Here are 3 things your company is doing that are illegal
By now you have probably heard of the General Data Protection Regulation (GDPR), but you may not be aware of all its implications. Many perfectly ordinary working procedures found in most organisations can now result in fines.
Read on to learn about three typical pitfalls you should be aware of, and what you can do about them.
1. You send employment contracts and other personal documents via unencrypted e-mail
It is already illegal today to send sensitive personal data over unsecured digital systems and channels, and that includes e-mail whenever the message is not encrypted or protected in some other way. Note that "encrypted" here means the content itself is protected (end to end, or at least at rest wherever it is stored): opportunistic TLS between mail servers protects only the hop between servers and does not protect a message sitting in an inbox, a backup or a forwarded copy. Personal data protected by the GDPR, whether it falls into the sensitive (special) categories or not, is found in employment contracts, for example, and health details and sick-leave records count as sensitive data.
With the introduction of the GDPR, the penalty framework has been raised significantly: fines of up to 20 million euros or 4% of global annual turnover, whichever is higher, are possible, so a breach can be very costly for your company.
What should you do?
Your company needs to ensure that it uses a secure system to send and receive these types of documents. You can use a tool that encrypts the content of e-mails, for example, or you can send documents through a secure platform such as e-Boks. Using e-Boks safeguards communication both to and from customers.
2. You send customer lists on various spreadsheets via unencrypted mail
As with employees' personal data, it is also illegal to distribute customer lists containing personal data over unsecured digital channels. If the customer list contains no personal data at all, it is not covered by the GDPR; bear in mind, however, that names, e-mail addresses, phone numbers and other details that identify an individual (including a named contact person at a business customer) are personal data, so most customer lists are covered.
What should you do?
In short, your company needs to ensure that it uses a secure system to send and receive these kinds of documents. You can use a system or tool such as e-Boks, which encrypts the content of your communication.
3. You collect personal data about customers or users without their consent
Why is this illegal?
You may have a system or website where customers have given feedback about your solution, and you have then kept this personal data. If that data is stored in a database and later used by the company for a different purpose, such as the basis for developing a new product, you may have processed it unlawfully, because the original consent did not cover that new purpose.
The individual user must give clear consent for the company to collect and use their data. Consent must be freely given, specific, informed and unambiguous, expressed by a clear affirmative act: silence, inactivity or a pre-ticked box does not count, and for sensitive personal data the consent must be explicit.
The individual has the right, at any time, to know what personal data the company has registered about them.
Registered individuals (data subjects) also have the right to request erasure, for example when they are no longer a customer and the data is no longer needed for the purpose it was collected for, or when they withdraw their consent. In GDPR language this is called the "right to be forgotten".
It is up to your company to document that it has obtained consent for the data it registers and processes; if you cannot show when and how a user consented, you cannot rely on that consent.
What should you do?
Your company needs to ensure that it has obtained consent before collecting personal data from the user. When your company wants to collect personal data, you must tell the customer the purpose for which the data will be used, who will process it, which kinds of personal data will be collected, how long it will be kept, and how they can withdraw their consent.
- For more than 20 years, we have helped public authorities and businesses securely digitise their communication flows.
- We proudly provide the governments of Denmark, Greenland, Norway, Sweden and Ireland with national digital post solutions.
- Renowned international banks, insurance companies and energy service providers have chosen to use the e-Boks platform instead of pursuing their own solutions.