GDPR: The General Data Protection Regulation in Practice
John Arthur Berg, Data Protection Officer
Data Protection Officer (Databeskyttelsesrådgiver)

Mandatory for:
  Public authorities or bodies
  Processing that requires regular and systematic monitoring of data subjects on a large scale
  Large-scale processing of special categories of data

May be in-house or outsourced. An independent position: the DPO is not responsible for compliance but acts as an "ombudsman".

Tasks:
  Inform, advise and educate the organization on how best to ensure compliance
  Monitor compliance
  Provide advice and answer questions from our own organization and from customers
  Cooperate with data protection authorities
  Give input, when requested, on data protection impact assessments
Controller vs. Processor
  Controller (Dataansvarlig): the organization(s) that determine the purpose and means of processing the data.
  Processor (Databehandler): an organization that processes personal data on behalf of the controller.
1. Get an overview
  What is the status of compliance under the current regulations?
  Do we have established processes and documentation for data privacy?
  Document and assess all current processing of personal data.
  Which systems are involved in processing data, and how does data flow between them?
  Do we have a Data Protection Officer? Do we need one?
2. Define the purpose and lawful basis for processing, and assess the types of data processed
  There may be several purposes involved in processing data; treat them as separate silos.
  Lawfulness: there are 6 lawful bases for processing data.
  Document the types of data being processed.
  Ensure that this information is easy to access for all users; transparency is the key.
  (If the types of data do not map to the purpose, either your purpose is wrong, or you are illegally processing too much data.)
3. Ensure appropriate technical and organizational security
  Implement appropriate data protection policies.
  Be able to demonstrate that processing is performed in accordance with GDPR.
  Responsibility passes on to processors.
4. Establish Data Processing Agreements
  Only use processors that implement technical and organizational measures that meet the regulation and ensure the protection of data subjects.
  Processing must be governed by law or by a legally binding contract that sets out the nature and purpose of the processing, the types of personal data and categories of data subjects, and the rights and obligations of the controller.
5. Inform data subjects about their rights
  Data subjects have a right to transparency.
  A range of information should be available to data subjects.
  Data subjects must be informed about their rights.
6. Put procedures in place
  Procedures related to organizational and technical security
  Performing a DPIA (risk assessment) when acquiring new technologies
  Handling data subjects exercising their rights
What to expect from itslearning
As a processor (offering itslearning to customers):
  Ensure, and be able to demonstrate, appropriate organizational and technical security.
  Help customers with the documentation needed to demonstrate compliance.
  Revise our Data Processing Agreements and all DPAs we have with 3rd parties.
  Revise any privacy policies related to our products, and any information to end users on their rights.
  Document and enforce processes for:
    ensuring organizational and technical security
    ensuring we only process data on the controller's request
  Revise our product development processes to include security by default and by design.
  Notification of personal data breaches.
  Deleting user data or customer data on customer request or at end of contract.