From May 2018, the new EU General Data Protection Regulation (GDPR) will take effect in Denmark as well as the rest of EU. This will have a huge impact on the way companies store, manage and treat personal data.
The rules in the Personal Data Act are complex and the amount of documentation required is high. If your company does not comply with the regulations when handling personal information, it may result in harsh fines
The regulation controls when and how personal information is to be processed, including collection, registration, systematization, storage, use and disclosure of these data. The overall purpose of the act is to ensure that the individual’s legal protection and integrity is not violated in connection with the processing of personal data. The Personal Data Act includes public authorities, private companies, associations, etc. Personal data is not only data collected from your customers, but also data pertaining to your employees!
The primary goal of the new EU Personal Data Regulation is to increase data security for the individual citizen through uniform rules within the EU. The regulation contains more stringent requirements for IT security, organizational security and information and consent requirements. Violations can result in large fines of up to 4% of the annual worldwide turnover of a corporation!
Principles when processing data under GDPR
- Lawfulness and fairness: Personal data will be processed in a lawful and fair manner and in accordance with the data subjects’ rights.
- Purpose limitation: Personal data will only be collected for specified, explicit and legitimate purposes. Further, personal data will solely be used for the purposes for which the data was originally collected for.
- Transparency: When collecting personal data from data subjects or via third parties, it will be ensured that the data subject(s) in question will be provided with the information required by applicable law. Furthermore, data subjects are at all times entitled to request information on what personal data is collected about them.
- Data minimisation: Any personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy: Any personal data processed shall be accurate and, where necessary, kept up to date.
- Storage limitation and retention: Personal data will only be processed in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are collected and processed. Retention procedures and policies to ensure personal data is deleted in a correct manner must be in place.
- Confidentiality: Any personal data that is processed are regarded as confidential information. Companies must guarantees confidentiality by ensuring its employees are aware of the confidential nature of personal data and by educating its employees on how personal data may be processed.
What do I need to do?
- Update or create internal data policies and processes
- Inform and train your organisation on how to implement these policies and processes
- Monitor that the policies and processes are up to date and implemented correctly. If your organization is large enough, you must assign a Data Protection Officer who is responsible for this.
What does this mean for my IT systems?
It means that you need to make sure your IT systems and IT partners live up to the regulation.
- Create Data Processing Agreements with all data suppliers, including but not limited to hosting, billing, payroll, marketing and advertising services that process your data
- If your data processer is located or stores data without EU borders, further documentation is required in order to comply.
- Make sure your IT systems can comply with the new rules.
- Inform and gain consent to and from all data subjects before collecting data
- Information must be given on what data you collect, how it is used and whom you share data with
- Consent must be given on an opt-in basis, meaning that data subjects must explicitly give their permission
- Data subjects whom you have collected data on, must be able to:
- Get a list of all the data
- Have all their data deleted
- Have all their data exported, in a way that makes it possible for them to move data to a competitor
- Have their data updated
- Systems must be designed with privacy in mind, meaning that:
- No more than the needed data must be collected and stored
- Data must be erased, when there is no longer a valid reason to store it
- Data must be protected, so that it will only be available for individuals and processes that have a valid reason to access it
- Security must be thought of as an integral part of the systems
- Access control and logging of access entries
- Data must be encrypted, anonymized and controlled in such a manner, that no one without proper access can read, edit or delete any data. This also applies to backup data, printed data etc.!
- Inform and gain consent to and from all data subjects before collecting data
Let us, help you to comply with the new rules, and you will not only be able to avoid risking violations; you can also brand your company as being conscience about your customer’s personal information. We can help you formulate your data policies, using our experience working with one of the major law firms in Denmark, prepare your IT systems and make a risk analysis of your organizations processes in regards to the General Data Protection Regulation, GDPR.