The Danish Data Protection Agency has on 21 April 2020 published a decision regarding the use of risk assessments in connection with verifying data subjects when being contacted and making changes to the account of the data subject including disclosure of the personal data. The Danish Data Protection Agency also stresses that training of employees must be conducted regularly and not on an ad hoc basis.
The Danish Data Protection Agency has on 21 April 2020 published a decision finding that BroBizz A/S' risk assessment and implemented organisational security measures were not in compliance with the GDPR when verifying data subjects upon being contacted and making changes to the account of the data subject, including disclosure of the personal data. The Danish Data Protection Agency expressed severe criticism of the processing of personal data not being in compliance with article 32 (1) and (2) of the GDPR, as BroBizz A/S had not implemented appropriate organisational security measures, resulting in wrongful disclosures. The Danish Data Protection Agency further issued an order requiring BroBizz, within 4 weeks, to make an assessment of the risks to the data subjects associated with the type of processing of personal data that the company undertakes in relation to ensuring the identity of the physical person who has issued a request under articles 15-21 of the GDPR.
The key items of the decision of the Danish Data Protection Agency are:
The Danish Data Protection Agency again stresses the requirement of documented risk assessments and that such risk assessments must not only focus on the risk of a data breach happening. The risk assessment must always include an assessment of the risk to the data subjects in the event of a personal data breach, such as the risk of loss of integrity and identity theft.
Further, when establishing mitigating measures to protect personal data against unauthorised use, it must be taken into consideration that the Danish Data Protection Agency does not find an instruction and a process to be sufficient mitigating actions, but calls these very vague. We read the decision of the Danish Data Protection Agency to mean that instructions and processes cannot stand alone but must be supported by training, controls, verification and documentation.
To assist our clients in making the required risk assessment, we have developed a risk assessment tool which enables all parts of the organisation to assess the risks associated with various processing activities and to ensure adequate documentation of the measures and controls established to manage the identified risks.