The fight ended in a draw: understandable frustrations were met with good answers.
Besides not having to cut students out of pictures when they change school, we were once again made aware that consent is always the worst conceivable legal basis. Use something else - anything else, just use something else. For example, the exercise of authority.
Public authorities should simply never think of consent first, but always start with the exercise of authority. Thus, special legislation in the social, school or service areas must often be assumed to be fully sufficient for the processing of personal data that is relevant and necessary to carry out the tasks that are the purpose of the special legislation.
And then the message was: centralize! Centralize internally so that it is never the individual caseworker who has to decide on the GDPR, the risk assessment and what needs to be addressed:
In Datatilsynet's view, it should not be the individual pedagogue, health nurse or case manager who is tasked with documenting legal handling of citizens' data. The municipality must ensure that correct processing of personal data in daily work is supported both technically and organizationally.
Datatilsynet also drew attention to the fact that KL should take the lead with a code of conduct so that the municipalities feel more secure in the day-to-day application of the regulation:
One possibility is also that KL draws up a code of conduct. A code of conduct is a set of guidelines that should help ensure that the authorities that adhere to the code apply the data protection rules correctly.
In relation to the data processors, the message was also to centralize: this applies especially to the conclusion of data processing agreements and to supervision and control. KL can do a lot here. So the ball is back in KL's half of the court. KL states:
Municipalities find it extremely resource-intensive to comply with the GDPR requirement that they - or expensive auditors on their behalf - must supervise their data processors. For each municipality, there are several hundred agreements. In addition, many municipalities have to carry out exactly the same control with the same data processor, which does not increase data security.
The answer from Datatilsynet seems right:
When you process personal data, and especially when these are passed on to others, including data processors, a responsibility comes with it, e.g. to supervise one's data processors. This is a specific requirement according to the regulation. To facilitate this work, Datatilsynet has published guidance specifically related to the supervision of data processors. It appears, among other things, from the supervisory authority's guidance that the data controller can advantageously organize its supervision on the basis of the risk assessment that the data controller has carried out. How often and how data processors must be supervised can therefore vary according to the risk to citizens' rights and freedoms. In this context, too, Datatilsynet applauds possible cooperation between the authorities.
If the municipalities just want more time for the hot tasks, they have to call for pooling the cold ones. Then it is also easier to point out that the bill should be passed on to the state, since the expense of the cold tasks is not exactly defined by the level of service and local decisions, but by legislation that comes from far away. But we may be too optimistic here. Centralizing IT is usually not that easy.
However, it must be remembered that this is not a matter of centralizing IT in the traditional sense. Only the compliance part needs to be brought together. And that must be possible. This can be done in a very impractical way by sharing information digitally - it can also be done by creating a special GDPR shared service for the municipalities with a defined task portfolio.
As everywhere where compliance pops up on the horizon after IT has been outsourced (without considering the consequences for compliance), one finds that the technicians in the basement need to be quickly replaced by grinding animals in the hallways. No one has said it should be easy - and it never will be. It's just getting started!