Norsk Forening for Etterforskning og Sikkerhet

NFES skal være en interesseorganisasjon for personer eller foretak som utfører etterforskning, utredning, rådgivning, sikkerhetstjenester. Det skal arbeides for at NFES skal være den naturlige samarbeidspartner for myndigheter, medier og samfunnet for øvrig. NFES skal stå for høy troverdighet, skape normer for etikk, faglig nivå og utvikling. NFES skal arbeide for autorisasjon av etterforskere i Norge. NFES skal ha etiske retningslinjer.  (utdrag fra vedtektene §2)

Hva er GDPR

Den nye personloven GDPR (General Data Protection Regulation) ble vedtatt av EU i 2016 og tredde i kraft i EU 25. mai 2018. Forordningen vil også gjelde i Norge som    EØS land trolig 1. juli 2018.

De viktigst endringene er :

  • Bedrifter og virksomheter får et større ansvar for å ivareta personvernet til kunder og brukere.
  • Borgere får rett til å motsette seg noen typer profilering, der personopplysninger blir brukt til å analysere og forutse adferd.
  • Det stilles strenger krev til forståelig språk og åpenhet om virksomhetens behandling av personopplysningene.
  • Tydligere retningslinjer for når bedriften kan bruke personopplysninger til andre formål enn det de ble samlet inn for.
  • Alle offentlig virksomheter , samt private virksomheter som behandler sensitive personopplysninger i stor skala eller som systematisk overvåker europeiske borger i stor skala, vil bli pålagt å opprette egne personvernombud.

Ny personvernlov (GDPR)  General Data Protection Regulation

Ny personvernlov (GDPR)  General Data Protection Regulation

  • Trer i kraft i EU 25. mai. I Norge vil EU-forordningen gjelde fra 1. juli.
  • Alle virksomheter som samler inn eller bruker personopplysninger om EU/EØS-borgere må følge reglene.
  • Brudd på reglene i GDPR kan bøtelegges med inntil fire prosent av foretakets årsomsetning, inntil 20 millioner euro.

Hovedtrekk

  • Alle selskaper skal ha en forståelig personvernerklæring.
  • Alle selskaper skal vurdere risiko og personvernkonsekvenser.
  • Alle selskaper skal bygge personvern inn i nye løsninger.
  • Mange bedrifter må ha eget personvernombud.
  • Loven gjelder også virksomheter utenfor Europa og underleverandører.
  • Alle selskaper skal ha rutiner for avvikshåndtering.
  • Alle avvik skal varsles Datatilsynet. Det blir ulovlig å skjule avvik.
  • Alle må kunne oppfylle borgernes nye rettigheter.

Kilde: Datatilsynet

IKD GDPR Guidance

Relatert bildeThe IKD aims to provide its member organisation with guidance to assist in getting the wider affiliated practitioners GDPR ready.

To this aim the IKD has assessed that investigators in private practice need to be familiar with the following:

 Data Audit (data flow)
 Data Processing Statement
 Privacy Notice & Cookie Policy (where data is collected on web site)
 Personal Data Audit Trail (Case Management)
 Data Protection Impact Assessment (DPIA)
 The construction of a case Proposal and how to include the DPIA
 Model Terms of Business (Investigator and Client)
 Model Terms of Business (sub-contractor)
 Security of Data in transit (encryption -v- password protected)

A series of documents are provided to go some of the way. These are the documents prepared for use by ABI (UK & EU) members and follow a Seminar last February, which introduced the Compliance Documentation. The ABI is currently holding a series of one-day intense workshops for small groups of its members when the GDPR Compliance is discussed in detail. It is highly recommended that IKD member organisations do likewise for their respective members. The WAD is holding a round table discussion at its mid term meeting in Barcelona at the end of April http://www.wad.net

In the meantime, the IKD is anxious to provide members with as much assistance as is reasonably possible to get everyone started with the adjustments to their respective members’ business models in compliance with the GDPR requirements.

The series of documents prepared for ABI members’ use are shared here. This is however an on-going project and updates will be required frequently.

This communication provides you access to the documents thus far available, which it is hoped will be of some assistance to all IKD members.

1. The ABI – A go to guide on GDPR, click here
2. The ABI adopted ICO Guide to GDPR Documentation, click here
3. The ABI DPIA narrative, click here
4. DP Audit sample template, click here
5. The ABI Privacy Notice & Cookie Policy, click here
6. Model ABI DP Statement, click here
7. Personal Data Audit Trail (Spreadsheet Case Management), click here
8. Model Terms of Business (Investigator and Client), click here
9. Model Terms of Business (sub-contractor), click here

The industry practice for inter-agency assignments has thus far been largely void of the formality now required under GDPR. A significant change will be obtaining the client’s permission to sub-contract in the first place, when the processing of personal data is involved; this is dealt with in the ABI Model Terms of Business (clause 12.3). However, it is necessary for Investigators to ensure that a formal written contract is also in place with all sub-contractors and that the contract covers the GDPR obligations. The ABI has designed a default position for its members when sub-contracting to another ABI member. This has been achieved by imposing the ABI Model Terms of Business (sub-contractor/Member, item 9 above) in the ABI Bye-laws which apply by default in the absence of an existing GDPR compliant contract between the members. To see the wording used please look at Bye-law 2B, click here.

I appreciate there is quite a lot to consider and that there may be some differences in some jurisdictions but the gist of the GDPR requirements are the same throughout the EU and beyond.

Hele dokumentet i sin helhet kan leses og lastes ned under.

ABI GDPR docs for IKD