Many completely normal working procedures found in most organisations can now result in fines. This is the consequence of a new, strict penalty framework to be introduced when the new personal data regulations come into force in 2018. Read on to learn about three typical pitfalls you should be aware of – and what you can do about them.

1. You send employment contracts and other personal documents via unencrypted e-mail

Why is this illegal?

As a matter of fact, it is already illegal today to send sensitive personal data via unsecured digital systems and channels, including emails that are not encrypted or protected in some other way. Personal data protected by the new regulations, whether sensitive or not, can be found for example in employment contracts, health details and sick leave information.

With the introduction of the new personal data regulations, the penalty framework has been significantly increased, and this can lead to large fines for your company.

What should you do?

Your company needs to ensure that it uses a secure system to send and receive these types of documents. You can use a tool that, for example, encrypts the content of emails, or you can send documents out via a secure platform such as e-Boks. Using e-Boks safeguards communication both to and from customers.


2. You send customer lists on various spreadsheets via unencrypted mail

Why is this illegal?

As in the case with employees’ personal data, it will also be illegal to distribute customer lists with personal data via unsecured digital channels. However, if the customer list does not contain personal data, it will not be affected by GDPR.

What should you do?

In short, your company needs to ensure that it uses a secure system to send and receive these kinds of documents. You can use a system or a tool such as e-Boks, which encrypts the content of your communication.


3. You collect personal data about customers or users without their consent

Why is this illegal?

You may have had a system or website where customers have given feedback about your solution, and you have then kept this personal data. If this data is stored in a database and later used by the company for another purpose – such as the basis for developing a new product – you may have processed this data illegally without the necessary consent.

The individual user must give their clear consent for the company to collect and use their data. Any such consent must be explicit and not merely implied.

The individual has the right, at any time, to know what personal data the company has registered about them.

Registered individuals (data subjects) also have the right to ask to have their data deleted if they are no longer a customer of the company. In GDPR (General Data Protection Regulation) language, this is called the “right to be forgotten”.

It is up to your company to document that it has received consent for the data it registers and processes.

What should you do?

Your company needs to ensure that it has obtained consent to collect personal data from the user. When your company wants to collect personal data, you must inform the customer of the purpose for which the data will be used, who will process the personal data, and which kinds of personal data will be collected.