GDPR for control systems
General Data Protection Regulation (GDPR)
The EU General Data Protection Regulation was incorporated in Norwegian law in May 2018.
This replaced the previous regulatory framework and introduced new obligations for businesses and new rights for the people whose information a business processes.
All companies therefore have to study the new legislation and find out which obligations apply to them. Management has to make sure that procedures are put in place to meet these obligations, and must notify employees of the changes.
Maintaining an overview of the personal data being processed is one requirement. You have to describe where personal data has come from, who it applies to, where it is stored and the legal basis for its processing.
All data processors have obligations that require the company to have procedures for the collection and use of personal data, and that oblige them to notify the client if they receive instructions that contravene the law.
The 2018 regulation requires all public bodies and authorities to appoint a data protection officer. For private organizations, this is a requirement if the core business involves, on a large scale:
- Systematic monitoring of personal data
- Processing of sensitive data
This officer is required to be included in all issues relating to the protection of personal data, but the data processor or data controller is nevertheless responsible for ensuring compliance with the legislation. The Norwegian Data Protection Authority urges all companies that process personal data to any great degree to appoint a data protection officer, even if they are not obliged to do so by law.
Focus on privacy
The regulation requires all measures and systems to be designed with an emphasis on privacy, and the most privacy-friendly option must be selected by default.
If planned processing of personal data could pose a risk to an individual's rights, there is an obligation to assess the impact on privacy. The Norwegian Data Protection Authority must be consulted in advance if the assessment shows that the processing would result in high risk. The Norwegian Data Protection Authority then undertakes to provide written guidance.
All non-conformities due to data security breaches must be documented, and the action taken must be described. If the non-conformity involves a risk to the rights or privacy of individuals, the matter must be reported to the Norwegian Data Protection Authority within 72 hours.
Individuals have the right to demand that their own personal data be deleted. Responses to all inquiries from data subjects must be provided within one month. Transfer of information from one supplier to another (data portability) can also be demanded.
We recommend that all companies should review their data security procedures and ensure that they are compliant with the points described above.