When doing business in Denmark, your business is likely to be a so-called “data controller” – primarily if you have employees. However, your business might also become a “data processor” if a core part of your business is to handle personal data from other companies. Examples could be bookkeeping companies or IT-companies processing personal data for others.
Your obligations vary depending on whether your business is classified as a data controller or data processor.
The practical GDPR-challenges when dealing with human behavior
In practice, it is our experience that most companies are very GDPR-aware on a strategic level. Usually businesses will have all the relevant documents, inventories, and GDPR plans prepared and approved on the higher levels of management. The real challenge, however, is the practical implementation; the art of actually getting employees to understand the significance of complying with a wide variety of new security routines on personal data protection. We have been successful in taking the strategic GDPR-documents and transforming them into every-day behavior with our clients. But it takes know-how on both a legal- and behavioral level.
Aside from the behavioral issues, we know that the major challenges businesses in Denmark experience, is completing a full inventory of all their various IT systems and tools. It is relatively easy to complete an inventory of your business’ main ERP system but what about all the various tools your organization is using? If your business is anything like ours, you will be using a wide range of the following: CRM/marketing tools; Mailchimp, Active Campaign, HubSpot. Task management tools; Anything from OneNote, Slack, Monday.com, to Trello. Do not forget to include these in your GDPR-analysis.
You need to be able to document and disclose the following if the authorities come knocking:
An internal inventory of your IT systems:
- which personal information you have in the different IT systems,
- what is the purpose of obtaining and handling personal information,
- the legal basis for processing personal data,
- which internal users have access to the personal information (you are obligated to minimize the number of internal users with access),
- which external companies / persons / programs receive the personal data of your customers and employees? (and are these external companies GDPR Privacy Shield compliant if they are in non-EU locations?)
- what is the legal basis for sharing such personal data with these external companies / persons? (if you don’t have a clear cut right under the Act you are not allowed to share the info at all),
- whether the external companies / persons are within the EU / EEA or not – and in the latter case, what is the legal basis to disclose personal data to them,
- when the personal data is deleted (and practically: by whom and how?).
Is your business 100 % ready for a surprise inspection by the Danish Data Protection Agency?
Let us be honest. Of course your business is not 100 % ready for a so-called “dawn raid” (surprise inspection) by the authorities. No business is.
However, with our help you can get to 95 %, which should keep you away from GDPR-breaches, large fines and loss of reputation.
The Danish Data Protection Agency (Datatilsynet) is the competent authority in Denmark for monitoring compliance with GDPR rules. They are advising, guiding and handling complaints and inspections of authorities and companies.
If the Danish Data Protection Agency carries out a surprise inspection, e.g. in relation to a potential data breach, you need to be able to provide them with the internal information on data handling described above.
In addition, your business needs to document that your employees have received instructions – and regular training – on personal data management.
During an inspection, you would be required to document how you inform your customers of your data collection. This needs to include the customers’ rights in relation to the collected personal data, as well as the purpose of processing their data.
We know that getting to the mythical state of being “GDPR-compliant” in Denmark might seem like an impossible task. However, at Ret&Råd, we have lawyers who specialize in GDPR and are ready to help you quickly and easily through your GDPR-implementation in Denmark. We understand that your business needs practical solutions to its legal challenges – including GDPR.
Contact attorney-at-law Nicholas Ørum Keller, phone +45 46 30 46 82 or e-mail email@example.com.