
The Personal Data Act and GDPR, how do we stand in Norway?

Kevin Larsen
Last Updated
April 16, 2024

Companies and organizations face an ongoing challenge in navigating the privacy landscape. GDPR, which in 2018 became a pioneering data protection regulation, fundamentally changed the way personal data is handled across borders.

While the intention was to strengthen and harmonise data protection for individuals within the EU, its implementation has revealed multiple layers of complexity for businesses.

GDPR Compliance Status

After 5 years, we see that the EU and its member states' supervisory authorities have moved from a supportive role to actively enforcing the rules.
Fines for non-compliance have reached the billion-dollar range, proving that the sanctions are not symbolic. Despite this, many businesses still struggle to meet all the requirements.

“Up to 80 percent of the country's 175,000 small businesses are likely violating privacy policies every single day”

Says Tom Bülow-Kristiansen from Adminkit.

“After analyzing the websites of over 500,000 Norwegian businesses, we found that more than HALF violate privacy rules by sharing data about their users with Google, Facebook and similar platforms without user consent.”

In late 2022, Cookie Guard performed an analysis of Norwegian websites and wrote an article about the results, focusing on cookies used for marketing purposes. Consent and the processing of cookies are only one aspect of the Privacy Act.

Typical Business Challenges

  1. Lack of clarity: vagueness in legal language leads to uncertainty about what the obligations from privacy regulations actually entail.
  2. Resource requirements: small and medium-sized enterprises (SMEs) often find it challenging to allocate sufficient resources to comply with the GDPR's requirements.
  3. Data management and storage: keeping track of where and how data is stored and processed is a major challenge, especially for companies that did not previously have robust data processing routines.
  4. Technological challenges: integrating systems and processes that enable data portability, the right to be forgotten, and consent processing requires technological solutions and expertise.

Typical problems that need to be fixed

Consent management

Companies need to improve their processes for collecting, managing and documenting consent. Many “Cookie Banner” solutions do not meet the requirements.

Without consent, personal data cannot be collected. In practice, this means that typical tools such as Google Analytics and Facebook Pixel cannot be loaded until consent is given.

The exception is system-necessary cookies, such as a cookie used to manage consent.

The requirements, as explained by the Norwegian Data Protection Authority, are that valid consent must be the following:

  • voluntary
  • specific
  • informed
  • unequivocal
  • given through an active action
  • documentable
  • possible to withdraw consent as easily as it was given
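What "not loaded until consent is given" can look like in client code, as an added example that is not from the original article: a gate that loads a tag only after an explicit per-purpose grant, keeps a timestamped record so consent is documentable, and makes withdrawal a single call. `ConsentGate`, `TAGS`, the injected `loadScript` function and the URLs are hypothetical names and constructed values.

```javascript
// Added example. TAGS maps each consent purpose to the scripts it unlocks.
// The URLs are constructed placeholders, not real vendor endpoints.
const TAGS = {
  analytics: ["https://analytics.example/tag.js"],
  marketing: ["https://pixel.example/px.js"],
};

class ConsentGate {
  // loadScript is injected: in a browser it would append a <script> element.
  constructor(loadScript, clock = () => new Date().toISOString()) {
    this.loadScript = loadScript;
    this.clock = clock;
    this.granted = new Set(); // purposes currently consented to
    this.loaded = new Set();  // script URLs already injected on this page
    this.log = [];            // audit trail: what was granted or withdrawn, and when
  }

  record(action, purpose) {
    this.log.push({ action, purpose, at: this.clock() });
  }

  // Call only from an active user action (a click on that purpose's toggle),
  // never from a default-on setting or a "continue browsing" heuristic.
  grant(purpose) {
    if (!Object.prototype.hasOwnProperty.call(TAGS, purpose)) {
      throw new Error(`unknown purpose: ${purpose}`);
    }
    this.granted.add(purpose);
    this.record("grant", purpose);
    for (const url of TAGS[purpose]) {
      if (!this.loaded.has(url)) {
        this.loaded.add(url);
        this.loadScript(url); // first moment the third party sees the visitor
      }
    }
  }

  // Withdrawal is one call, as easy as granting. A script that has already
  // executed keeps running until the page reloads, so the caller is told.
  withdraw(purpose) {
    const had = this.granted.delete(purpose);
    if (had) this.record("withdraw", purpose);
    const needsReload = had && TAGS[purpose].some((u) => this.loaded.has(u));
    return { needsReload };
  }
}
```

Nothing is requested from a third party when the gate is constructed; the first network call for a purpose happens inside `grant`.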

Visibility of information and transparency

Before personal data can be processed, the company must define clear purposes for the collection or storage of the personal data. These must be concrete and real.

If the company collects personal data, this must be clearly communicated to individuals. This can be done in several ways, but the Norwegian Data Protection Agency recommends that a privacy statement be set up.

Example from our Privacy Policy

Data mapping and classification

It is crucial to have a mapping of what data is collected, where it is stored, and for how long it is stored. This needs to be presented in a visible way to individuals.

If the processing of data is carried out by a third party or subcontractor, the company must conclude a data processing agreement between the controller and the data processor.

The Norwegian Data Protection Authority has some simple examples of when a data processing agreement must be concluded:

Example 1
A business must enter into a data processing agreement if they use a marketing firm to send out marketing on their behalf.
Example 2
An enterprise must enter into a data processing agreement if it uses another company's cloud service to store customer data.

Read more about the Data Processing Agreement here

Basis for processing

There must be a basis for processing each individual item of personal data for each individual purpose. The company must have identified whether there is a basis for processing before collecting the data.

Companies are also obliged to inform individuals about the basis on which their personal data is processed.

The Norwegian Data Protection Authority has an example:

Example
A member association processes name, email address and postcode.

- The purpose of names is to know who is a member of the association. The association cannot fulfil its membership agreement without knowing who its members are. The association comes to the conclusion that the basis for processing is “necessary for agreement”.

- The purpose of the email address is to send out marketing. The association has come to the conclusion that the basis for processing is “consent”. It also means that the business must respect the individual's wishes if consent is withdrawn. The business cannot change the basis for processing if consent is withdrawn or consent was not validly obtained.

The Way Forward

In a larger perspective, GDPR has a noticeable global impact, inspiring similar legislation around the world.

Stricter requirements are imposed on international data transfers and the handling of personal data. Therefore, companies must also be aware of international trends and legislation to ensure global compliance.

“The European Privacy Council has now decided that the Norwegian ban on behavioural marketing on Facebook and Instagram will be made permanent and extended to the entire EU/EEA.”

Read more about the decision on the Norwegian Data Protection Authority's pages.

Conclusion

GDPR has set a new standard for privacy and data protection. After five years, a significant amount of work still remains before all businesses can ensure full compliance.

While there are challenges, GDPR also offers opportunities for companies to improve their operations and build stronger relationships with customers based on trust and transparency.

By embracing GDPR's principles, businesses can not only avoid fines but also position themselves as leaders in ethics and privacy -- an increasingly valued trait among consumers.

Attributions

Freepik