Blog entries

The new general data protection regulation will soon enter into force

"If you are not directly involved in projects related to the data protection regulation, it is still important that you understand the impact it will have on your work," Arnold Boon writes on his blog.

I hope that most of you already know that a new general data protection regulation will enter into force in Denmark and the rest of the EU on 25 May this year. At AU, we are working hard on the major task of preparing the organisation to meet the new requirements that the regulation will introduce.               

But what is the data protection regulation actually? And what are we doing at AU to ensure that we are in compliance with it? And what can you as an employee do to help ensure that we follow the rules? These are all questions I will answer in this month's blog.

The general data protection regulation in brief

Many of you work with personal data on a daily basis. This applies to the administration, but also to research and education. Personal data covers many different types of information, such as name, age, address, telephone number, civil. registration number (CPR no.) illnesses, payroll data, etc. 

The aim of the new general data protection regulation is to ensure that personal data is handled, stored and processed in a secure manner. The regulation replaces the current Act on Processing of Personal Data (Persondataloven), which has been in force since 2000, and will tighten up a number of rules for handling personal data.

I understand the general data protection regulation as a paradigm shift in personal data processing – and I am not alone in this. Put simply, according to the regulation, personal data is not 'our' (the university’s) data. Personal data is information that we have 'on loan', and that is why we must take good care of it.

Fundamentally, I think that this is a positive development that will safeguard the personal data of each citizen in a society in which data plays an increasingly important role, and in which technology offers both new opportunities and new dangers.

What are we doing at AU to get ready?

At AU, we have been working to prepare for the introduction of the new regulation for quite some time.

One of the most important tasks is to review all data flows in the research groups, in connection with our degree programmes and in the administration. At the same time, we are identifying where we need to make an effort – in other words, where we need to adapt our IT systems and our procedures to meet the new requirements. This is a colossal job.

In relation to research, it is particularly important that we register all research projects which involve personal data. In relation to our degree programmes, we also need to clarify how we need to handle personal data, for example in Blackboard and in the work of the boards of study.

And generally, we all need to clean up our inboxes, our desktops and our network drives, to ensure that we haven’t saved any sensitive personal information that we no longer need to use in our work.

What can you do as an employee in the administration?

Quite a number of administrative staff members are already fully or partly involved in the process of getting ready for the implementation of the general data protection regulation. I would like to acknowledge the excellent work that has already been done.

If you are not directly involved in projects related to the data protection regulation, it is still important that you understand the impact it will have on your work. For example, you will find a lot of extremely relevant information on our website, where a special section has been created. Among other things, you can read about how to handle emails and store personal data.


AU also offers a course on good administrative practice which is open to all administrative staff, and before long we will also be offering e-learning which will be available to all employees.


If you have any questions about the general data protection regulation, I encourage you to speak to your immediate supervisor or or one of the representatives from the data protection team, whose contact information is available here: