On September 18, 2023, the Danish data protection authority (Datatilsynet) published new guidance on preventing unauthorized access to personal data by employees within an organization. The Datatilsynet noted that whereas it may be difficult for organizations to discover when employees abuse access to personal data for non-work-related purposes, the extent can be limited through systematic rights management, good control procedures, and effective enforcement by the data controller.

Measures to prevent unauthorized access

In particular, the guidance outlines the following measures organizations can take to minimize the risk of unauthorized access to personal data by employees:

• conducting a risk assessment to evaluate the appropriate measures for the specific organization;
• managing and controlling access rights, ensuring employees only have access to information for which there is a work-related need;
• logging employees' use of personal data including actions such as reading, searching, deleting, changing, and login attempts;
• implementing good control measures such as continuous monitoring of employees' use of systems that process personal data;
• informing employees about existing control measures and the consequences of breaking the rules; and
• enforcing control measures by sanctioning employees who abuse access to personal data, for example by imposing a fine.

Furthermore, the guidance notes that in some cases, where an organization becomes aware of unauthorized access by an employee, the employee should be reported to the police.

You can read the press release here and the guidance here, both only available in Danish.