Portrait of SANDS Partner Katrine Malmer-Hovik photo

The story of a reported panic

No legal field is as much in demand as privacy protection. A new, stringent regulatory structure is being rolled out across Europe, and for the time being many Norwegian enterprises are quite unprepared.

“All enterprises that process personal data, even if it only involves their own employees, are covered by this regulatory structure. Don’t wait until information entitled to protection ends up in the wrong hands, or the Norwegian Data Protection Authority turns its attention to you, before you deal with this. A proactive approach to this topic is the key to survival. A lawyer or consultant can only help you so much, and privacy protection must actually be made an integrated part of the daily routine in your enterprise if you are going to manage this,” says lawyer Katrine Malmer-Høvik at SANDS.

The EU is currently introducing the new General Data Protection Regulation (GDPR). It strengthens citizens’ power over their own personal information and is accompanied by strong possible sanctions against any enterprise that does not obtain, store or use personal data without sufficient consent or documentation.

“The combination of technological development with potentially major privacy protection risks and a new legal framework that has received abnormally high attention has meant that the interest and focus on privacy protection is extremely high. This does not apply only to ongoing, more fundamental discussions such as a digital border defence for Norway. It also applies to Norwegian enterprises that process personal data in a way not influenced much by fundamental political standpoints,” says Malmer-Høvik at SANDS.

Privacy protection is a focus area at SANDS, in which Malmer-Høvik is part of a team which currently numbers six privacy protection experts, several with long experience from the inside in data-sensitive industries such as insurance and debt collection. From SANDS’ head office in Vika, Malmer-Høvik explains the new challenges that Norwegian and European enterprises must now demonstrate that they take seriously:

“Rapid technological development means that more and more personal information is being collected and analysed. We consumers are happy to leave behind our information to get access to attractive services. Automation, digitalisation, artificial intelligence and all the other buzzwords circulating these days – personal information and privacy protection are at the core of this development,” says Malmer-Høvik.

No free rein for personal data. It can be difficult even for those who employ profiling tools or tools for automated decision-making to explain how the tools work, and the complexity will hardly diminish. If you have problems explaining to a customer what is being done with the data or how a conclusion or result has been arrived at, you also have a legal problem. For example, the General Data Protection Regulation imposes to a degree even greater than the current regulatory structure a requirement to be able to explain how an algorithm functions.

“There are enormous opportunities in commercial utilisation of personal information. At the same time, we in Europe have a tradition of personal information belonging to the individual citizen, and citizens are to have control over their information. This means that there is no free rein to use the data, even if the commercial upside might be entirely obvious,” says Malmer-Høvik.

The General Data Protection Regulation makes it important for firms and organisations to demonstrate that they are responding to and complying with the legislation in this area.

 The interest in privacy protection is great, but the lawyers at SANDS are betting that the interest will reach a peak when the first fine is issued here in Norway. Nevertheless, SANDS emphasises that compliance with the privacy protection regulatory structure is not a one-time task or a project that can or should be outsourced. In SANDS’ opinion, compliance requires internal resources to succeed, and nothing less than good follow-up on a daily basis is required. Those who believe privacy protection can be solved with yet another binder that gathers dust will be disappointed.

The incomparable value of a good reputation. SANDS is one of Norway’s largest law firms. To name just one area, it is a leader in technology and innovation, where many of the most interesting issues of the day concerning privacy protection arise.

Rules for processing personal data are no innovation, and in SANDS’ opinion it is wrong to call the General Data Protection Regulation a revolution. It is not the case that processing personal data has previously been entirely unregulated – quite the opposite: Norway currently has a regulatory structure that is based to a large degree on the same fundamental principles as the new regulatory structure. It is the increased threat of prosecution which the General Data Protection Regulation introduces that means privacy protection has finally become a hot topic for conversation in Norwegian conference rooms. At the same time, increased geographic scope can be identified as another factor of interest for enterprises that are not established in the EU. There is no hiding the fact that fear of financial sanctions from the Norwegian Data Protection Authority is a motivation for many enterprises. However, potential reputational loss should be just as large a motivating factor, Malmer-Høvik points out.

“Articles about how you don’t have control of the data could cause greater harm to your reputation than a fine from the Norwegian Data Protection Authority,” says Malmer-Høvik.

She believes this is related to the fact that most people have finally become more aware of how personal data about them are used.

“Suddenly people are demanding that their personal data be taken care of properly. They see that adverts follow them round on the Internet and that one form or another of analysis of the data and their preferences is being carried out,” she comments.

In the Trump era, revelations about targeted political messages in social media have also created awareness that it is not only commercial interests who tailor personal messages.

“It has dawned on most people that the electronic tracks do not go away on their own.”

The story of a reported panic. Despite the fact that the regulations are coming at full speed, Norwegian enterprises are quite unprepared.

“For many people, the regulatory structure has been ignored for the most part, and there are certainly several reasons for this. A lack of knowledge is presumably the main reason in many cases. Low risk of discovery and relatively small financial consequences are certainly also a factor in some situations,” says Malmer-Høvik.

She thinks a surprising number of enterprises are not in control.

“Privacy protection is a comprehensive job that should begin now with a recognition in the boardrooms that following the regulations will require internal resources. And whether it is HR, Finance or IT, there are many in the enterprise who have to sit round the conference table and assist in ensuring that the requirements are responded to.

Then starts the identification of what has to be done, but perhaps first of all: What do we have? What kinds of data are we sitting on? Where are the data? Where do they come from? Who do we give them to? And perhaps the most interesting question: Why do we have these data? Procedures must be created and maintained. SANDS’ privacy protection group assists as a legal guide in an identification situation and offers work documents that can be used.

The lawyers at SANDS do not disguise the fact that compliance in enterprises that have not previously focused on privacy protection is a potentially far greater task than for those who are already well-organised.

“Many people need help to ask the right questions early so they can work in a businesslike manner in the future. For example, regarding the deletion of personal data: if you don’t know what kind of personal data you have and barely know where they are, it is difficult to create a good deletion procedure,” says Malmer-Høvik.

After the basis for processing data is in place, SANDS provides tailor-made recommendations regarding where consent or data processing agreements are required, for example, and assists in identifying which requirements apply to the enterprise and how the requirements can be fulfilled. They draft consent texts and agreement texts, assist in negotiations with suppliers and assist when the enterprise establishes procedures for deletion or a cookie policy, for example.