All organisations process personal data such as data on employees, clients, potential clients, suppliers etc. Some organisations carry out limited processing of personal data. Other companies collect, store and use personal data and related data as a central part of their business model, either because such data is a part of their products/services and/or the data gives important input to the development of their own products and services. This information might also be relevant for others, a factor which has led to personal data and services derived therefrom increasingly being seen as a tradable good. One of the characteristics of this development is that companies handling large amounts of data utilise external suppliers offering a large and effective storage capacity.
The laws regarding processing of personal data are moving towards the use of stricter regulation, including harsher documentation requirements, in addition to stricter sanctions for breach of the regulations. This leads to increased requirements on companies. Although the challenges may vary depending on the scope of a company's processing of personal data, no company is unaffected.
Based on our experience, the areas where assistance is most often needed are:
- Strategy analysis and leeway
- Establishment and documentation of systems for internal control
- Drafting and adapting agreements, including data processor agreements
- Transfer of personal data outside the EU/EEA
- Notification duties and obligation to apply for a licence
- Control measures in the work space, including accessing employee e-mails
- Collection, storage and use of huge amounts of data (including so called "big data")
- The use of cloud services
- The handling of security breaches
Wikborg Rein has written the Norwegian chapter of ICLG's 2017 edition regarding data protection, available at https://iclg.com/practice-areas/data-protection/data-protection-2017/norway