Here is a list of some of the things you need to do before you start processing personal data.
1. Familiarise yourself with the principles of privacy.
These principles are legally binding, so you always need to keep them in mind when designing any processing.
2. What personal data will you be processing?
Identify the various categories of personal data that the company processes. For example, this could include contact details for employees, contact details for customers, employees' bank account details and tax deductions, customers' purchasing history, IP addresses collected via the company's website, customer segments, etc. Be thorough so that you do not miss anything.
3. Define a clear purpose for the personal data categories.
One category may sometimes serve several purposes, but you cannot substantially change a purpose once processing has started. The purpose must not be broad or vague: always be specific.
4. Identify which grounds for processing are most suitable for the various types of processing involved.
Each instance of processing may only have one legal basis, and you cannot normally change the legal basis as you go along. If none of the legal bases apply, the processing concerned is unlawful.
5. If you process special categories of personal data (sensitive personal data and biometric data), such processing must, in addition to a legal basis, also meet one of the conditions specified in Article 9 of the General Data Protection Regulation.
6. Personal data shall not be stored for any longer than is necessary for completing the purpose of any processing.
This applies unless otherwise required by law (for example the Norwegian Public Archives Act or the Norwegian Accounting Act) or, for example, by the conditions of research funding. This follows from the principles of storage limitation and data minimisation. Line managers are responsible for drawing up deletion procedures that minimise the security risks at their units. System owners have the same responsibility for the systems they own. Each individual employee is responsible for deleting personal data stored in their personal user areas. Find out how you can best comply with this deletion obligation.
7. Familiarise yourself with any other rights which apply to individuals.
The company has a duty to provide systems which ensure that individuals can actually exercise their rights within the applicable deadlines. This means, for example, that you need good procedures, systems and expertise in order to assess individual requests.
8. It is important to think about privacy right from the start.
This makes it much easier and cheaper to create procedures, systems and an organisation that safeguard privacy satisfactorily. Privacy by design and by default is now mandatory (Article 25 of the GDPR). When creating procedures and systems, you should therefore consult our guidelines on privacy by design.
9. Is a data processor going to process personal data on your behalf? Remember that a data processing agreement is required (Article 28 of the GDPR).
10. Will the personal data concerned leave the EEA?
Read the rules which apply to overseas transfers in Chapter V of the General Data Protection Regulation.
Our guidelines on transferring personal data to third countries under the old Norwegian Personal Data Act can serve as a good starting point, since both sets of rules are based on the same principles, but be aware that there are differences.
11. Consider whether you have a duty to conduct a data protection impact assessment (DPIA, Article 35 of the GDPR).
12. You must have procedures which will enable you to comply with all the statutory obligations.
Consequently you must have internal controls. You also have a duty to protect personal data, i.e. to ensure information security (Article 32 of the GDPR). See our guidelines on internal control and information security when you plan the security measures your company needs.
13. You must also draw up plans for how you will comply with the obligations that apply when something goes wrong, i.e. when a personal data breach occurs.
See the requirements on handling personal data breaches in Articles 33 and 34 of the GDPR. Note that a breach must normally be notified to the supervisory authority within 72 hours of becoming aware of it, so the plan must identify who assesses, decides and notifies.
14. Remember that most companies are obliged to keep records of their processing activities (Article 30 of the GDPR).
15. On this page you will also find a list of all the obligations your company has when processing personal data.