Sweden was the first country in the world to adopt a national data law, in 1973, and the protection of personal data has only become more relevant since. Today it is the General Data Protection Regulation (EU 2016/679), the GDPR, that protects people's privacy when their personal data is processed by others. It replaced the Data Protection Directive (95/46/EC), which was in force from 1998 to 2018.
Any processing of data that can be attributed, directly or indirectly, to a natural person is subject to the rules of the GDPR. That covers anything from logging and storage to transfer and deletion, and everything in between. Most of the GDPR's concepts and principles are the same as under the Data Protection Directive. But the GDPR also added new obligations: requirements and liabilities for the data processor, a significantly expanded information obligation towards the data subject, impact assessments for certain processing, incident management and reporting, privacy by design, a data protection officer in certain cases and, the most discussed change, sanctions and considerable fines for breaches of the GDPR requirements.
A large part of being GDPR compliant is about documenting and analyzing your processing of personal data. You will need to consider and take actions based on the following questions:
- Do you know exactly what personal data is processed, for whom, for what purpose, by means of which suppliers, to whom it is disclosed and how long it is kept?
- Have you really analyzed all systems where you process personal data?
- Do you have documented procedures and processes in place to ensure the proper handling of personal data?
- Do you have contracts in place with data processors (e.g. suppliers)?
- Do you meet the requirements of information obligation to those whose personal data you process?
- Have you performed and documented data protection impact assessments for your products and services?
EdmarLaw has extensive experience in personal data management and specializes in this area. We can assist you in fulfilling the requirements of the GDPR. Contact us here.
Requirements to provide information
The GDPR places significantly higher requirements on the information provided to the data subject than previously. The information shall be provided in connection with the collection of the personal data. It shall be easily accessible and written in clear and plain language. The most practical way is to provide the information in a data protection policy on the web page.
The data subject shall be informed of:
- the identity and contact details of the controller;
- the purpose of the processing;
- the legal basis for the processing;
- what personal data is collected;
- who will have access to the personal data (subcontractors, partners, etc.);
- how long the data will be saved; and
- whether the personal data is processed in third countries (i.e. countries outside the EU).
The data subject shall also be informed of its rights granted in the GDPR. Among other things, the data subject has the right to access, change and delete its personal data. The data subject also has the right to request limitation of certain processing, the right to move its data to another provider (data portability), and the right to withdraw any consent at any time.
As a data subject, you have the right to know whether personal data relating to you is being processed and, if so, a right to access that personal data. The response should contain information on the data collected, what the purpose is, who has accessed the information, how long it will be retained and the data subject's rights under the GDPR. The information must be compiled and submitted to the data subject within 30 days of the request.
EdmarLaw can draft your organization’s data protection policy in compliance with the requirements of the GDPR, or review your existing data protection policy, as well as assist you when you receive a request for a statement of your data records.
Privacy by design (built-in data protection) and privacy by default have previously been encouraged as good industry practice, so-called best practice. By GDPR, this has become a legal requirement. Privacy by design means taking into account the data protection rules already when designing IT systems and processes. It is a way of ensuring that the GDPR requirements are met and that the data subject’s rights are protected. The requirement for data protection by default means in short that the person processing personal data should ensure that personal data is not processed unnecessarily. For example, it may be that the default settings in a service are set so that no more information than necessary is collected, distributed, or displayed.
Data protection shall govern the entire life cycle of a system or service, from requests for proposal (RFP), feasibility studies, development, use and maintenance. It is therefore crucial to take the data protection aspects into account before time and money are invested in a new IT system or service.
Privacy by design not only provides an opportunity to ensure that the IT system or service meets the GDPR requirements, but it is also an opportunity to implement other legally strategic aspects of the development work. Built-in data protection can also simplify and minimize the manual efforts to be GDPR compliant. For example, a well-built solution with privacy by design focus can automate the requirements for data records and statements and thus enable transparency for the data subject.
EdmarLaw provides training in privacy by design aspects and can also help review your privacy by design when developing new IT systems and services.
Personal data must be deleted or anonymized when it is no longer needed for the purpose for which it was originally collected. Already in connection with the collection of personal data, information must be provided on e.g. the categories of data collected, for what purposes they are processed and how long the data is stored. This information must also be documented in an internal register of personal data processing to be updated on an ongoing basis.
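The three duties described above (the internal register of processing, privacy by default, and deletion or anonymization once the purpose no longer applies) and the access request compilation described earlier can be driven from one source of truth. The following is an added example, not code from EdmarLaw or from any product the page describes: a minimal register of processing activities in Python, a collection function that keeps only the fields registered for a purpose, a retention job that deletes or anonymizes expired records, and the compilation returned to a data subject who asks what is held about them. The purposes, recipients, legal bases and retention periods are constructed assumptions and not guidance for any real processing.

```python
"""Added example: a register of personal data processing used as the single
source of truth for privacy-by-default collection, retention enforcement
and data subject access requests. All entries below are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessingActivity:
    """One row of the internal register of processing activities."""
    purpose: str
    legal_basis: str
    categories: Tuple[str, ...]   # personal data fields collected for this purpose
    recipients: Tuple[str, ...]   # data processors / others the data is disclosed to
    retention_days: int
    on_expiry: str                # "delete" or "anonymize"


# Constructed register; a real one comes from the organization's own analysis.
REGISTER: Dict[str, ProcessingActivity] = {
    "order_fulfilment": ProcessingActivity(
        purpose="order_fulfilment", legal_basis="performance of a contract",
        categories=("name", "email", "address", "order_id", "amount"),
        recipients=("Example Logistics AB (data processor, EU)",),
        retention_days=365, on_expiry="anonymize"),   # keep statistics, drop who
    "newsletter": ProcessingActivity(
        purpose="newsletter", legal_basis="consent",
        categories=("email",), recipients=(),
        retention_days=730, on_expiry="delete"),
}

# Fields that identify a person directly; removed when a record is anonymized.
DIRECT_IDENTIFIERS = {"name", "email", "address", "phone"}
ANONYMIZED = "anonymized"


@dataclass
class Record:
    subject_id: str          # internal reference to the data subject
    purpose: str             # must be a key of REGISTER
    collected: date
    data: Dict[str, object]


def collect(subject_id: str, purpose: str, submitted: Dict[str, object],
            collected: date) -> Record:
    """Privacy by default: refuse purposes that are not in the register and
    keep only the fields registered for the purpose, whatever the form sent."""
    if purpose not in REGISTER:
        raise ValueError(f"no registered processing for purpose {purpose!r}")
    allowed = REGISTER[purpose].categories
    kept = {k: v for k, v in submitted.items() if k in allowed}
    return Record(subject_id=subject_id, purpose=purpose, collected=collected, data=kept)


def retention_expiry(record: Record) -> date:
    """Date from which the record may no longer be kept in identifiable form."""
    return record.collected + timedelta(days=REGISTER[record.purpose].retention_days)


def enforce_retention(records: List[Record], today: date) -> Tuple[List[Record], List[str]]:
    """Apply the register's retention rule to every record. Returns the records
    that may still be kept and one log line per deletion or anonymization."""
    retained: List[Record] = []
    log: List[str] = []
    for r in records:
        if r.subject_id == ANONYMIZED or today < retention_expiry(r):
            retained.append(r)      # anonymized data is no longer personal data
            continue
        if REGISTER[r.purpose].on_expiry == "delete":
            log.append(f"{today}: deleted {r.purpose} record of subject {r.subject_id}")
            continue
        # Anonymize: strip direct identifiers and the link to the subject.
        anon = {k: v for k, v in r.data.items() if k not in DIRECT_IDENTIFIERS}
        retained.append(Record(ANONYMIZED, r.purpose, r.collected, anon))
        log.append(f"{today}: anonymized {r.purpose} record of subject {r.subject_id}")
    return retained, log


def access_request(records: List[Record], subject_id: str) -> List[Dict[str, object]]:
    """Compilation for a data subject access request: per purpose, the data held,
    the legal basis, who it is disclosed to and until when it will be kept."""
    out: List[Dict[str, object]] = []
    for r in records:
        if r.subject_id != subject_id:
            continue
        a = REGISTER[r.purpose]
        out.append({"purpose": a.purpose, "legal_basis": a.legal_basis,
                    "data": dict(r.data), "recipients": list(a.recipients),
                    "retained_until": retention_expiry(r).isoformat()})
    return out


if __name__ == "__main__":
    # Constructed sample records for one data subject.
    records = [
        collect("s-1", "order_fulfilment",
                {"name": "Anna Example", "email": "anna@example.com", "address": "Testgatan 1",
                 "order_id": "A-100", "amount": 499, "phone": "070-0000000"}, date(2023, 1, 1)),
        collect("s-1", "newsletter", {"email": "anna@example.com"}, date(2023, 6, 1)),
    ]
    print(access_request(records, "s-1"))
    records, log = enforce_retention(records, date(2024, 3, 1))
    print("\n".join(log))
    print(access_request(records, "s-1"))
```

The point of the design is that the register is the only place where purposes, retention periods and recipients are written down: collection cannot accept a field the register does not list, the retention job cannot forget a purpose because it iterates over the same table, and the access request answer is produced from the same rows, so the information given to the data subject is always the information the organization actually acts on. The log lines from the retention job double as documentation that the deletion procedure was run.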
Processes for deleting personal data place high demands on both IT systems and staff. EdmarLaw assists in the establishment of such processes and often reviews IT systems and services to ensure that they meet the legal requirements.
The GDPR places high demands on an organization's readiness to deal with incidents related to personal data management. A personal data breach must be reported to the Swedish Data Protection Authority within 72 hours unless the incident is unlikely to result in any risk to individuals' rights and freedoms. What is a personal data breach? It is not only the loss of personal data through unlawful hacking that must be reported. According to the GDPR, any incident leading to accidental destruction or loss of personal data must be reported, unless the incident is unlikely to pose risks. A corporate computer left behind or a stolen bag may therefore need to be reported to the Swedish Data Protection Authority within 72 hours. Depending on the extent and sensitivity of the data, the individuals affected by the incident shall also be informed. This places high demands on IT systems and procedures for incident management, and it requires awareness among employees.
EdmarLaw assists in creating a process for incident management and training staff.
As a data controller, an organization is responsible not only for its own processing of personal data, but also for the processing carried out by suppliers, so-called data processors. The choice of supplier must therefore also be made on the basis of GDPR criteria. We at EdmarLaw usually talk about a three-step model to ensure that data processors maintain a high level of data protection.
1. Due diligence from a data protection perspective
First, potential data processors should be subject to due diligence. It is easy to forget to weigh in data protection aspects in the procurement of IT systems and services. But with GDPR, it can cost you dearly. Before personal data is shared with a data processor, it is important to, among other things, find out where the personal data will be stored, who will have access to the personal data and whether the supplier uses subcontractors. By conducting a due diligence, the data controller can make an informed decision when selecting a supplier.
2. Data Processing Agreement
With a data processing agreement, the parties ensure that the personal data shared is handled according to the GDPR. There are extensive requirements on what a data processing agreement must include. EdmarLaw can assist in reviewing existing data processing agreements or draft new ones. We ensure that your data processing agreement both complies with the GDPR requirements and is tailored for your specific business cooperation.
3. Follow-up
The data controller should also monitor that the data processor actually processes the personal data in accordance with the instructions in the data processing agreement. This can be done through an on-site visit to the data processor, through reports from the data processor or by continuous supervision.
There are many requirements on a data controller that lets a data processor access personal data on its behalf. A data processing agreement with your suppliers is not enough on its own to be compliant. Data subjects must also be informed, for example in the data protection policy, that their personal data is shared with data processors and who these are. Information on data processors must also be documented in the data controller's own register of its data processing. EdmarLaw can assist throughout the process, from due diligence of data processors to the establishment of contracts and follow-up.
Some types of organizations must appoint a data protection officer under the GDPR, but all organizations benefit from assigning responsibility for personal data matters to an individual (or group of individuals). Public bodies (e.g. public authorities), organizations whose core activities involve processing large amounts of personal data, and organizations handling larger amounts of sensitive personal data must all have a data protection officer appointed. The data protection officer can be an internal or external resource. The officer must have the necessary professional qualifications, as well as expertise in data protection legislation and practices, and must remain up to date in this area.
It is the responsibility of the board of directors and the management team to ensure that the data protection officer has the resources and opportunities to carry out the work objectively. The GDPR emphasizes the importance of the data protection officer's ability to work freely, without risking criticism in connection with checks and analyses of the personal data processing in the organization. Nevertheless, it can be difficult for an employee to raise objections that entail delays and costs for the organization. While an employee may have good insight into the organization's activities, they may shy away from coming up with unpopular objections. Therefore, it may be preferable to hire an external consultant as data protection officer.
The Data Protection Officer shall be involved in all matters relating to the protection of personal data, cooperate and consult with the supervisory authority, and inform and train employees in data protection.