The EU's regulation for data protection, GDPR (General Data Protection Regulation), will result in Norway implementing new data protection rules that come into force in 2018. The rules will apply to all undertakings that collect or use personal data concerning EU/EEA citizens. As undertakings we will have new duties, and all EU/EEA citizens whose personal data is registered will have new rights.
The Data Inspectorate has summarized the new rule changes in the following 10 points.
- GDPR will apply to all Norwegian undertakings.
All undertakings are obliged to familiarize themselves with the new legislation and determine which new requirements apply to them. The undertaking must put into place procedures to comply with the new requirements, and ensure that all employees follow the new procedures when the act comes into force.
- All undertakings must have a comprehensible privacy statement.
Information on how the undertaking processes personal data must be easily accessible and written in a comprehensible way. The new legislation imposes more stringent requirements on the form and content of information than current legislation. All information that is provided to children must be adapted to the children's comprehension level.
- The undertaking must consider risk and data protection consequences.
If an action poses a major risk to data protection, the undertaking must also investigate which data protection consequences it may have. If the investigation shows that the risk is significant and the undertaking is unable to mitigate it, the Data Inspectorate must be involved in preliminary discussions.
- The undertaking must integrate data protection in new solutions.
The new rules demand that new measures and systems must be designed in a manner that is as beneficial as possible for data protection. This is called integrated data protection. The most data protection-friendly setting must be the default in all systems.
- Many undertakings must establish a data protection ombud.
All public and many private undertakings must establish a data protection ombud. A data protection ombud is the undertaking's data protection expert, and a link between the management, the data subjects and the Data Inspectorate. The ombud can be an employee or a professional third party.
- The regulations also apply to undertakings outside of Europe.
Undertakings located outside of Europe must also comply with the GDPR rules if they offer goods or services to citizens in an EU or EEA country. This also applies if they do not provide services directly, but monitor the online behaviour of European citizens. Those who are established in several countries in Europe should only have to deal with the data protection authority in the country in which they have their European headquarters.
- All data controllers will have new duties.
Data controllers are undertakings that process personal data on behalf of the responsible undertaking. These are often providers of IT services. The new rules order the data controllers to have procedures for the collection and use of personal data. Data controllers must also inform their clients if they receive instructions that contradict the law. The client must also approve the data controller's subcontractors. Data controllers may also be subject to financial liability along with the client.
- Undertakings should collaborate in own networks and follow industry standards.
The new rules encourage industry-specific design of guidelines and industry standards. If one chooses to follow industry standards, the most important procedures will be in place. The Data Inspectorate must approve the industry standards.
- All undertakings will be subject to new requirements toward handling breaches.
The rules for handling security breaches will become more stringent. GDPR imposes requirements on when notifications must be provided, what notifications must include, and who is to be notified.
- All undertakings must be capable of complying with the citizens' new rights.
The right of the individual to demand that personal data is deleted is strengthened. This is called “the right to be forgotten.” Among other things, Norwegian and European citizens may demand to transfer their personal data from one provider to another using a commonly used file format. This is called “data portability.” They may also opt out of profiling. All enquiries from citizens must be answered within one month.
Detailed information on the new data protection rules is available on the Norwegian Data Inspectorate's website: www.datatilsynet.no