Danish Data Protection Authority reveals 2024 supervisory focus

AI, automation, and security at municipalities and regions among the areas the Authority will zero in on.

A continuing supervisory focus on AI, the monitoring of employees, and a fundamental review of data processing security at municipalities and regions are among the Danish Data Protection Authority’s (Datatilsynet’s or Authority) supervisory activities for 2024.

In total, 12 focus areas has been outlined, with both new and recurring themes present.

AI and automation

The continuing expansion and development of AI has led to Datatilsynet keeping it as an area of priority for this year. The Authority indicated that the development and growing adoption of generative AI was a driving factor, particularly because it is predicted to have a big impact on future ways of working. The authority warned that the technology “entails special risks for the citizens whose information is processed as part of the development or use of these solutions”. 

Another area where AI is increasingly under scrutiny is the healthcare sector, where the technology is used to support decisions connected to patient treatment. But using these types of solutions “could mean great risks for citizens”, the Authority said.

As Robotic Process Automation (RPA) solutions are also becoming more widely adopted by organizations to automate business and work processes with, Datatilsynet has decided that it will need to oversee this area too. Even though such solutions often “generally entail fewer risks for those registered” the Authority says that there’s a chance that such also could also introduce “special security issues”.

Connected to the RPA technology, Datatilsynet also says that it has witness many examples of personal data breaches in recent years, “where inadequate rights management has increased the risk of misuse of personal data”. That includes when a hacker has been “given a better opportunity to access information inside the system or where employees access personal data without authorization out of curiosity or to obtain a form of personal gain without risk of discovery”. 

Therefore, Datatilsynet has decided to also focus on public and private data controllers – because as gatekeepers, they can do more to prevent breaches and abuse from that kind of technology.

Security at municipalities and regions

Areas that will continue to be subject to greater supervisory focus will be data security at municipalities and regions as well as municipal web archives.

After receiving several complaints, the Authority published guidelines for municipalities’ publication of information in web archives in 2021, and will now also check on how these institutions have implemented these.

[AI technology] “entails special risks for the citizens whose information is processed as part of the development or use of these solutions”. 

Danish Data Protection Authority

Datatilsynet has also carried out inspections on basic processing security in many of the country’s municipalities and regions since 2020, which has increased the number of physical inspection visits, criticism and injunction decisions, and criminal proceedings. It has also resulted in new guidance initiatives.

This year, the focus will be on following up in several areas where supervisory efforts had earlier uncovered problems with data processing security, including some instances where cases have been handed to the police – including the encryption of portable data media, the use of scanning tools and the preparation of impact analyses.

A new inspection, for which details have yet to be disclosed, will also be carried out this year as part of the Authority’s maturity inspection of municipalities.

2024 supervisory activities

During 2024 Datatilsynet’s supervisory activities will zero in on:

  1. Use of AI and automation – Supervise the use of AI by public and private organisations; supervise the use of automation solutions, generative AI solutions and AI solutions more generally within the health sector.
  2. Monitoring of employees – Inspect and map out how employees are monitored in both private and public sectors.
  3. The data subject’s right of access – Together with the European Data Protection Board and as part of the coordinated Enforcement Framework (CEF) between the European supervisory authorities intended to harmonize and strengthen the enforcement of GDPR, this year’s focus will be the data controllers’ processing of requests from the data subject.
  4. Housing associations – The right to access or deletion received by cooperatives, owner’s association or housing company responsible for the data, as well as housing associations’ use of television surveillance.
  5. Municipal web archives – Scrutinize how municipalities have implemented guidelines that were published in 2021.
  6. Private schools – Legal authority and the handling of access and deletion requests.
  7. Online and physical shopping – The processing of personal data while shopping online and in stores.
  8. Rights management and prevention of misuse of access to personal data – Which will involve a focus on systematic rights management, adequate control procedures and effective comopliance on the part of the data controllers.
  9. Basic data security at municipalities and regions – Continue to follow up on areas which have problems with data processing and the security of data.
  10. Processing of personal data in pan-European information systems – Examine the processing of personal data by authorities in connection with the use of several pan-European information systems.
  11. The Law Enforcement Act – Carry out supervisory activities in relation to the compliance of law enforcement authorities with a number of the provisions of the Data Protection Act.
  12. The PNR Act (the legal framework for the collection and processing of passenger list information that airlines hold by the police) – The authority will supervise police compliance with the law’s provisions.