Telenor ASA Faces Sanctions for Deficiencies in Data Protection Officer Scheme & Internal Controls
Key Takeaways
- Telenor ASA Fined for GDPR Violations: The company was fined 4 million NOK for deficiencies in its Data Protection Officer (DPO) scheme and internal controls, failing to meet GDPR requirements.
- Lack of DPO Independence and Reporting: Telenor failed to document the DPO’s independence and did not establish a direct reporting line to top management.
- Company Response: In light of the findings, Telenor announced the termination of its DPO scheme and will reassess its obligations under GDPR.
Deep Dive
Telenor ASA has recently come under fire for failing to properly handle its Data Protection Officer (DPO) responsibilities. The Norwegian Data Protection Authority (Datatilsynet) has slapped the telecom giant with a fine and issued a reprimand following an investigation into the company’s handling of privacy compliance.
The investigation, sparked by anonymous tips, uncovered several worrying gaps in how Telenor managed its DPO role and internal controls. Key findings included the lack of adequate documentation for the DPO’s independence, the absence of a clear reporting line to top management, and a general failure to establish necessary organizational measures for privacy protection. Simply put, the company didn’t have the right structures in place to ensure its data protection practices were up to par.
As a result, Telenor is facing a 4 million NOK (about $379,701) fine for its failure to implement the appropriate measures to safeguard personal data in accordance with the General Data Protection Regulation (GDPR). The company has also been reprimanded for not ensuring the DPO had direct access to senior leadership – a critical aspect of maintaining transparency and accountability in data protection practices.
What’s interesting here is the company’s response. In the wake of the decision, Telenor ASA announced that it would be dismantling its current DPO scheme altogether. This decision seems to indicate a shift in how the company plans to address the issue moving forward, with an intention to reassess whether it is even required to have a DPO in the first place. And if it is, it will need to restructure the role, ensuring it has the necessary authority, independence, and clarity on reporting lines.
While Telenor’s failure to meet the mark on data protection could have led to far more severe consequences, it’s worth noting that no specific harm to individuals' privacy was identified during the investigation. The absence of tangible damage to data subjects was factored into the fine’s amount. Moreover, the long processing time of the case was also considered when determining the final penalty.
This isn’t just a story about one company being reprimanded. It’s a reminder to all organizations about the importance of maintaining clear, effective structures around data protection. The DPO isn’t just a box to tick on a compliance checklist—it’s a role that must be independent, empowered, and integrated into a company’s highest decision-making processes.
The case also highlights how privacy regulations like the GDPR are being enforced across borders. Telenor’s case wasn’t just dealt with by Norwegian authorities; data protection agencies in Sweden and Denmark were involved as well, reflecting the increasingly global nature of data privacy oversight.
Telenor now has a clear mandate to get its act together, both in terms of internal controls and the structure of its privacy practices. They’ve been instructed to evaluate whether they’re legally required to appoint a DPO, and if they are, they must do so with a clear framework for its role within the organization. The company must also revise its data processing protocols to ensure they’re aligned with current GDPR requirements.