GDPR – what does it mean for you? - Employee

What does data protection (GDPR) mean to you?

Are you wondering how the new data protection rules (GDPR – General Data Protection Regulation) affect your everyday work? Below you will find links to useful information and courses, in addition to some points to think about when processing personal information.

What you need to think about in connection with GDPR

If you process personal data and have not thought about this before, consider the following now:

  • Registered persons (employees, students, research participants, etc.) have been given increased rights, so you must have more control over which personal data is processed and how. You must make sure you have an overview of the processing, and all assessments must be documented. You must therefore report all new processing within administration and lectures to the privacy contact at your unit. Read more about the overview of the processing of personal data here.
  • The processing must have a purpose (a good reason) and you must have the right (permission) to process the information for this purpose, e.g., via consent, legal authority or agreement. With the stricter requirements for consent, you can, for example, no longer send information to people whose e-mail address you have unless you have consent or another basis for processing before sending it. See also the Norwegian Data Protection Authority’s website on the basis for processing (datatilsynet.no).
  • You must inform the registered person(s) about who is processing the personal data, for what purpose, how, where and for how long the data is to be processed, the registered persons’ rights to access, correction, deletion, complaint, etc., as well as the contact person and the contact information for the data protection officer (Norwegian: personvernombud). If your processing is covered by OsloMet’s privacy statement or the information is easily available on OsloMet’s website (may apply to cases with very many registered persons), it is not necessary to send individual information to all the registered persons. Consent as a basis for processing always requires individual information.
  • You shall not process more personal information than is necessary to achieve the purpose of the processing.
  • Data must always be correct and updated.
  • Data must be stored in such a way that the registered person cannot be identified longer than necessary. Data you no longer need must be deleted.
  • Data must be processed in such a way that it is not exposed to unauthorised access or processing, or to accidental loss or damage.
  • A risk assessment must be made for all processing of personal data. Read more about risk assessment here.
  • Recent additions to the privacy legislation state that you must always consider whether a data protection impact assessment (DPIA) should be carried out for any processing of personal data. Read more about DPIA here.
  • A data processor agreement must be signed when external parties (data processors) carry out all or part of the processing on behalf of OsloMet (data controller). Read more about data processor agreements here.

Positive consequences

With raised awareness, overviews of personal information and documentation of assessments and routines, you will have better control over your work with privacy and can be confident that the processing is in accordance with the GDPR. Your and others’ personal information will then be well taken care of, and OsloMet avoids being fined and getting a bad reputation.

Personvernspillet
