
Client Alert | New ruling on risk assessment from the Danish Data Protection Agency

22 April 2020

On 21 April 2020 the Danish Data Protection Agency published a decision on the use of risk assessments when verifying the identity of data subjects who make contact and request changes to their account, including disclosure of their personal data. The Danish Data Protection Agency also stresses that employee training must be conducted regularly and not on an ad hoc basis.

Speed read

On 21 April 2020 the Danish Data Protection Agency published a decision finding that BroBizz A/S’ risk assessment and implemented organisational security measures were not in compliance with the GDPR when verifying the identity of data subjects who make contact and request changes to their account, including disclosure of their personal data. The Danish Data Protection Agency expressed severe criticism of the processing of personal data not being in compliance with article 32 (1) and (2) of the GDPR, as BroBizz A/S had not implemented appropriate organisational security measures, resulting in wrongful disclosures. The Danish Data Protection Agency further issued an order requiring BroBizz A/S, within 4 weeks, to assess the risks to data subjects associated with the type of processing of personal data the company undertakes when establishing the identity of a natural person who has submitted a request under articles 15-21 of the GDPR.

Key items

The key items of the decision of the Danish Data Protection Agency are:

  • Lack of organisational security measures. BroBizz A/S has in place a procedure and instruction on how customer service employees must verify the identity of a person before making changes to the account of the data subject and disclosing personal data. Notwithstanding this procedure and instruction, BroBizz A/S reported three data breaches involving the wrongful disclosure of one individual’s personal data to another individual. On this basis, the Danish Data Protection Agency concluded that the organisational measures implemented were not in compliance with article 32 of the GDPR, either because the instructions were not clear enough or because the employees were not sufficiently aware of them.
  • Requirements for the risk assessment. The risk assessment provided by BroBizz A/S to the Danish Data Protection Agency assessed the risk of personal data being disclosed to a wrongful recipient as very limited. The risk assessment did not sufficiently assess the risk to the data subject when personal data is disclosed to an unauthorised third party, even though risks such as phishing and stalking were mentioned. In its decision the Danish Data Protection Agency makes it clear that the risk assessment should have assessed the risks associated with disclosing data to an unauthorised third party when the data subject has not been sufficiently verified, and the Danish Data Protection Agency has therefore issued an order requiring BroBizz A/S to provide a new risk assessment to the Danish Data Protection Agency within 4 weeks.
  • Ad hoc training is not sufficient. BroBizz A/S has informed the Danish Data Protection Agency that employees have received one course since 25 May 2018, that new employees receive training, and that training is otherwise conducted on an ad hoc basis. The Danish Data Protection Agency finds that such training is not sufficient.
  • Instruction and process as mitigating actions. BroBizz A/S has stated that, to mitigate the risk of unauthorised disclosure, it has instructed its employees to follow instructions and a process. The Danish Data Protection Agency states in its decision that it finds these specific mitigating actions, namely instructions and processes, to be very vague.

Next steps

The Danish Data Protection Agency again stresses the requirement for documented risk assessments and that such risk assessments must not focus only on the likelihood of a data breach occurring. The risk assessment must always include an assessment of the risk to the data subjects in the event of a personal data breach, such as the risk of loss of integrity and identity theft.

Further, when establishing mitigating measures to protect personal data against unauthorised use, it must be taken into consideration that the Danish Data Protection Agency does not find instructions and processes to be sufficient mitigating actions, but calls them very vague. We read the decision of the Danish Data Protection Agency to mean that instructions and processes cannot stand alone but must be supported by training, controls, verification and documentation.

To assist our clients in making the required risk assessment, we have developed a risk assessment tool which enables all parts of the organisation to assess the risks associated with various processing activities and to ensure adequate documentation of the measures and controls established to manage the identified risks.
