17 March 2020
GDPR: Specific tips on how to avoid fines
Less than two years ago, the EU General Data Protection Regulation came into force, and many companies now face fines. The rulings make the GDPR more concrete, and with it the actions your company has to take in order to comply with the regulation. It is therefore a good idea to put your GDPR efforts under scrutiny, and below we offer some advice on how to go about it.
Evaluate the risk and take action
A good place to start is a risk assessment in which you map which personal data you hold, how they are processed and how great the risk is that unauthorised persons gain access to them. If you conclude that the data are not sufficiently protected, the next step is to determine which measures you need to take to increase security.
Multi-factor authentication, of which two-step verification is one form, may be a relevant measure. With two-step verification, an extra step is added to the login process, requiring approval on both the computer and a mobile device, as we all know from the NemID app. At Hesehus, two-step verification is a measure we have decided to add to a number of internal accesses, such as Windows and VPN login, in order to increase data security for our customers.
Have you already made a risk assessment or would you like to put your present assessment under the magnifying glass? Take a look at the Danish Data Protection Agency's guide to risk assessments on this page (Danish).
Create an overview of your external data processors
Companies often have a number of suppliers and third-party services which either process personal data for which you are responsible (e.g. an e-commerce supplier) or give you access to personal data (e.g. Facebook). To ensure sufficient data security, it is therefore crucial that you have an overview of:
- Which external parties you exchange data with.
- How the data are transferred, processed and protected.
- Whether the data are transferred to countries outside the EU/European Economic Area – including Great Britain after 31 December 2020. Dive into the Danish Data Protection Agency's description of Brexit's influence on the transfer of personal data and get their advice on how best to prepare.
- And last but not least, whether data processing agreements have been concluded with all of them, irrespective of whether you are the data controller or the data processor.
Have you remembered social media?
Company pages on social media such as Facebook, and the data collected there, are also covered by the GDPR. It is therefore important to ensure that you have entered into a data processing agreement with Facebook.
Get the Danish Data Protection Agency’s advice in connection with Facebook here.
ISAE 3000 – Seal of approval for data processors
Just as your customers look for the Danish Ø-label (the Danish state-controlled label for organic food), the Nordic Ecolabel or the Fairtrade label, it may also be an advantage for you to look for an ISAE 3000 declaration from your external data processors. ISAE 3000 is an audit opinion documenting that a data processor complies with the GDPR in certain areas. At Hesehus, we want to give our customers extra assurance, and at the time of writing we are therefore in the final phases of obtaining our own ISAE 3000 declaration.
Delete the data at the right time
Last, but not least, it is important that you have formulated and implemented a deletion policy – this is one of the areas in which many fines are issued. It is therefore a good idea to build the deletion policy into your data processing itself, so that it is as easy as possible in practice to comply with the deletion deadlines you have specified.
If you need inspiration on how to get started with a deletion policy, or on how to quality-assure your present policy, you may benefit from looking at the Danish Data Protection Agency's deletion guide.
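To show what "building the deletion policy into the data processing" can look like in practice, here is a small added example written for this page; it is not Hesehus code and not part of any product. The retention schedule, the data categories and the sample records are constructed placeholders (the periods are illustrative, not legal advice). The point it demonstrates is that each record carries the date its purpose ended, the deadline is computed from the schedule rather than decided ad hoc, records with no retention rule are reported as a finding instead of being silently kept, and the job produces an audit log that names what was deleted without containing the personal data itself.

```python
"""Added example (not Hesehus code): a retention schedule with a deletion job
and an overdue report. Categories, periods and records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed schedule: data category -> days the record may be kept after the
# processing purpose ended (order completed, account closed, ticket resolved).
RETENTION_DAYS = {
    "order_history": 5 * 365,      # placeholder: e.g. bookkeeping obligation
    "marketing_consent": 2 * 365,  # placeholder
    "support_ticket": 365,         # placeholder
    "abandoned_cart": 30,          # placeholder
}

# Assumed reference date for the sample run (the page's own date).
TODAY = date(2020, 3, 17)


@dataclass
class Record:
    record_id: str
    category: str
    purpose_ended: date           # when the reason for keeping the data ended
    deleted_on: Optional[date] = None


def deletion_deadline(rec: Record) -> date:
    """Last day the record may be kept. A category without a rule is itself a
    compliance finding, so it raises rather than defaulting to 'keep'."""
    try:
        return rec.purpose_ended + timedelta(days=RETENTION_DAYS[rec.category])
    except KeyError:
        raise ValueError(f"no retention rule for category {rec.category!r}")


def records_due(records: List[Record], today: date) -> List[Record]:
    """Records past their deadline that have not been deleted yet."""
    return [r for r in records
            if r.deleted_on is None and deletion_deadline(r) < today]


def overdue_report(records: List[Record], today: date) -> List[int]:
    """Days overdue for each record still present past its deadline. Anything
    in this list is exactly what a deletion-policy audit looks for."""
    return sorted((today - deletion_deadline(r)).days
                  for r in records_due(records, today))


def run_deletion(records: List[Record], today: date) -> List[dict]:
    """Delete (here: mark as deleted) everything due and return an audit log.
    The log records ids, categories and dates only, never the personal data."""
    log = []
    for rec in records_due(records, today):
        rec.deleted_on = today
        log.append({"record_id": rec.record_id,
                    "category": rec.category,
                    "deadline": deletion_deadline(rec).isoformat(),
                    "deleted_on": today.isoformat()})
    return log


def make_sample_records() -> List[Record]:
    """Constructed sample data; purpose_ended dates are made up."""
    return [
        Record("cart-1", "abandoned_cart", date(2020, 1, 1)),     # overdue
        Record("cart-2", "abandoned_cart", date(2020, 3, 10)),    # still valid
        Record("tick-1", "support_ticket", date(2018, 6, 30)),    # overdue
        Record("ord-1", "order_history", date(2019, 1, 15)),      # still valid
    ]


if __name__ == "__main__":
    records = make_sample_records()
    print("days overdue before the run:", overdue_report(records, TODAY))
    for entry in run_deletion(records, TODAY):
        print("deleted:", entry)
    print("days overdue after the run:", overdue_report(records, TODAY))
```

In a real system the records would come from the shop database and `run_deletion` would delete or anonymise rows rather than set a flag, but the shape stays the same: the deadline is derived from the policy, the job is scheduled, and the overdue report is what you would show a supervisory authority to demonstrate that the deletion deadlines are actually met.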
How to help our customers
Through our work with the requirements the GDPR imposes on data processors, we have built up strong know-how, and we are happy to help our customers prepare an analysis of the personal data we hold on their behalf through our solution. The analysis contains the following:
- Mapping of personal data and who has access to it – including third party integrations.
- Evaluation of present data processing procedures – including deleting, export and filling of data.
- Review of technical and organisational protection – including division of responsibilities in practice.
Based on the analysis, we prepare a report for you that documents the above items and recommends possible steps you may take to increase data security further. In addition, we always recommend that, based on the report, you enter into a dialogue with your own legal advisors and together with them prepare a final evaluation of which specific actions to take.
Do you need legal advice?
Did you know that FDIH (the Association of Danish Internet Trading) is offering its members free legal GDPR advice from lawyers at Bird & Bird? Learn much more about what it implies right here.
Are you a Hesehus customer?
And are you interested in having an analysis prepared of the personal data you possess through our e-commerce solution?
Please contact our Customer Relations Manager, Casper Bo Jørgensen at: +45 23 30 79 56 or write to cbj@hesehus.dk