The new inspection report from the Danish Data Protection Agency (Datatilsynet) is out. This is important for companies given the consequences of the last inspection Datatilsynet conducted. We’ll spill the beans on what you can expect from the new inspections below.
Before we dive into what the new round of inspections entails, let us look at what has happened since the first round of inspections and why you need to take the new inspections seriously. If you cannot remember what it was all about, read our blog post.
Before the first round of inspections, a common assumption was that "we will not experience an inspection; they will go for the big corporates". That is far from what actually happened. Datatilsynet has conducted inspections across companies of all sizes (see more). And as we could see from the announcement of Datatilsynet's final report, the organisations that were inspected still had problems with the non-manual handling of their clients' personal data.
It is expected that the first cases will be referred to the police shortly on the basis of these inspections. As for companies' own reporting of data breaches to Datatilsynet, the final count was 2,780 reported data breaches. 600 of these are still pending and can expect either a fine or a warning, and the companies concerned can expect an inspection later on.
New inspections: What Datatilsynet will look for
Datatilsynet has announced the most important areas it will investigate when it visits companies. Here are the three areas we found most important for your company.
Subject access request
If you receive a request from a person about the personal data you hold on them, you must respond to that request within one month (the deadline can be extended in complex cases, but the data subject must be informed of the extension within the first month). The inspections will focus primarily on your ability to respond to these requests and on whether you do so diligently. Remember that you are obliged to provide ALL personal data you hold on the individual.
Encryption of e-mails
Alongside getting up to date on how to ensure privacy in general, e-mail encryption is an area you should be aware of. Raise your security baseline by encrypting e-mails in transit whenever they may contain confidential and/or sensitive information. This typically applies in customer service, where you have the closest contact with customers.
Aggregation and comparing of data – B2B sales
Datatilsynet will keep an extra eye on private companies that resell personal data to third parties. Whether you sell or buy this kind of data, be aware of the nature of the data, as it may lead to GDPR breaches.
The known and unknown inspections
Datatilsynet will conduct two types of inspections: planned and ad hoc. We already know the planned type; these are the same as in the first round of inspections. But ad hoc inspections are something you should pay additional attention to. Datatilsynet says the following:
"Ad hoc inspections are typically cases that Datatilsynet has become aware of itself, or through tips from the public and/or the press, and where Datatilsynet decides that the matter is at a stage where it has to open a case of its own…" (source). This means that inspections may be triggered by data subjects themselves, for example a customer or client who complains to Datatilsynet after a subject access request goes unanswered.
Datatilsynet has already received many inquiries and subject access requests from data subjects on this matter. In fact, far more than it expected to receive. And it is acting on these as we speak. So if you think your company could be the subject of one of these complaints, you had better get your house in order before Datatilsynet comes knocking.
If you want to read more about the types of supervision and prepare further, you can do so here (in Danish).