Published: 30.04.2018. By Uffe Hansen
The threat of major fines for incorrect handling of personal data is keeping Danish companies busy these days – to a degree that Deputy Director Kim Haggren, who is responsible for DI’s work with the EU data protection regulation, has not seen before.
The penalties are severe, says Kim Haggren, but it is up to the courts to determine their enforcement.
“Realistically, one has to acknowledge that very few companies will be 100 per cent equipped to properly handle personal data by May. We therefore hope that authorities’ primary focus will be on guidance rather than sanctions if it is clear that the company is striving to handle and store personal data correctly,” he says.
However, this will require a new work culture at many companies and among individual employees, because many are not accustomed to handling personal data in such a structured and documented manner. Whole new routines for archiving data and cleaning up are necessary, and this means there are likely to be details not yet in place by May.
In recent months, the Confederation of Danish Industry has been in contact with over 2,000 businesses at nearly twenty member meetings. On these occasions, there have been plenty of questions about legislation, which isn’t always entirely clear-cut. Generally speaking, there are no major changes from previous rules. Rather, it is the sanctions that have been increased.
“There has been great interest and a whole lot of questions. The meetings have been necessary, because in many areas, the legislation is not particularly concrete, and our companies require more detailed information about what to do,” explains Kim Haggren.
In particularly serious cases, where a company is found guilty of entirely disregarding the data privacy regulation or selling personal data behind the backs of those involved, fines are in order, says DI.
Another important factor is how Danish authorities handle the rules compared to other EU countries. Ideally, there should be an overall harmonisation; otherwise, it may affect competitiveness.
“It will cause problems if Danish authorities enforce the rules in a way that differs significantly from their colleagues in the rest of the EU. Enforcement must be harmonised across countries, but this will be made difficult by national particularities, such as Denmark’s CPR system, which must be integrated,” says Kim Haggren.
In their efforts to ensure compliance with the data protection regulation, companies often make use of external consultants and advisers.
In these situations, Kim Haggren recommends that companies prepare and delimit the task. Otherwise, they risk quickly running up a bill.
“It is necessary to do some prior legwork to gain an overview of what data you have, where it’s saved and so on. From there, you can use consultants for specific tasks within e.g. legislation, IT and work processes,” he advises.
According to the most recent survey among the members of DI’s Business Panel, three out of ten companies have opted to invest in external support to get ready for the new data protection regulation.
This is in large part due to the fact that many companies lack these competences in house. Consultancy services are therefore seen as a cheaper and easier option in comparison to hiring employees to solve the task on their own.
DI has developed tools for how to get started.
Five tips for personal data
1: Gain overview
Find out what information you have about employees, customers etc. Ask each department and map your IT systems. Next, you must ensure that you have a legally valid reason to store these personal data.
2: Clean up
Make sure to adopt deletion routines. The law says businesses are not permitted to save personal data for longer than necessary. How long is that? It depends on the specific situation, but in all cases it is forbidden to save data indefinitely.
3: Uphold rights
The individuals you have information about have a number of rights. You are obligated to provide them with certain information when collecting their personal data, and they have a right to insight and may file a complaint.
4: Implement security measures
You must ensure that personal data is sufficiently protected. You are required to implement technical security and organisational security measures. In addition, you must remember to inform the Danish Data Protection Agency within 72 hours if you experience a security breach such as hacking.
5: Document your work
You must be able to demonstrate compliance with the rules, explain how you fulfil the individual obligations in the law and keep records of your work with personal data.
Source: Kim Haggren, DI