Enforcing the GDPR in a trust-based culture like Denmark

Written by Stine Mangor Tornmark on May 19, 2020

Henrik Rubæk Jørgensen has worked professionally with data protection for 11 years, well before data protection became a mainstream topic. With an impressive CV that includes Plesner Law Firm, the Danish Data Protection Authority, The Lego Group, and Leo Pharma, he has recently started as a partner in White Label Consultancy.

We spoke to him to hear his perspective on the GDPR's impact on Danish companies, its enforcement by the Danish Data Protection Agency, and what companies can do to tackle some of the challenges that the GDPR brings.

Question: You have just taken on the role of partner at White Label Consultancy. What made you decide to take on this exciting role?

I had been speaking with the managing director at White Label about the opportunity for some time, and it felt like the right time to jump in; it was too good an opportunity to pass up. All the partners and consultants working at White Label have a minimum of 5 years of experience working with data protection and cybersecurity at big and well-known companies. Working with people who have this similar and unique work experience appealed to the specialist in me. So it made sense for me to join the company.

Question: Having worked at the Danish Data Protection Agency, as an attorney in one of Denmark's biggest law firms, and as DPO at two of Denmark's biggest corporations, how have you seen the GDPR impact Danish companies?

To some extent, I think that the GDPR works against something that is deeply ingrained in Danish culture. We are, as a people and in business, very much trust-based. I am not saying that the GDPR is against trust, but it puts a lot of emphasis on things like accountability and being able to prove that you've done what you're supposed to do. That puts extra pressure on Danish companies, because it's not just about setting up some new rules but also a change in how we think about work and our work processes.

Most Danish companies started working with GDPR in 2017 and got busy with implementation a few months before the deadline. A lot of companies have succeeded in implementing GDPR in time, and it is good work, but I think the approach for many has been a bit rushed. This has, I think, affected how GDPR is generally perceived by businesses.

When you set up new processes, people need time to work with them. And I don't think people had enough time to implement the GDPR. I also think that companies need to focus more on the strategic aspect of the GDPR and approach it more holistically. When you look into internal controls, controls of vendors, etc., you can easily create a lot of work for yourself. There needs to be a more decided approach to managing the GDPR by looking at it as a set of different risks. Certain areas in companies' GDPR responses might now need to be revisited, e.g., which vendors to do checks on, what questions to ask them, and the governance framework.

Question: What do you think are the biggest struggles companies currently face when implementing and working with the GDPR?

I think one of the biggest struggles for companies right now is knowing when their data privacy response is enough, and where the emphasis should be. In big multinational companies, you may have thousands of vendors, and you are expected to check each vendor every one to two years. That is a big task. So it's about finding the right balance in terms of how many resources are allocated to data protection.

A big risk for many companies is knowing where the data is. And the same goes for data retention; companies need to create a data retention policy and make sure they follow it. This is something the authorities can easily inspect. It is a bit funny that data deletion was one of the biggest things in the GDPR, but actually, it has been part of Danish law since the 1970s. It can be difficult to manage, though, as companies these days use a lot of systems, and you need to have a good structure and overview of your systems. This is especially true for companies working with consumers, companies in the healthcare or financial sector, or companies processing children's data.

"A big risk for many companies is knowing where the data is; a lot of companies still need to get on top of this. And the same goes for data retention: companies need to create a data retention policy and make sure they follow it. This is something the authorities can easily inspect."

Question: We haven't seen a lot of fines being issued by the data authorities in Denmark. Why do you think that is?

There used to be an understanding in the Danish Data Protection Agency that the rules were complex and difficult to understand, and at that time they wanted to be more of a guiding authority than a sanctioning one. But the approach has now started to change, and they are now reporting companies and municipalities to the police. We are starting to see fines, audits of companies, and sanctions.

The Agency is generally very proactive, creating guidance papers and providing information about the rules, and I hope they will continue to focus on guidance. But it would also make sense for them to publish decisions about sanctions, and to make themselves more visible. Data protection authorities in other countries have been quite strong and opinionated in their communication. The Danish Data Protection Agency could have been stronger in its discourse, but they preferred not to make too much noise. It didn't seem to be a big priority to be a part of the public debate or voice opinions. It is a shame because it is part of the Ministry of Justice, and it is also its own organisation and has a lot of insights around this topic.

Question: Given your experience working with privacy compliance for the authorities and in-house, what do you think companies can do themselves to become more compliant?

I always recommend that companies spend a bit of time getting an overview of the data that they have. They need to know where they keep their data, what the flows are, what the risks are, how sensitive the data they have is, and what could go wrong. This isn't only in relation to the GDPR or data protection, but more generally: what could go wrong in terms of the data that they have. Something that I often work with, which can be done quite simply, is to ask stakeholders to do a test to check whether it actually works in practice, and to see if everyone in the company does it the same way.

Another tip: the GDPR is often outside the scope of what people want to spend time on, so training people to work with it should be limited to what they need to know and what they work with.