All companies, organisations and public authorities that store and process personal data will soon be required to comply with the new personal data rules. However, getting to grips with new legal text can be quite a complex matter.
Some companies devote a lot of resources to staying up to date and compliant with legislation, while others take a more superficial approach and a few choose to completely ignore it or simply overlook it. But failing to adhere to adopted rules and laws can be just as complex and confusing – not to mention expensive.
The EU has drawn up new, stricter rules for the processing of personal data that will have a significant impact on all Danish companies. Do you also find it hard keeping up with current and new rules? Are you unsure how your business is preparing for the new initiatives? Then read on.
Personal data protection in brief
In 2015, the Data Protection Agency presented a number of new minimum requirements for the processing of data by the personnel administration of companies. In April 2016, new EU rules on personal data were adopted – and it is these rules that will come into force on May 25, 2018.
But what is the nature of the rules? In short, they concern how the company processes personal data. That means:
- How is the data collected?
- How is the data used and shared?
- How is the data deleted when it is no longer needed?
When we talk about personal data, it can be divided into two categories: sensitive data and ordinary, non-sensitive data. How data should be processed depends on which category it belongs to.
Type of data
”How the different types of data should be processed depends on which systems you have,” says Lisbeth Lindorff Riis, Head of HR Legal at Azets.
How should you prepare for the new personal data rules?
”Taking the right precautions and making adjustments to regular working procedures is important because a violation of the new EU rules could end up costing up to 4% of the company’s global turnover”, stresses Lisbeth Lindorff Riis.
Below, we have compiled a number of tips on how to adapt the company to the new rules.
Personal data must be prioritised - including by management
The new rules will place greater demands on the company’s processes. The increased quantity of documentation will require the drawing up of written guidelines, procedures and policies on how personal data is processed.
Thus, successful alignment with the new rules requires prioritisation of:
- Time and resources for developing written guidelines
- Clarification of the current situation
- Planning for competence development
- The need for investment in systems
- Ongoing follow-up on compliance with the rules
Clarify the data handling process
Efficient IT systems will not do on their own. Staff must also know how to use them – and what they should not be used for. Most importantly of all, it must be clarified how personal data – for example, relating to applicants or to past and present employees – is processed. it is therefore recommended clarifying the following:
- What kinds of personal employee data may be processed?
- How can the personal data be processed – and for how long?
- Which employees are allowed to access the stored data?
- In what cases must employees give permission for their data to be used?
- How is data such as the e-mail accounts of former employees processed?
- Is it permissible to publish data on intranets or websites?
- To what extent can companies monitor employees’ email and internet use?
- In what cases should you report personnel administration to the Data Protection Agency?
Competence development in focus
Furthermore, it is important to focus on further developing the responsible employees’ competences. They must always be up to date with the latest rules, be superusers of the systems in question, and ensure that everything is properly documented and/or that all rules are complied with.
”If there is no control over the processing of personal data, it can have major consequences for the company. So it is extremely important that management gives the employees the right qualifications for the job,” says Lisbeth Lindorff Riis.
Keep track of data with IT
Both large and small companies quickly acquire a lot of data. As a company, it is important to invest in a system that not only keeps track of all the data, but also provides documentation for the authorities that you are compliant with all relevant regulations.
For example, this might be a system that assures and documents your legal basis for collecting personal data.
Do you need help mapping your current situation, creating a strategy for complying with the new EU legislation, or perhaps drawing up an effective follow-up programme for implementing the new systems and processes? Then get in touch with Azets to arrange a meeting where we can evaluate your current situation and how you can ensure that you comply with the new rules on the processing of personal data.
Want more information?
You are always welcome to give us a call. If you want us to contact you, fill in the form and we will contact you as soon as possible.