The EU has just adopted the Personal Data Protection Reform, which can bring fines of 4% of turnover or 20 million euros. The Personal Data Regulation is a law everyone must comply with; otherwise there are fines of 4% of turnover or 20 million euros.

IN BRIEF: In December 2015 the Council and the European Parliament reached an agreement on the draft regulation. On 8 April 2016 the Council adopted its position at first reading. The European Parliament adopted the draft regulation on 14 April 2016. It will thus take legal effect at the beginning of 2018. All companies throughout the world are affected if they want to store, transport or process personal data about European citizens.

THE EU COMMISSION’S INTENTION: The draft regulation updates and modernises the principles of the Data Protection Directive from 1995 by laying down the rights of individuals and the obligations of those who process data and/or are responsible for data processing. It also establishes which methods ensure that the rules are complied with, and the scope of sanctions against those who violate them.

WHAT IS COVERED: Personal data as under the previous law, now with the addition of genetic data (for example DNA) and biometric data (such as fingerprints). In addition, it introduces the concept of “pseudonymous data”: a way of handling personal data in which the data and the associated information that helps identify the people behind it are kept separate.

WHO IS COVERED: All EU citizens, with special rules for children: consent for children’s personal data is regulated separately from that of adults, and children under the age of 13 cannot give consent to the processing of personal data in connection with online services such as games, children’s portals, app stores, etc. In addition, a requirement is introduced that so-called “Privacy Impact Assessments” be carried out in a number of situations where the processing of personal data may involve special risks for the individual.

24-72 HOUR NOTIFICATION OBLIGATION: Serious data breaches must be notified to the national data protection authority within 72 hours. Both companies and authorities must in future ensure that personal data protection rules are complied with, and document that this is done by means of internal procedures and privacy policies, also referred to as Privacy by Design and Privacy by Default.

All companies, traders, providers and intermediaries must comply with data protection and this privacy regulation reform

These new data requirements can be expensive for anyone who does not comply with personal data protection. Rekrutteringsfirmaet A/S and VERIO ® provide consultants who can certify enterprises via the VERIO ® FAST TRACK certification scheme, an established review of how effectively the data files that contain personal data are protected in relation to the law. Rekrutteringsfirmaet A/S can also provide an extensive analysis of the value of your security systems, as we have around 120 IT engineers who, online and with logins (hopefully not without), can scan your networks and make diagrams according to the regulation and for the client as a whole, pointing out weak or outdated security, encryption, LAN/WAN/SAN systems, login systems and remote access. In future it is the data collector who is entirely responsible. That responsibility is now placed at the source, and the national data protection agencies are in future the ones you have to call within 24 hours after a data breach is discovered.

The actual legislation must be complied with by every company and institution and deals with these facts:

  • 4 percent of revenue or 20 million euros in fines must be paid IF personal data protection is violated
  • This new, already adopted regulation on citizens’ digital protection applies to the whole of the European Union; throughout the EU the legislation applies to authorities, citizens and businesses that keep personal data
  • The privacy regulation/legislation is ALREADY adopted in the EUROPEAN UNION and enters into force in 2018
  • It may take up to 1 year to implement new technology, so it may be too late to start on the changes in 2017

The EU’s intention with this overall privacy regulation is:

  • that all citizens and/or users MUST give specified consent to what data is collected and how such data can be used, to give citizens and/or users better digital protection against abuse
  • to stop the “recycling” of personal information for purposes that are not apparent from the consent, creating well-defined legislation under which fines can be imposed from the beginning of 2018 on those who do not comply with the guidelines
  • to make it easier for businesses, because there will be only one set of rules for the entire EU

Consumer transparency can be a nightmare for data security

From now on, under the EU Commission’s regulation on personal data, any type of registered user may require to see the data that companies have collected about them. This can be difficult to comply with, and we predict that the regulation as a whole will come under enormous pressure, because it will most likely not be possible for thousands of companies to show what data they have about each user.

Also, it will not be possible to make all user data viewable without, of course, making it more easily accessible via security holes and the like. This may mean that the regulation, which aims to protect citizens, contrary to its intention instead leads to even more data break-ins and exposes more personal data than before the regulation was introduced.

This is simply because companies must find a way to meet the requirements so that the collected data can be displayed via the Internet. The databases that will have to be created must be protected extremely well in order to resist hacking.

At the same time, it is commonly known that data from various types of industries will be known, and therefore obvious hacker targets, even before the regulation is legally binding for all EU businesses.

The purpose of creating peace of mind can be turned into anxiety

We therefore believe that the European Union’s intention to create peace of mind can become a threat of abuse for the citizens of the European Union. There are already major problems with data security, because any phone is open to interception of conversations, SMS, apps, passwords and the like, as revealed by the programme “60 Minutes.”

Because of this, consumers will be reluctant to buy, register and submit information on the Internet.

Unfortunately, our assessment is that this will hurt the competitiveness of the whole EU. The EU Commission’s present intention is the vision that the regulation will create new digital marketplaces as umbrella portals for peace of mind and protection of user information.

For this I think that the legislation is pierced by convergence-based applications (APPS), plugins and terms of use, which means that users are reluctant to give their consent, so that consequently there will be fewer who use APPS, software, portals and facilities on the Internet which can provide social savings and at the same time support the growth of digital services.

This has significance for the billion-euro turnover of the whole market for APPS and digital services. Free applications such as Google and payment-based apps such as games and services, and even open source software and general licence-based software, will probably notice a slowdown. That is our estimate, and we will see the same conclusion coming from many other risk advisory firms and business analysts.

A jungle of consents and contracts can scare users

The privacy regulation provides a fundamental right for users of the Internet, but places huge requirements on businesses and organisations to adopt IT policies for data security, and, as part of the regulation, the European Commission has called for a user system with unambiguous consent.

As it is today, we are forced to say YES to cookies to use even the most basic websites. Once you have clicked YES to cookies, very few know what they have said yes to … and thus not the consequences, or what the corresponding acceptance, and thus the sales and delivery conditions and statements concerning privacy, cookies and terms of use, actually covers.
The already adopted privacy regulation requires that companies or organisations must be 100% sure that the user has given consent to both the collection and the use of the personal data delivered.

  • How this can be administered in practice, the EU Commission says nothing about
  • How safety can be guaranteed, achieved or complained about, the EU Commission says nothing about
  • VERIO ® Privacy by Design and Privacy by Default fast-track certification in personal data can certify that the regulation’s conditions for personal data are adhered to.

Many service providers, banks, app developers, cloud services, software systems and user licences must also be adapted by the supplier. But it is still not clear who is going to pay a fine if, for example, a Microsoft reseller delivers a service to a customer: is it the retailer or the manufacturer? We expect these kinds of issues to be clarified after the summer.

Our fear is that ease of use when operating computers, phones, iPads and PCs can be set back for decades, or end up in a worse position than at the beginning of the 90s.

We recommend that you first of all contact one of our consultants; we will then send free recording sheets. These sheets cover the data that is subject to the legislation, which includes:

  • what the data is used for
  • which user statements it is associated with
  • how the data is used by the company or government, and by whom, where, when and why
  • risk analysis of storage, operation, servers, mirrors, backup and integration; this can be HR video, research results, statistics on user habits, etc.
  • Online, it must be possible for the user to use LOGIN systems for internal and external systems, so that any registered data can be deleted and modified.
  • Specify the new consents on the basis of the above. Data can be on multiple servers in multiple departments, internally and externally.
  • Clear legislation between the US and the EU according to the ongoing negotiations between those parties
  • A VERIO PLAN for implementing the processes and control measures to guard against the risk of violating the regulation

There is only one alternative to this EU privacy regulation

If companies and organisations completely stop collecting users’ information, they will not be covered by the EU Commission’s privacy regulation. But this can lead to:

  • a worse user experience that requires far more time at each site, software or APP.
  • daily retyping of simple information such as email address, language, credit card codes, etc.
  • other information, such as statistics, procurement statistics, lists of all kinds, preferred information and personal preferences, having to be re-entered from time to time

EVERYONE must now respond if they want to avoid fines next year. Many think that it is too short a time for bigger organisations, but the law is now in force and we all have to follow it.

The EU privacy regulation covers producers, dealers, NGOs, retailers, shops, advisers, commission-based sellers, intermediaries and any publishing company, shop or service on the Internet.

The privacy regulation will clearly and indisputably bring more costs to all parties, including companies outside the EU if they intend to continue delivering goods to the EU.

New user declarations, consents and conditions will result in costs for agile development and service design that will run into billions of dollars.

We guess about 150 billion euros in costs going to agile development, service design and management of new user statements, and new service design interfaces where user data must be transported from service to service, domain to domain or company to company; brand new service design acceptance routines and their administration. There is even a suggestion that consent be limited in time, so that the user must periodically reiterate their acceptance.

There may be many more issues, as there is no way to establish WHO is using your computer when there are family computers, multiple users, or multiple users at your company’s address. One or more users can therefore give conflicting permissions, which in practice may mean a user policy per login.

Privacy regulation requires a responsible Data Officer

An innovation in this regulation is the requirement to appoint a data protection officer (DPO) in businesses that handle large volumes of customer or citizen data. All public companies must have a DPO.

The DPO can be an employee of the enterprise or an external consultant. What is decisive is that the DPO must be able to operate independently of the company’s interests, report to the company’s executive management team, and also be the contact person for customers and partners, as well as for the national Data Protection Agency, which is responsible for supervising the regulation.

It will also be up to the DPO to keep track of whether the company complies with the provisions on personal data protection, and to ensure that the employees who are in contact with such data are trained in handling it correctly and securely, and that this training is effectively in force.

Service design with “privacy by design” and “privacy by default”

The Commission is also working with the concept of ‘privacy by design’, which means that personal data protection must be fundamentally embedded in any system architecture and design.

A similar concept is ‘privacy by default’, which means that personal data may only be stored for as long as it is relevant to the application.

This means that IT systems cannot simply accumulate personal information for future use, but must delete it when the purpose it was collected for has ended. No such data may be available to BI (business intelligence software) or other log/event/behaviour analysis software.
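The two ideas above, pseudonymous data (the data and the information identifying the person behind it kept separate) and privacy by default (data deleted once the purpose it was collected for has ended), can be shown in one small model. The following is an added example, not code from the page or from VERIO ®/Rekrutteringsfirmaet A/S, and everything in it is an assumption: the retention periods per purpose, the sample records, the fixed demo key, and the choice of a keyed hash (HMAC-SHA256) as the pseudonym scheme. The identity vault is the only component that can link a pseudonym back to a person, and the working dataset never holds a name or e-mail address; a purge drops expired records and unlinks identities that no longer have any data, while a subject-access lookup shows how "what do you hold about me?" can still be answered.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed retention policy (an assumption, not from the page): the number of
# days each purpose justifies keeping a record after it has been collected.
RETENTION_DAYS = {"order_fulfilment": 90, "newsletter": 365}


class IdentityVault:
    """The only place where pseudonyms can be linked back to real identities.

    Kept apart from the working dataset, so that a copy of the dataset alone
    does not identify anyone.
    """

    def __init__(self, key: bytes):
        self._key = key      # secret; in practice stored separately from the data
        self._links = {}     # pseudonym -> identity

    def derive(self, identity: str) -> str:
        # Keyed hash: deterministic for the same identity, but without the key a
        # pseudonym cannot be recomputed from a guessed identity (unlike plain SHA-256).
        return hmac.new(self._key, identity.encode(), hashlib.sha256).hexdigest()[:16]

    def pseudonymise(self, identity: str) -> str:
        pseudonym = self.derive(identity)
        self._links[pseudonym] = identity
        return pseudonym

    def resolve(self, pseudonym: str):
        return self._links.get(pseudonym)

    def linked_pseudonyms(self) -> set:
        return set(self._links)

    def forget(self, pseudonym: str) -> None:
        self._links.pop(pseudonym, None)


class PseudonymousStore:
    """Working dataset: holds pseudonyms, the purpose of collection and the payload."""

    def __init__(self):
        self.records = []

    def add(self, pseudonym: str, purpose: str, collected: date, payload: dict) -> None:
        if purpose not in RETENTION_DAYS:
            # Privacy by default: no record without a purpose that bounds its lifetime.
            raise ValueError(f"no retention rule for purpose {purpose!r}")
        self.records.append({"pseudonym": pseudonym, "purpose": purpose,
                             "collected": collected, "payload": payload})

    def records_for(self, pseudonym: str) -> list:
        return [r for r in self.records if r["pseudonym"] == pseudonym]


def purge_expired(store: PseudonymousStore, vault: IdentityVault, today: date) -> int:
    """Delete records whose purpose has lapsed; unlink identities with no records left."""
    kept, removed = [], 0
    for r in store.records:
        limit = timedelta(days=RETENTION_DAYS[r["purpose"]])
        if today - r["collected"] > limit:
            removed += 1
        else:
            kept.append(r)
    store.records = kept
    still_used = {r["pseudonym"] for r in kept}
    for p in vault.linked_pseudonyms() - still_used:
        vault.forget(p)   # nothing is left about this person, so drop the link too
    return removed


def subject_access(vault: IdentityVault, store: PseudonymousStore, identity: str) -> list:
    """What a user asking 'what do you hold about me?' should get back."""
    return store.records_for(vault.derive(identity))


def demo() -> dict:
    # Constructed sample data; the key is fixed only so the example is reproducible.
    vault = IdentityVault(b"constructed-demo-key-not-for-production")
    store = PseudonymousStore()
    today = date(2018, 6, 1)
    store.add(vault.pseudonymise("alice@example.com"), "order_fulfilment",
              date(2018, 1, 15), {"items": 2})     # 137 days old: past 90-day limit
    store.add(vault.pseudonymise("alice@example.com"), "newsletter",
              date(2018, 1, 15), {"lang": "da"})   # 137 days old: within 365 days
    store.add(vault.pseudonymise("bob@example.com"), "order_fulfilment",
              date(2018, 4, 1), {"items": 1})      # 61 days old: kept
    store.add(vault.pseudonymise("carol@example.com"), "order_fulfilment",
              date(2017, 12, 1), {"items": 5})     # 182 days old: expired
    before = len(store.records)
    removed = purge_expired(store, vault, today)
    return {
        "records_before": before,
        "removed": removed,
        "records_after": len(store.records),
        "identities_linked": len(vault.linked_pseudonyms()),
        "alice_records": len(subject_access(vault, store, "alice@example.com")),
        "carol_still_linked": vault.resolve(vault.derive("carol@example.com")) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the working dataset can be handed to analytics or a BI tool without the vault, and on its own it identifies nobody; re-identification requires both the key and the link table, which is what makes the split into two stores meaningful. The purge also removes the vault link once a person has no remaining records, so the retention rule is enforced on the identifying information and not only on the payload.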

Compliance with the basic privacy rules could prove to be extremely costly for small and medium-sized enterprises, who can be asked to demonstrate how privacy rules are complied with throughout system development in any part of the organisation in any country. The requirements can be complicated by the frequent use of subcontractors to handle both data and parts of the system development.

Companies can, however, also see an opportunity in living up to the new requirements: through a certification from the EUROPEAN UNION they could show consumers that they have a handle on personal data and that user data is in safe hands.

The lawfulness of the processing of personal data must be documented. Any failure to do so will have economic consequences for both industry and government.

IN BRIEF: In December 2015 the Council and the European Parliament reached agreement on the draft regulation. On 8 April 2016 the Council adopted its first-reading position. The draft regulation was subsequently adopted by the European Parliament on 14 April 2016. The Personal Data Regulation will thus take legal effect in May 2018. All companies and providers throughout the world are affected if they want to store, transport or process personal data about European citizens.

THE EU COMMISSION’S INTENTION: The draft regulation updates and modernises the principles of the old Data Protection Directive from 1995 by laying down the rights of natural persons and the obligations incumbent on those who process data and/or are responsible for the data processing. It also lays down which methods must ensure that the rules are complied with, and the scope of sanctions against those who violate the rules.

WHAT IS COVERED: Personal data as under the previous Personal Data Act, now with the addition of genetic data (for example DNA) and biometric data (for example fingerprints). In addition, the concept of “pseudonymous data” is introduced, which is a way of handling personal data where the data and the associated information that helps identify the persons behind the data are kept separate.

WHO IS COVERED: All EU citizens, and especially children: under the Personal Data Regulation, consent from children will be regulated separately from adults, which is why children under 13 cannot give consent to the processing of personal data in connection with online services such as games, children’s portals and, for example, app stores, etc. In addition, a requirement is introduced that so-called “Privacy Impact Assessments” be carried out in a number of situations where the processing of personal data may entail special risks for the individual.

24-72 HOUR NOTIFICATION OBLIGATION: Notification of serious data security breaches must be made within 72 hours to the national data protection authorities. Both companies and public authorities must in future ensure that the personal data protection rules are complied with, and document that this is done by means of internal procedures and privacy policies, also referred to as Privacy by Design and Privacy by Default.

PERMANENT STAFF AND CONSULTANTS FOR ASSURANCE AND DOCUMENTATION: VERIO® & TALENT FINDER® c/o Rekrutteringsfirmaet A/S is Denmark’s first with dedicated permanent staff and consultants for this legislation. We also offer a FAST TRACK PERSONAL DATA CERTIFICATION as well as FREE checklists so that nothing is forgotten. Read more below.




Danish companies must hurry if they are to make it

We are talking about a fraction of a percent of Danish companies that have begun to address the legislative challenges, and the beginning of 2018 in particular will show how many have made it.

Quotes from Director Michael Rasmussen, Rekrutteringsfirmaet A/S:

“New analyses in the EU show that only a few have started, and it can become very expensive if you do not start already this year, because it can take 1-2 years to implement in larger organisations”

“Only a few companies have analysed their own data, platforms and the actual requirements, and everyone now has the right to be told what data any company holds about them and to have it corrected or deleted”

“The actual analysis of the risks of processing and collecting data, and of where this data resides, in which departments and countries, how it is transported and used, and what grounds one has for collecting data, must be documentable, otherwise the law is broken”

“The demands on companies are great, and therefore they must start implementing solutions now.”


Requirement for a special DPO data protection officer

“Already now, many companies, as well as all public-sector organisations, must appoint a data protection officer (DPO). This is also a requirement in the new regulation if the company or organisation handles large amounts of personal data,” concludes Michael Rasmussen.

Start now and be ready on time

Fines of 20 million euros or four percent of turnover are the consequence of not being ready.

It is clear that companies must now hurry with the initial steps:

  1. Be familiar with the new law, teach their employees about information security and educate everyone in the organisation about it
  2. Appoint a data protection officer (DPO) for public-sector organisations and the private companies that are affected
  3. VERIO® holds courses on the Personal Data Regulation, which is already approved and enters into force on 6 and 24 May 2018 respectively.

The Personal Data Regulation requires the following

  1. A DPO (Data Protection Officer) must be appointed in all public authorities and private companies covered by the regulation
  2. The company or organisation MUST be able to document that it complies with the rules
  3. The user has the right to see what data has been collected, when and how, and to change it or exercise the right to be deleted
  4. Stronger requirements for consent documentation
  5. Requirement for privacy by design and privacy by default, which involves the entire company or organisation
  6. 24-72 hour obligations to inform the Data Protection Agency
  7. In some cases also the data subjects, in the event of data security breaches (hacker attacks, etc.)
  8. Providers must have parental consent to create information about children under 13-16 years. Member states can choose to lower the 16-year requirement to 13 years
  9. For multinational groups and cross-border personal data transactions, separate documentation must be provided for all countries


VERIO® does it all for you

The Personal Data Regulation has a very broad scope, covering all companies and organisations as well as all public authorities. There are exceptions for the police, intelligence services and prosecution authorities. VERIO® recommends that you get started with the work as soon as possible, because it can take up to 2 years to implement and the legislation takes effect from the beginning of 2018.

Contents of the VERIO® 10-point programme:

  1. VERIO® carries out an overall risk analysis based on the specific IT policy, data flows, website structure and the internal networks, including whether data crosses borders
  2. VERIO® makes a legal analysis of which changes in the regulation affect your company
  3. VERIO® prepares to-do lists that can be distributed to the individual departments or persons
  4. VERIO® prepares relevant training and process diagrams for where and which personal data is processed in the organisation, and maps the entire process across the company and/or national borders
  5. If the company carries out research, a mapping must be made of the data obtained in the past, together with a future plan for this
  6. VERIO® analyses the risks of data security breaches, unlawful processing, unnecessary accumulation of information and data linked to persons
  7. VERIO® makes it possible to comply with the rules in practice
  8. VERIO® carries out a BIG DATA analysis to map log files, and that alone can often generate measurable added value by creating an overview of unexploited data
  9. VERIO® prepares a specified offer stating the resources to be used. These can then be hired as permanent staff or consultants via VERIO®, Talent Finder® or Rekrutteringsfirmaet A/S.
  10. VERIO® creates a process mapping that includes data flows from/to: A) SUPPLIERS

The total package price for the above is DKK 50,000 – 250,000 depending on resource consumption, the number of audits and whether existing employees have the necessary skills.

Benefits beyond complying with applicable law

Based on the above, it may be necessary to renegotiate and/or modify agreements, and/or terminate agreements, because they may not meet the new requirements, and there may be a risk that your company incurs fines as a result of unresolved contractual relationships with suppliers or unclear agreements within server hosting, IT outsourcing, backup and local network operation.

The Personal Data Regulation contains many requirements, and VERIO® ensures FASTTRACK certification, documentation and sign-off based on the above. It can be expensive to do nothing.

The EU legislation moves control away from the local authorities and out to the company itself, and this affects everyone, not just in the EU but the whole world, if data is stored, processed or distributed in the EU.

The Court of Justice of the EU has issued rulings in several cases, including Schrems (the Facebook/Safe Harbor case) and Digital Rights (on the Data Retention Directive), and the field of data protection is subject to far-reaching legal requirements. Being able to comply with these requirements places great demands on all companies and public institutions.

Most of our clients will, however, be able to see an advantage in simultaneously rolling out BIG DATA projects, which can provide considerable added value for most companies.

But one thing is certain: all companies MUST implement, and not least document, that they can disclose the collected data, when and how it was collected, that they can change this data and that they can delete it. This must be offered on the company’s website and incorporated into new user licences, etc.

One should remember that one has only complied with the Personal Data Regulation if the documentation for this has been completed.

The responsibility is unambiguously yours. With the regulation, responsibility, not only for compliance with the rules but also for the verification and documentation thereof, is definitively moved AWAY from the Data Protection Agency and out to the individual data controllers.


