Internal control

A well-functioning internal control system is crucial to ensuring that personal data are processed in the proper manner. The Norwegian Data Protection Authority has prepared a guide to internal control and data security, which is available from datatilsynet.no. The guide helps the enterprise through the process of introducing internal control and data security measures. In the following, we will discuss some of the key routines that need to be put in place before cloud computing is implemented.

Identify the enterprise’s data processing activities

The enterprise must identify which personal data processing activities are undertaken, and which personal data are included in each process. This overview is necessary if the enterprise is to fulfil its obligations. It also forms the basis for the enterprise’s security strategy and objectives, and will underpin all its risk assessments.

What the overview should contain

The overview should give brief details of:

  • which data are processed and why
  • the authority under which the data are processed
  • how the personal data are classified – are they sensitive or not?
  • technical security measures, indicating zones or networks
  • where the data are stored and whether they are transferred via external media
  • the scope of the personal data
  • any departments that process the personal data
  • system owners and/or data owners

Routines for internal control

The enterprise must have internal control routines in place. Some of the most relevant routines cover:

  1. access
  2. correction and addition
  3. deletion
  4. information
  5. consent

More detailed information about routines and how to develop them can be found in the guide to internal control and data security at datatilsynet.no.

Please note that the same duties apply to data controllers irrespective of whether they use cloud computing or not.