Most Frequent GDPR Questions Answered by our Experts

Six years have passed since GDPR came into full effect. What have been the most frequent questions among our clients?

How can we work with personal data protection?

To create a proper level of data protection within an organization, the following measures are recommended:

Create a Data Protection framework – The company needs a data protection framework that clarifies what needs to be done and how it should be done. The framework includes internal steering documents, instructions, templates and clear processes for the daily work. All organizations need to start with a Data Protection Policy that provides the strategy, ambition and overall guidelines for the processing of personal data within the organization. This sends a message of awareness and shows that the organization takes these matters seriously. The organization then needs clear instructions, procedures and templates describing how personal data is processed and how the demands of the GDPR are met.

Training and Awareness – All employees, including management, need to be given a data protection and security training program. The program should be updated and repeated regularly.

Access Controls – Access to personal data needs to be restricted to those who need it for their role, and it needs to be monitored and controlled.

There is much more that needs to be done when it comes to data protection work. However, if you choose one takeaway, it is the importance of knowledge within the organization about where the responsibility lies and where the biggest risks are located. Systematic and continual privacy and data protection work requires both knowledge of the GDPR and commitment from the organization's management. Compliance with the GDPR therefore requires coordination at several levels in the organization. By investing resources and setting priorities, management defines the framework for the organization's data protection work. All employees need to be aware of their role, their responsibilities and the importance of their individual work in order to create a well-functioning data protection program throughout the organization.

How should we work with the risks we identify in our day-to-day data protection practice?

We cannot stress enough how important it is to work towards compliance with the GDPR on a daily basis. Therefore, you need to define, and be aware of, who is responsible for the data protection work within the organization and which areas and risks should be prioritized.

This is something many organizations are struggling with, and we therefore want to clarify a few things.

Who is responsible for data protection risks within the organization?
In order to have an efficient data protection organization and work with privacy matters in a sustainable way, meaning without the work becoming financially or socially costly, you need to ensure that your organization has a clear distribution of roles and responsibilities.

Board of Directors and Management – The Board of Directors and the Management of the organization need to set the direction and the strategy for the data protection practice. The direction and strategy should be set as early as possible, since they determine the level of personal data protection the company will reach in the future.

Employees – All employees play a highly important role in the data protection work throughout the business. Everyone in the organization must learn how to practice personal data protection on a daily basis.

Third parties – If the company uses third-party vendors or cloud service providers, those vendors or service providers must have proper security measures in place to protect the data. This needs to be specified in a Data Processing Agreement between the parties (article 28 GDPR).

To summarize, the formal responsibility for protecting personal data lies with the Board of Directors and the Management, but awareness is needed from everyone in the organization. Everyone needs to contribute in order to ensure that the data protection strategies work effectively and that the company works with privacy in a sustainable way.

What is a DPIA – how is it done and why is it needed?

The quickest answer to the question “What is a DPIA?” is as follows.

A DPIA is an assessment of the consequences, or possible consequences, that processing personal data may have for the individuals concerned. The answer is quick, but the DPIA itself is not simple.

A Data Protection Impact Assessment (DPIA) is required under article 35 of the GDPR whenever you begin a new project or processing activity that is likely to result in a high risk to the rights and freedoms of natural persons. Examples of situations that require a DPIA are the use of new technologies, tracking of people's location or behavior, and systematic monitoring of a publicly accessible area on a large scale.

The DPIA is conducted in several steps. You need to provide a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller. Furthermore, you need to assess the necessity and proportionality of the processing operations in relation to the purposes, and you need to assess the risks to the rights and freedoms of the data subjects together with the measures envisaged to address those risks.

The main purpose of the DPIA is to protect the data subjects from risks. Therefore, in the assessment itself, you need to decide whether the risk is proportionate in relation to the purpose of processing the data, which tends to be a difficult question to answer.

In addition, the DPIA is used to demonstrate compliance with the GDPR in the event of an audit by the data protection authorities (DPAs). Therefore, and of course for the sake of the individuals' privacy and of building sustainable privacy practices, you need to shape an organization that works continually and systematically with data protection, among other things through DPIAs.

Do we need to notify the DPA if there has been a personal data breach?

There is no simple answer to this question, unfortunately; a personal data breach requires a case-by-case assessment.

The main rule is that you must notify the DPA unless it is unlikely that the breach results in a risk to the rights and freedoms of natural persons. The deadline for notifying the DPA is 72 hours from when the data controller became aware of the breach; if the notification is made later than that, it must be accompanied by the reasons for the delay. A processor that discovers a breach must notify the controller without undue delay, so the 72-hour clock for the controller depends on that notification arriving promptly.

This means that you need to assess, as quickly as possible, the potential negative consequences the breach may have for the data subjects. Many factors are relevant when assessing the risk to, and the effect on, the data subjects. You need to consider situations that can result in physical, material or non-material damage. This can include loss of control over personal data, limitation of rights, discrimination, identity theft or fraud, financial loss, damage to reputation and loss of confidentiality of personal data protected by professional secrecy. It can also include any other significant economic or social disadvantage to the individuals concerned. Therefore, you need to carry out the assessment with a broad view of what the "risk" may entail.

In the assessment you should consider the following:
– how serious and significant the risks are, and
– how likely the risks are to occur.

A few further factors must also be taken into consideration, to name a few:
– the nature, sensitivity and volume of the personal data,
– how easily the data, directly or indirectly, can be used to identify an individual, and
– whether the incident risks leading to, for example, identity theft, fraud or damaged reputation, in which case the consequences of the breach are considered particularly serious.

Unless it is unlikely that the personal data breach will result in a risk to the data subjects, you must report it to the DPA. When the personal data breach is likely to result in a high risk to the rights and freedoms of the data subjects, you must also communicate the breach to the data subjects without undue delay.

So, it is crucial to perform and document a thorough assessment, and, once again, there is no easy answer to the question. You have to look carefully at each breach, case by case, and analyze the risk that may arise. Note that every personal data breach must be documented internally, including the facts, its effects and the remedial action taken, even when you conclude that no notification to the DPA is required.

We are planning to start using a new smart service that processes personal data – are we allowed to do that?

The following list summarizes the most central parts of the privacy work you need to do in order to be compliant with the GDPR and to protect individuals' integrity and privacy.

Legal basis – You must have a valid lawful basis for processing personal data. There are six available lawful bases for processing. Which basis is most appropriate depends on your purpose and your relationship with the individual. You find them in article 6 of the GDPR.

Transparency – Transparency is a core principle of the GDPR, and it affects several essential areas. It mainly affects how businesses interact with data subjects and gives them a right to information, which means you have to inform the data subjects about, among other things, who the controller is, the purposes and legal basis of the processing, the recipients of the data, the retention period and the data subjects' rights. This information must be given when the data is collected from the data subject or, when the data is obtained from another source, within a reasonable period and at the latest within one month. You will find more about the transparency requirements in articles 13–14 of the GDPR.

Purpose limitation – legitimate and specified – Personal data should only be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Read more about purpose limitation in article 5.1 b of the GDPR.

Data minimization and storage limitation – Processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data is processed. This means that you should not collect or process more data than necessary for the purpose. The period for which the personal data is stored should also be limited to what is necessary for the purpose. In order to ensure that personal data is not kept longer than necessary, the controller should establish time limits for erasure or for a periodic review. Read more about data minimization and storage limitation in articles 5.1 c and 5.1 e of the GDPR.

Accuracy – You must ensure that the personal data is accurate and kept up to date. This means that you must take every reasonable step to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. Read more about accuracy in article 5.1 d of the GDPR.

Security measures – You must make sure that you process personal data in a manner that ensures appropriate security and confidentiality. This means protection against unauthorized or unlawful access to personal data, and it means verifying that the service uses appropriate technical and organizational measures. Article 32 gives examples of such measures: pseudonymization and encryption, the ability to ensure the confidentiality, integrity, availability and resilience of the processing systems, the ability to restore availability and access to the data in a timely manner after an incident, and a process for regularly testing and evaluating the effectiveness of the measures. Ask the provider to show how it meets these points before you sign. Read more about security measures in articles 5.1 f and 32 of the GDPR.

Documentation – Before using the new service you will most likely need to carry out one or more assessments. These are important not only to assess compliance with the GDPR, but also to be able to evidence your work as a data controller in the event of an audit by the DPA. Read more about the accountability principle in articles 5.2 and 24 of the GDPR.

The most common assessments are:
– LIA – Legitimate Interests Assessment, article 6.1 f GDPR.
– TIA – Transfer Impact Assessment, article 46 GDPR.
– DPIA – Data Protection Impact Assessment, article 35 GDPR.

ROPA – You should also ensure that the new processing activity is included in your Record of Processing Activities (ROPA). Read more about the ROPA in article 30 of the GDPR.

Cecilia Frank

Director, Data Privacy

Pia Rosengren

Partner & Head of Data Privacy