Kristin Mossing Berntsen, Chief Information Officer at MHWirth (left) and Bjørg Hansen, Vice Predident HR, IT, and Communication at MHWirth.

The possibility of a EUR 20 million fine has drawn heavy attention to the EU General Data Protection Regulation (GDPR), which will enter in force May 2018.

“We are taking this very seriously. Personal data is a serious topic, and the fines for non-compliance are severe,” says Bjørg Hansen, Vice Predident HR, IT, and Communication at MHWirth.

She was among some 20 people attending a GDPR workshop at GCE NODE in Kristiansand Wednesday. MHWirth has established a project to make sure the company is compliant with the new directive.

“New agreements, new contracts, new procedures, new internal processes. These are some of the practical consequences of the new directive. The effect is a higher awareness of what kind of data we store and how we store it – which is positive,” says Hansen.

The GDPR workshop was not her first seminar or workshop on the topic.

“I appreciate this initiative from GCE NODE and partners to bring attention to GDPR. It is important for all businesses to learn more about this,” says Hansen.

GDPR is referred to as ‘the most important change in data privacy regulation in 20 years’. ​The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the former directive was established (1995).

(Story continues below image)

“The price of data storage is decreasing, but risks, demands and fines for non-compliance are increasing rapidly,” says Nina Mathiesen, Entreprise Content Manager at Evry.

These are some of the most important things you need to know about GDPR:

EXTENDED JURISDICTION: Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.

HUGE FINES: Organizations in breach of GDPR can be fined up to 4 per cent of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of privacy by design concepts.

CONSENT: The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.​

BREACH NOTIFICATION: Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.

RIGHT TO ACCESS: Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.

RIGHT TO BE FORGOTTEN: Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.

DATA PORTABILITY: GDPR introduces data portability – the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine readable format’ and have the right to transmit that data to another controller.

Morten Kjær Enger, Attorney at Advokatfirmaet Kjær (law firm), presented the legal issues related to GDPR.