News

One year with GDPR – now what?

Published
28 May 2019
Seen through EU glasses, it has been an eventful weekend. There were elections to the EU Parliament on Sunday and Saturday, May 25 2019, we marked the anniversary of the General Personal Data Regulation (GDPR). We look back on the past year and make recommendations for ¨work with GDPR compliance in future.

”We have updated our privacy policy”

At the beginning of 2018, GDPR was a somewhat unknown size for many. However, as May 25 came closer, the interest in GDPR increased in many companies. The high level of fines that came with the GDPR, with the risk of penalties of up to 4% of the company's global group turnover by non-compliance, was undoubtedly contributing to data protection being set on the agenda in companies across the country.

Initially, the focus of many was to develop a personal data policy and other GDPR documentation that met the expanded disclosure requirements of the GDPR. In the days up to May 25, 2018 - and on the day itself - most people have also experienced receiving emails from various companies, saying "We have updated our personal data policy".

Many companies now have both personal data policies and internal guidelines on GDPR in place. However, the data protection area is still under constant development, and the personal data policies are therefore only worth something, if they are observed.

The one-year anniversary of the GDPR is therefore a good opportunity to look at the GDPR documentation and internal controls to ensure that there is a clear distribution of who is responsible for following up on which policies.

Create a strong data protection culture

In addition to the GDPR documentation, creating a data protection culture in the company has in many companies been an independent focus area, both at management and employee level. Many companies have also extended their guidelines for when and how employees should process personal data.

However, most people have also come to the realization that data protection work cannot consist of written guidelines alone. It requires that everyone is "in the driver’s seat" and that those, who are responsible for implementing the rules, get around in the company and talk to the employees about how they can (and must) work with data protection in everyday life.

However, in order to get everyone involved, it is also necessary that data protection does not become an obstacle to the work of everyday life, but rather something that is considered as a natural and integrated part of the company's existing business processes as far as possible, e.g. by using automation in places where it makes sense and where it can save the business for resources without compromising on security.

At the same time, it is important to remember that data protection is a parameter that companies increasingly are being assessed by, but also helps to give customers increased security and better customer experiences.

To be or not to be - Data controller or data processor

Another main theme of the first year of GDPR has undoubtedly been the data processing agreements that have given rise to many worries both in companies that buy or sell data processing services and in companies that need to advise on this subject.

When should a data processing agreement be concluded and when is a confidentiality statement sufficient? When are the parties in a collaboration each responsible for data management and when do the parties have a joint data liability? What to do if it is not at all possible to get in contact with the provider of the data processing services?

The questions are many, and it is important that the company determines which of the company's collaborating partners data processing agreements must be entered into and, in particular, the company follows up on the fact that the data processing agreements are concluded and supervises and controls the data processors and sub-processors that the companies employ.

In addition to "the division of roles", part of the data processing agreements that are likely to be more important forward-looking than it is already, is the corporate supervision and control of data processors and sub-processors.

Most data processing agreements include a right for the data controller to supervise the data processor. However, many data processing agreements do not relate specifically to how and how often the supervision has to be conducted, the documentation to be produced and who is to pay the expenses of ongoing supervision. Therefore, many companies will probably benefit from using the one-year anniversary of GDPR as an opportunity to re-evaluate the data processing agreements which have already been concluded by the company.

Lund Elmer Sandager’s suggestions

Many issues continue to arise in the work with GDPR, including both the preparation of GDPR documentation, data processing agreements and declarations of consent, and the practical work with GDPR in corporate life. Below we have therefore prepared a guiding checklist that you can use for inspiration in connection with a potential annual GDPR inspection in your company:
  1. Do we have a process for following up and updating the company's GDPR documentation?
  2. Do we have a security breach process and is there sufficient knowledge of this among the employees in the company?
  3. Have we obtained the necessary consent from both employees and customers and adhere to the obtained consent requirements of both the GDPR and the Danish Marketing Practices Act?
  4. Do we have a sufficient level of security that is tailored to the company's risk profile, including using encryption, backup and other security measures?
  5. Do we have control of the data processing agreements, including a process of compliance monitoring and supervision of data processing agreements?

If you have questions about GDPR and need help to ensure that you comply with the rules, you are always welcome to contact Lund Elmer Sandager's advisors on IT law and Personal data.