One year with GDPR – now what?

Seen through EU glasses, it has been an eventful weekend. There were elections to the EU Parliament on Sunday, and on Saturday, May 25 2019, we marked the first anniversary of the General Data Protection Regulation (GDPR). We look back on the past year and make recommendations for the work with GDPR compliance in the future.

"We have updated our privacy policy"

At the beginning of 2018, GDPR was a somewhat unknown quantity for many. However, as May 25 came closer, interest in GDPR increased in many companies. The high level of fines that came with the GDPR, with the risk of penalties of up to 4% of the company's global group turnover for non-compliance, undoubtedly contributed to data protection being put on the agenda in companies across the country.

Initially, the focus of many was to develop a personal data policy and other GDPR documentation that met the expanded disclosure requirements of the GDPR. In the days up to May 25, 2018, and on the day itself, most people also experienced receiving emails from various companies saying "We have updated our personal data policy".

Many companies now have both personal data policies and internal guidelines on GDPR in place. However, the data protection area is still under constant development, and personal data policies are therefore only worth something if they are actually observed.

The one-year anniversary of the GDPR is therefore a good opportunity to review the GDPR documentation and internal controls, and to ensure that there is a clear allocation of who is responsible for following up on which policies.

Create a strong data protection culture

In addition to the GDPR documentation, creating a data protection culture has in many companies been an independent focus area, both at management and employee level. Many companies have also extended their guidelines for when and how employees should process personal data.

However, most people have also come to the realization that data protection work cannot consist of written guidelines alone. It requires that everyone is "in the driver's seat" and that those who are responsible for implementing the rules get out into the company and talk to the employees about how they can (and must) work with data protection in everyday life.

However, in order to get everyone involved, it is also necessary that data protection does not become an obstacle to everyday work, but is instead seen as a natural and integrated part of the company's existing business processes as far as possible, e.g. by using automation where it makes sense and where it can save the business resources without compromising on security.

At the same time, it is important to remember that data protection is a parameter that companies are increasingly being assessed by, but also one that helps to give customers increased security and better customer experiences.

To be or not to be: data controller or data processor

Another main theme of the first year of GDPR has undoubtedly been the data processing agreements, which have given rise to many worries both in companies that buy or sell data processing services and in companies that need to advise on this subject.

When should a data processing agreement be concluded, and when is a confidentiality statement sufficient? When are the parties in a collaboration each separately responsible for the data processing, and when are the parties jointly responsible? What should you do if it is not at all possible to get in contact with the provider of the data processing services?

The questions are many, and it is important that the company determines with which of its collaborating partners data processing agreements must be entered into and, in particular, that the company follows up to ensure the data processing agreements are actually concluded, and supervises and controls the data processors and sub-processors that it employs.

In addition to "the division of roles", the part of the data processing agreements that is likely to become even more important going forward than it already is, is the company's supervision and control of data processors and sub-processors.

Most data processing agreements include a right for the data controller to supervise the data processor. However, many data processing agreements do not specify how and how often the supervision is to be conducted, what documentation is to be produced, and who is to pay the expenses of ongoing supervision. Therefore, many companies will probably benefit from using the one-year anniversary of GDPR as an opportunity to re-evaluate the data processing agreements the company has already concluded.

Lund Elmer Sandager's suggestions

Many issues continue to arise in the work with GDPR, including the preparation of GDPR documentation, data processing agreements and declarations of consent, as well as the practical work with GDPR in corporate life. Below we have therefore prepared a guiding checklist that you can use for inspiration in connection with a possible annual GDPR review in your company:
  1. Do we have a process for following up on and updating the company's GDPR documentation?
  2. Do we have a security breach process, and is there sufficient knowledge of it among the employees in the company?
  3. Have we obtained the necessary consent from both employees and customers, and do we adhere to the consent requirements of both the GDPR and the Danish Marketing Practices Act?
  4. Do we have a sufficient level of security that is tailored to the company's risk profile, including the use of encryption, backup and other security measures?
  5. Do we have control of the data processing agreements, including a process for compliance monitoring and supervision under those agreements?

If you have questions about GDPR and need help to ensure that you comply with the rules, you are always welcome to contact Lund Elmer Sandager's advisors on IT law and personal data.