First fine from Datatilsynet – what is it about?

Ulrik Nohr
In the wake of Datatilsynet's many inspection visits during the autumn, the first police report has now been filed: Taxa 4x35 has been reported to the police with a proposed fine of DKK 1.2 million! What happened? On 25 March 2019, Datatilsynet announced that it had reported the company Taxa 4X35 to the police and recommended a fine of DKK 1.2 million for violating the rules of the General Data Protection Regulation. 8,873,333 taxi rides were stored with personally identifiable information for longer than necessary and without a legitimate purpose. Taxa 4X35 collects data on customers' rides in a system that records, among other things, the customer's name, telephone number and the ride. For GDPR purposes, they had decided that data would be anonymised after 2 years, but only the customer's name was deleted. The customer's telephone number remained, and it was not deleted until after 5 years. Because the customer's telephone number is personally identifiable information, no anonymisation had taken place after 2 years, and Taxa 4X35 could not demonstrate that it had a legal basis for storing the information for 5 years. In addition, Datatilsynet found that the company's approach to deletion was generally superficial and inadequate. All in all, there are four grounds for the police report (link to the statement): That Taxa 4x35 has not complied with the requirements in…

Second round of hunting has begun

Ulrik Nohr
The new inspection report from the Danish Data Protection Agency (Datatilsynet) is out. This is important for companies given the consequences of the last inspection Datatilsynet conducted. We’ll spill the beans on what you can expect from the new inspections below. Before we dive into what the new round of inspections entails, let us look at what has happened since the first round of inspections and why you need to take the new inspections seriously. If you cannot remember what it was all about, read our blog post. Before the first round of inspections, a common assumption was that “we will not experience an inspection. They’ll go for the big corporates”. This is far from what actually happened. Datatilsynet has conducted inspections across all company sizes (see more). And as we could see from the announcement of the final report from Datatilsynet, the organisations that were inspected still had problems with the non-manual handling of their clients’ personal data. It is expected that the first cases will be filed with the police shortly based on these inspections. In terms of companies’ own reporting of data breaches to Datatilsynet, the final number was 2,780 data breaches declared - 600 of these…

Expert tip: How to fill out and use GDPR templates in your company

Ulrik Nohr
So, you got a GDPR template package during the GDPR frenzy (if not – get ours here for free). By now, you know it’s a legal requirement to do something about personal data, i.e. GDPR… But the templates you received look terribly boring. Moreover, what do you actually do with them? How do I input the right information in the right places? What is my legal basis for collecting personal data? What is my legitimate use of personal data? At this point my guess is, you’d rather watch white paint dry than fill out GDPR templates. Do not worry: we’ve got your back. In this post, we will provide some guidance and hopefully get you from the above outset to “Aaaah – that’s what it is…”. First, we will start with some general introductions to get the full picture, and then we will go into the specific templates. 1. Introduction The General Data Protection Regulation (“GDPR”) has entered into force throughout Europe and as a company, you should be dedicated to observing all relevant regulation. GDPR is all about personal data and how to safeguard it, minimize handling of it and have sufficient measures in place. The rules are important…

The GDPR hunting season is open:
The Danish authority Datatilsynet has announced first shots will be fired

Ulrik Nohr
Datatilsynet (Danish Data Protection Agency) has announced the types of companies they are targeting first and on which grounds. It will be the first test of companies’ efforts to comply with the General Data Protection Regulation (GDPR). And it is happening as we speak. So, let’s dive into how Datatilsynet will conduct their supervision and who will be the first companies to be audited. The 27th of June was the day Datatilsynet released their “GDPR supervision-plan”. The plan contains information about two areas: Which sections of GDPR are their focus? Which industries and institutions will they target first? Mails from loyalty clubs and dating services are investigated Unless you’ve been sleeping under a rock, it has been almost impossible to avoid the data bombing of your e-mail inbox – leaving it utterly destroyed, as companies wanted to renew your consent to receive information from them. This was a direct consequence of companies trying to comply with the GDPR. Datatilsynet describes the phenomenon as follows: ”…thousands of Danes [experienced, ed.] having their inboxes filled with e-mails from, in particular, private companies which, with reference to the new data protection rules, either asked for a (renewed) consent to be able to continue processing personal data…

9 steps towards GDPR compliance

Ulrik Nohr
The General Data Protection Regulation (GDPR) came into effect on the 25th of May. We now live in the GDPR era where compliance needs to be as natural a part of your business as water is to fish. This doesn’t mean that the transition is easy. Compliance is a long and close to never-ending journey. We recommend that you divide the effort into smaller, doable steps and conquer them one by one. We wanted to collect some of the insights that we got when scouring through numerous reports on how to prepare and handle GDPR. So, we have compiled a list of 9 steps that you should tick off in your business. At the end of the article, we have provided all links to the reports. 1) Locate and map the personal data in your company Start by understanding where personal data exists in your company. Hint: It’s everywhere. The top-four sinners are e-mails, file storages, Enterprise Content Management Systems (ECM) and cloud apps. Locating and mapping all personal data is a daunting task, so get the help you can. Make use of tools out there. And yes, we can help you with part of that automatically, but…

GDPR snapshot: How ready are companies really?

Ulrik Nohr
Ok, so GDPR is on everyone’s lips these days. It’s not without reason. But there’s a lot of clutter out there. Do X, do Y, do Z – where do you even start? The confusion can be frustrating. When we feel unsure about a situation, we usually look to our peers to see how they are dealing with it. Spoiler alert. They are doing the exact same thing as you – looking around for someone who’s doing a great job being GDPR compliant. The truth of the matter is that it is a rare sight to find a company that is GDPR compliant. Of course, there are companies that think they are compliant – but are they really? We compiled some GDPR statistics that can give you some comfort if you think you’re the only one not being compliant. We’ve also included some statistics about where personal data is located. The fact of the matter is: You can’t be GDPR compliant if you don’t know where the personal data are in your company. Resources: Association for Information and Image Management, Spiceworks, SAS