17 March 2020
GDPR: Specific tips on how to avoid fines
Less than two years ago, the EU General Data Protection Regulation came into force, and now many companies face fines. The judgements help make GDPR concrete, and with it the actions your company has to take in order to comply with the regulation. It is therefore a good idea to put your GDPR efforts under scrutiny, and we will give you some good advice on how to go about it.
Evaluate the risk and take action
A good place to start is a risk assessment in which you look into which personal data you have, how they are processed and how big the risk is that unauthorised persons gain access to them. If you estimate that the data are not sufficiently protected, the next step is to clarify which steps you need to take to increase security.
Multi-factor authentication, which also comprises two-step approval, may be a relevant initiative. Two-step approval adds an extra step to the login process, requiring a login on both computer and mobile, which we all know from the NemID app. At Hesehus, we have decided to add two-step approval to a number of internal accesses, such as login to Windows and VPN, in order to increase data security for our customers.
Have you already made a risk assessment or would you like to put your present assessment under the magnifying glass? Take a look at the Danish Data Protection Agency's guide to risk assessments on this page (Danish).
Have you remembered social media?
Company pages on social media such as Facebook, and the data collected there, are also covered by GDPR. It is therefore important to ensure that you have entered into a data processing agreement with Facebook.
Get the Danish Data Protection Agency’s advice in connection with Facebook here.
How we help our customers
Through our work with the requirements that GDPR imposes on data processors, we have built strong know-how, and we are happy to help our customers prepare an analysis of the personal data that we have in our possession through our solution. The analysis contains the following:
- Mapping of personal data and who has access to it – including third party integrations.
- Evaluation of present data processing procedures – including deleting, export and filling of data.
- Review of technical and organisational protection – including division of responsibilities in practice.
Based on the analysis, we prepare a report for you that documents the above items and recommends possible steps you may take to increase data security further. In addition, we always recommend that, based on the report, you enter into a dialogue with your own legal advisors and together with them prepare a final evaluation of which specific actions to take.