security has been strengthened.
