On 25 May next year, the new General Data Protection Regulation (GDPR) comes into force. The regulation will apply directly as a new law, replacing Sweden’s Personal Data Act (PUL). So what is important for you to know and what actions might you need to take?
Lawyers familiar with the issue say that, generally speaking, the businesses that have taken this into account and implemented PUL have done the spadework for implementing GDPR. However, we know from experience that many organisations – both private and public-sector – have not bothered with it because the sanctions have been practically non-existent under a toothless Datainspektionen (Data Protection Authority) without the necessary mandate.
Under the new GDPR, a whole lot changes, even if certain aspects are extremely similar to the PUL of today. One of the main objectives of the new GDPR is to bring about harmonisation in the EU, to include technological development and the new social media (Facebook, Instagram etc.) and to give EU government agencies like Sweden’s Data Protection Authority much more muscle to supervise and issue heavy fines to businesses failing to comply with the law.
CHANGES IN AND TIGHTENING OF THE LAW
To summarise, the GDPR represents changes to and tightening of the law as follows, compared to PUL:
- Strengthening of the rights of the individual
- Stronger protection for the rights of minors (children) and processing of their personal data
- Increased responsibility for the controller – e.g. personal data files in municipalities or customer clubs in private trading companies
- Increased responsibility for the processor – e.g. a sub-contractor to the controller
- Accountability – the requirement for a business to be able to demonstrate (prove) that it complies with the new GDPR, e.g. by keeping a register of all personal data processing actions
- “Privacy by design”, which in practice requires controllers from the outset to maintain, via system adaptation and development, the level of protection relative to the risk in the processing of personal data in line with what is prescribed by the new regulation
- Appointment of a “data protection officer” with a more formal role within the organisation. That is, a senior role with a specific mandate and independent of the organisation’s management (roughly speaking, similar to the role of an auditor in finance)
- Increased powers for sanctions and greater supervision of GDPR compliance
- An intention to move away from personal identity numbers (or the equivalent in other EU countries) as a parameter of identity
DATA PROTECTION OFFICER – NEW PROFESSIONAL ROLE
According to the above, the data protection officer will have a central and important role in organisations handling a high volume of personal data, with the emphasis above all on personal data of children. To summarise the role of the data protection officer:
- To be appointed on the basis of professional qualifications, expert knowledge and ability to perform the duties involved (i.e., a senior individual with authority and integrity)
- To act impartially and independently and to have sufficient resources to perform his/her role
- To participate, correctly and promptly, in all matters relating to data protection
- To report directly to the highest level of management
MORE SPECIFICALLY AND IN OPERATIONAL TERMS, THIS MEANS THAT THE DATA PROTECTION OFFICER HAS THE FOLLOWING DUTIES:
- To provide information and give advice
- To oversee compliance with GDPR and controller’s strategy for protection of personal data
- To give advice on and supervise implementation and perform impact assessments
- To work with and serve as a point of contact for the Swedish Data Protection Authority
- To serve as a point of contact for those registered in the organisation’s databases
- Within the scope of his/her assignments, to take account of the risks associated with processing of personal data (nature, scope, context, purpose)
Let’s now look at the case of those who have themselves chosen to register their personal data (mostly private sector) or are registered “by default”, for example by residing in a particular municipality. How have the rights of individuals who have provided their personal data been strengthened?
- Detailed, unambiguous, understandable and easily accessible information (on request)
- Data portability (e.g. extended legal support and easier for customer to switch supplier)
- Limit on processing (restrictions on organisations’ freedom to link personal data à la “Big Data” for marketing purposes)
- Oppose data processing (make objection)
- The “old” rights remain in place but are more detailed and their definitions tightened, including the right to obtain a register extract, correction, deletion etc. The controller must be able to respond quickly to a request from the personal data provider (e.g. a customer, or a resident in a municipality)
CHECKLIST OF ESSENTIAL ACTIVITIES
How then should private and public sector organisations prepare for the new legislation? The short answer is that “they should have started yesterday”, but that’s all the more reason for starting today and not tomorrow. If unprepared, they could make a checklist of the following activities and work through them:
- Devise a strategy on how the organisation should deal with data protection issues
- Make an inventory of the organisation’s internal routines, policies, guidelines etc. What is missing? What needs to be added?
- Map all processing actions for personal data
- Check legality and compile a register of the processing actions
- Appoint a personal data officer (data protection officer)
- Ensure that the personal data officer has the required resources for performing his/her duties
- Produce new templates for data transfer agreement, risk analysis and impact assessment
- Develop routines for reporting and informing about data protection incidents
- Review information on those registered
- Develop “channels” and processes to enable those registered to exercise their rights via a simple routine
- Work on data protection issues preventively, on an ongoing basis and follow up outcomes
- Monitor developments and any legal cases under the new legislation
If you have any questions on IT and ICT, please contact us. If we can’t answer ourselves, we have partnerships with highly-reputed lawyers specialising in the area.