Datatilsynet issued a cloud guide in Danish and English in March this year. It was not only about transfers to the USA and other unsafe third countries, although one might think so given what the wise minds subsequently chose to focus on.
For example, it was also about knowing your final processor (where is your data?), that you must not let the processor use the data for its own purposes, and that you must split your risk assessment into one that deals with data protection and one that deals with security of processing.
Datatilsynet has today announced that two public authorities are being inspected closely. And next month it will turn to private companies' cloud use:
"The two inspections in the public sector have just begun, but the area will continue to be subject to scrutiny as part of Datatilsynet's ongoing focus.
Datatilsynet will thus also supervise the use of cloud in private companies. These inspections will be carried out in the coming month."
Datatilsynet's announcement comes in the wake of KL having changed its view on transfers in the municipalities on 8 June, i.e. a few days ago.
Now the tune has changed, so to speak. Gone is the confidence that the agreement between the EU and Biden will probably fix everything.
Previously, KL sounded like this:
"We have cheered here. It's no secret, because it's a huge, huge relief."
KL stated on the same occasion:
"It is especially on the cloud where we have Google, Microsoft and Amazon. Then there is Facebook, as social media. But all the big ones are American, and almost all municipalities use Microsoft, where there are also transfers to the USA. There has been a discussion about whether it is only on support. But even if it is only on the support, and even if it is only on the support in special situations, then there are also - from a legal point of view - transfers."
Now KL recommends the usual steps that everyone who uses cloud services in a third country should take.
It looks like a coordinated effort: new guidance, a new announcement and, finally, supervision.
What is the worst that can happen? In our opinion, it is not the fines - the public sector cannot receive fines as large as private companies can. The worst would be an order to stop using a system in a third country. Look at this example from Iceland (previously mentioned here on the site).
Whether you are public or private, you should therefore get your mapping, risk assessment, data processor agreement and any transfer basis in place.
To put it more sharply: if you have a system on which all or significant parts of your activities rest, which involves transfers to the USA, for which you lack a risk assessment, and whose data processor agreement needs review, then it is high time to get started with the work on precisely those systems. Could you tolerate a ban?
In addition, it is clear that if you have sensitive personal information such as health information in an insecure third country, and you may not even have the best data processor agreement - it may not have been negotiated at all - and you have forgotten to update your risk assessment, then you should probably also act now.
In conclusion, it is not just the GDPR that is pushing for much more compliance and information security. NIS 2 does too. So does DORA. Other sets of rules on the way could also be mentioned.