The new General Data Protection Regulation (GDPR) replaces the Swedish Personal Data Protection Act of 25 May 2018. It deals with how companies, organisations and government agencies handle personal information, how it is stored and why. Your personal protection is strengthened and now you have the right to be forgotten, in other words, not to appear on any register. As a person, you also have the right to retrieve your data, so-called Data Portability.
Our tips for you (and your responsibility) include:
- Ensure that everyone in your organisation is familiar with GDPR and what it means in general.
- Take an inventory of all the personal information that your company processes and stores. Ensure that you have a summary of why and in what way. Be transparent.
- Remove all duplicates and other unnecessary information.
- Learn the difference between structured and unstructured information.
- Appoint a Data Protection Officer and implement procedures for detecting hacking and data leaks.
- Create procedures and tools for being able to delete personal information in all of your systems or providing stored information to an individual.
- Demand active consent from subscribers to newsletters, for example. Specify what you are requesting consent for. Save the confirmations.
- Learn the difference between the right to withdraw consent and “unsubscribing”.
- Personal data is a person’s right, in other words, it does not belong to companies or organisations. It is what makes a person private.
- Do not collect data that you do not need.
- Consent does not include silence, pre-checked boxes and/or inactivity.
The personal data controller and the personal data processor must create a support agreement. According to the Data Protection Act, it must include:
- Procedures for potential data hacking.
- Procedures for how to report any data hacking to the Swedish Data Inspection Board or other agency.
- Documentation about which type of personal data you are storing, how you are storing it and why you are doing so.
Interesting and useful links:
- General information about GDPR from the Swedish Data Protection Authority
- About GDPR for companies from the Swedish Federation of Business Owners
- For municipalities and county councils from the Swedish Association of Local Authorities and Regions, SKL
Last but not least – don’t stress.
Most people we talk to are working hard to understand what this new legislation will mean for them in practical terms. Many of the statutes are not formulated yet. It will take time until everything is in position. But start working on your procedures now while things are quiet.