General Data Protection Regulation – a new regulation you must comply with
Look at the positive things about the regulation – you will get a chance to clear up the piles of documents, both on your PC and on your desk.
The data regulation, aka the Personal Data Regulation (GDPR – General Data Protection Regulation), is an EU regulation intended to strengthen and harmonise the protection of personal information within the EU. The Personal Data Regulation became effective on 25 May 2018.
Handling of HR data
If you send an email that contains sensitive personal data, you must insert the signature with this text:
“Please note that this email contains personal data. You must ensure that this data cannot be accessed by anyone else without good reason, and that it is deleted immediately when it is no longer required in relation to the purpose for which it was sent”.
However, if the email is important, you must file it and then delete it.
What is personal data?
Documents containing general data can be stored in email or Office programs during case administration. Emails containing special or sensitive data can be kept for a maximum of 30 days.
The figure (in Danish) shows what personal data are:

Data must be kept under lock and key
When you log on to your PC, you get access to some resources on the basis of who you are. If you leave your PC while you are logged on, others can use it in your name. As a result, information that only you should be able to see and change can be seen and edited by others – in your name!
It is you who will be left with the problem if an unpleasant email is sent from your email address, or if the confidential information that only you have access to ends up being made public.
Therefore: Lock your PC when you leave it. If you have documents containing sensitive personal data lying in your office, you must also lock your door.
As long as you work with personal data, we recommend that you store the case on AU’s network drives, including the personal or common drives (O & U). This will ensure secure storage and backup in case of mishaps. When the administration of the case is finished, the case must be deleted or parked in secure systems such as People Exces, WorkZone or AUHRA.
Your activity in email and in the Office program package is not logged in a way that complies with requirements. They are therefore just temporary depositories for personal data.
Research data
Data must be stored in a secure way, and only absolutely necessary data may be stored. To a certain extent, a distinction will be made between whether you use data actively and whether you mainly store data for later use. Data that can be associated with a person or that is sensitive personal data must be stored in such a way that no unauthorised person can get access to it.
Research data must be stored on the secure departmental drives (O & U) and in the databases that are made available when you work with solutions used by data groups in the departments. Via the IT Unit, an area can be set up that is available to a limited group of employees only (also across departments).
As a starting point, sensitive personal data must not be stored on USB memory sticks, external hard disks or any form of cloud services. There may be exceptions, but then it is a requirement that the data is encrypted.
Many things are still unclear concerning the Personal Data Regulation. The process is ongoing, and there will continue to be adjustments. Therefore, keep updated on the AU website. The first draft for procedures concerning HR data in relation to the Personal Data Regulation in AGRO is being prepared.
In order to ensure that all members of staff are updated on the Personal Data Regulation, we refer you to the article: We’ll have to change our routines.
We must change our behaviour, with stress on the word must. If we don’t, it may mean a fine of up to DKK 16 million. Therefore my recommendation to you is: Delete everything containing sensitive personal dat