Personal data is an increasingly valuable – and increasingly risky – business asset. Keeping up-to-date with current rules can be challenging, and a data breach puts the company in a vulnerable position.
DLA Piper has experts in data protection and privacy around the globe, with a strong presence in Europe. We combine our global network with our deep understanding of the legal challenges our clients face. Our long-standing experience in the field of data protection and privacy gives our clients the optimal conditions for qualified, operational and meaningful advice. Our experts therefore tailor their advice to your needs, putting your business in a strong position and in compliance.
International experience with compliance
Our colleagues around the globe are involved in the local compliance cultures and maintain close contact with local legislators in Asia, Europe and the U.S. They have played an important role in the development of data protection and privacy rules in multiple countries. In recent years our local data protection teams have worked together with great success to assist more than 100 multinational organisations in developing and implementing global compliance programmes to protect personal data and security, including carrying out risk assessments, developing global policies and implementing effective international data transfer strategies.
Our core areas of advice include:
- The GDPR
- Audit and data mapping
- Compliance programmes and policies
- Cybersecurity and the prevention of data loss and data breaches
- Online tracking and consumer protection
- Agreements on international data transfers
- Whistle-blower arrangements, employee monitoring and screening
Legal advice on the GDPR
The General Data Protection Regulation (GDPR) is the core of data protection and privacy. With DLA Piper as your legal adviser, your company is in a strong position. We have in-depth knowledge of this complicated legal area within data protection and privacy, and we have outstanding practical experience in translating the complex rules of the GDPR into practical, manageable solutions for our customers.
Personal data is the core of the GDPR. But what does the term "personal data" actually cover? Generally, personal data is defined as any kind of information about an identified or identifiable person. Going into detail, several types of personal data have been defined:
- Sensitive data, for example information about a person's political opinions, religious beliefs, or data concerning sex life or health.
- General data, which covers all other types of information, such as name, e-mail, gender, age, etc.
- Data concerning criminal convictions and offences, for example criminal records and video footage of a person committing a criminal act.
The list above is not exhaustive. In the GDPR you can read more about all types of personal data. Article 9 describes the particularly sensitive categories of data, whereas article 6 deals with general data.
In addition, Civil Registration Numbers are a special category of personal data regulated by Danish law.
How can we help you?
At DLA Piper, we have the knowledge and experience it takes not only to make your business comply with the GDPR, but also to stand strong against hackers without limiting day-to-day operations. Our data protection teams are experts in the field of data protection and security, and they are used extensively both as advisers and as teachers of the data protection rules. Areas we cover include:
- Compliance with and implementation of the GDPR: At DLA Piper we offer your organisation a thorough GDPR compliance check which includes both legal and technical insights. We uncover your company's data protection related risks by reviewing your existing IT organisation and structure. In addition, we advise on the implementation of the GDPR in practice, including within heavily regulated sectors such as the financial sector and life science.
- Compliance audits: We conduct audits and reviews to prepare your organisation for a visit by the competent supervisory authorities. In this context, we furthermore seek to identify any further possible improvements to existing compliance programmes and advise on how to increase their efficiency.
- Specific audits: We audit a specific topic in order to identify any possible regulatory non-compliance in your organisation and determine the cause of such non-compliance. We advise on how similar instances of non-compliance may be avoided in your organisation, for example through recommendations and specific proposals for changes to your workflows.
- New trends and technologies: New ways of using data appear regularly. We always follow the latest developments and advise on new types of digitisation and technology, including biometrics, automation, IoT, big data, blockchain, and artificial intelligence.
Data Protection Officer
We advise companies on the need for and implementation of a Data Protection Officer (DPO).
Full compliance with the data protection rules is challenging, and many organisations make mistakes in their attempts to comply with the rules of data protection law.
Three common mistakes we see are:
- Lack of documentation: According to the GDPR, an organisation must be able to document that it complies with the data protection rules. This documentation may in some cases take the form of drafted documents, but this is not always enough. It is often necessary to document compliance with the data protection rules in practice, for example by being able to demonstrate correct configuration of IT systems and up-to-date employee knowledge.
- Risk assessment: The GDPR is risk-based. This means that the greater the risk to the persons whose personal data is being processed, the higher the priority your organisation should give to compliance with the GDPR.
- Overlooked processes: It is challenging to communicate data privacy rules to all parts of your organisation, and often some processes in an organisation are overlooked. This does not mean, however, that processes should not be prioritised: critical processes should be given higher priority than less critical, but identified, processes.
Specific examples of what we can assist your business with include:
- Compliance programmes
- Personal data in relation to:
  - research and life science
  - credit information activities
- Advice regarding notice and inquiries from the Danish Data Protection Agency
- Agreements on personal data, including data processing agreements and agreements on joint data liability
- Training and education
- Applications and requests for approval to the Danish Data Protection Agency
- Policies for handling personal data about employees, e.g. in connection with resignations
- Whistleblower arrangement
- Advice regarding the use of cloud computing
- Transfer of personal data when outsourcing
- Advice on international data transfers
- Use of data processors
- Security requirements and handling of data breaches
- Drafting of privacy notices and guidelines
- Use of CCTV
- Processing of special categories of data
- HR and processing of employee data
It has become very important to meet the rules of the GDPR. This is particularly due to three reasons:
- Reputation: Your organisation's reputation and public perception of the organisation are crucial. They can, for example, affect your organisation's ability to attract and retain customers, recruit the best employees, and enter into trustworthy relations with other parties. Failure to comply with the GDPR can be devastating to your company's reputation, especially in the case of a data breach. On the other hand, a high level of data security and compliance with the GDPR can positively affect society's trust in the organisation's handling of personal data.
- Significant fines: The GDPR contains significantly more severe penalties for organisations not complying with the rules. Before the GDPR entered into force, sanctions were relatively insignificant, but companies now face fines of up to 4% of annual global turnover or EUR 20 million, whichever of the two amounts is higher.
- Loss of data: Compliance with the GDPR should be seen as protection of data in general, not only personal data. It is important to guard data against loss, as a data breach could compromise business secrets or other confidential information. Serious data loss can result in both sanctions and claims for damages.
The GDPR introduces a number of requirements for companies’ collection, storage and processing of personal data.
One example is the requirement of 'accountability', which means that the data controller must take responsibility for the company's processing of personal data. This requires control of the data and requires that the company is able to document this control.
Here, the DPO enters the picture. A DPO must have expert knowledge of both data protection law and the practical implementation of the applicable rules in the company.
When to hire a Data Protection Officer?
The GDPR requires a DPO to be appointed in a number of specific cases. But it is important to know that the requirements for data accountability apply to all companies, including companies that are not obliged to appoint a DPO. Therefore, all companies should consider whether it is a good idea to appoint a person who, like a DPO, can assist with compliance with the GDPR.
All public authorities, except the courts, must appoint a DPO. However, it is possible to appoint a common Data Protection Officer for several authorities.
Contact DLA Piper’s personal data team
If you have any questions on whether your company complies with the law, or if you want to know more about the data protection rules in Denmark and the EU, you are very welcome to contact our team of experts for a non-committal talk. We have provided advice and training on data protection for many years to both Danish and foreign companies across various industries.