5 February 2018

GDPR - the new General Data Protection Regulation

On 25 May 2018, EU’s new General Data Protection Regulation becomes effective. The new regulation highly emphasises documentation, and the consequence of not having one’s data under control may be fined with up to 4% of your annual turnover. We help you to become ready.

What is GDPR?

In 2016, new rules were adopted for processing of personal data, known as GDPR (General Data Protection Regulation), which becomes effective on 25 May 2018. For Danish companies, the new rules replace the Act on Processing of Personal Data from 2001.

Basically, GDPR is a modernisation of the old law on processing of personal data which no longer can keep up with the technological development. This means that the articles of the new General Data Protection Regulation are more or less unchanged, however, with increased attention to compliance and thus increased risk of penalty, while other articles involve new initiatives.

With the increased risk of penalty and the very high fines, the companies are forced to get a total overview and control of their data processing flow. Many companies have previously not attached much importance to personal data security since it has not been considered as particularly business critical but with the new General Data Protection Regulation, it will be a competitive parameter to have one’s data under control – a parameter which we would be happy to help you win!

Right to be forgotten

The largest attention regarding the new General Data Protection Regulation is concentrated on the right of the data subjects to be forgotten. In reality, this right is not new but the increased attention in the new General Data Protection Regulation means that you as a company must have the processing and storage of your data under total control to live up to the requirement.

First of all, all data subjects – in your case this is most often your customers – shall voluntarily, specifically and ambiguously have given their consent to your processing of their personal data. In addition, it shall be possible for the data subjects to have access to the personal data at any time which you as a company have on the person in question, have the option of changing and have information updated and at any time have the opportunity of having the information deleted or anonymised.

For this to be possible, it is therefore important that you can document your processing of personal data, including: collection, registration, storage, adjustment or modification, recovery, use, transmission, linking or integration, limitation, deletion or destruction. This means that the first and largest step towards living up to the new General Data Protection Regulation is that you map and document where, how, when and by whom your data is processed.

The 7 principles of the regulation

Lawful, fair and transparent processing
Consent and information about the controller shall be given and processing of data must be available

Purpose limitation
A specific purpose for the collection of data must exist

Data minimization
The company only collects data which is relevant

Accuracy
Data must be updated to ensure that the information is always correct

Storage limitation
Data shall only be stored as long as it is necessary

Confidential and secure​​​​​​​
Data must be processed confidentially and reliably

Accountability and liability
The company is responsible for compliance of the principles and the burden of proof rests with the company

Checklist from DI Digital

To help companies with an overview of the new General Data Protection Regulation, DI Digital has developed a checklist with questions related to the most important issues. It is therefore important that you can answer these questions:

1. Are you subject to the regulation?

2. Is the information that you want to process subject to the regulation; is the information to be considered personal data?

3. What categories of personal data do you want to process?

4. What processing operations do you want to make?

5. Do you play a role as controller or processer in relation to the specific processing operations?

6. Do you have a legal basis to process the requested categories of personal data?

7. Do you fulfil the principles for processing the data?

8. Is the processing required (proportional)?

9. Can you handle information in a less intrusive way and still achieve the purpose?

10. Do you fulfil the rights of data subjects when processing personal data?

11. Do you fulfil your obligations (including transfer and security) by processing personal data?

12. Do special conditions apply for your processing of personal data?

At www.di.dk/persondata, DI also offers a number of specific tools to help companies implement the General Data Protection Regulation and the various items in the checklist.

This is how we help our customers

In Hesehus, we would like to help our customers get ready for the new legislation by preparing an analysis of the personal data you are in possession of through our solution. The analysis contains the following:

  • mapping of personal data and who has access to it – including third party integrations.
  • identification of areas which do not live up to the regulation at present – including consent for the collection of data and deletion, export and filling of data.
  • review of technical and organisational protection – including division of responsibilities in practice.

Based on the analysis, we prepare a report for you which contains documentation of the above-mentioned items and recommendations for necessary changes such as the handling of the use of third party software, division of user access and similar allowing you to live up to the new General Data Protection Regulation.

Furthermore, we will of course also help you with the preparation of a data processor agreement between you and us as a supplier. The purpose of the data processor agreements is to ensure that the requirements, which you have to comply with as controller, are satisfied and apply to your suppliers.

The countdown has started!

New legislation can be a handful and it often ends up being postponed because it is time-consuming to get acquainted with – but a lot of money can be at risk.

Companies that do not comply with the new General Data Protection Regulation on 25 May 2018 may risk fines of up to 4% of the annual turnover or a maximum of EUR 20 million.

It is therefore important that you get an overview of the new rules and what they mean to you.

Call us and let us together make sure that you are 100% ready when the new General Data Protection Regulation becomes effective in May.

More news

More news from Hesehus