There are 13 points all companies that handle personal data should think about with the change in the law (GDPR, General Data Protection Regulation) which came into force on 25 May 2018.
The General Data Protection Regulation will replace the law we have today, PUL Personal Data Act, there will also be some major changes and completely new provisions.
The responsibilities and obligations of the person responsible for personal data or the personal data assistant will be expanded and the rights of the registered person will be strengthened.
1. Is everyone involved in your organization aware of the new data protection regulation?
Decision makers and other relevant personnel within your organization should be aware that the General Data Protection Regulatiom will replace the current Personal Data Act. You need to find out exactly how your organization will be affected and which areas you need to work more with.
2. What personal data do you handle?
Documentation needs to be made about what information you handle, in what way it is collected and if you disclose this information to a third party. If at any time you have disclosed incorrect information to a third party, the third party must be informed so that their register can also be corrected. Documentation of these parts, together with much else, shows that you comply with the provisions of the regulation.
3. Do you use abuse rule today?
The abuse rule means that the exception of the Personal Data Act has been used to process personal data in unstructured material, e.g. running text. It has been considered allowed if it does not constitute a violation of the data subject’s privacy. This rule will disappear when the regulation enters into force.
It is important that those of you who have used this rule before examine how you can process the data in order to comply with the provisions of the Regulation. Do you have a legal basis for the treatment? And do you inform the registered person correctly?
4. What changes do you need to make to the information you provide to the registered person?
When you collect information, you already have an obligation to inform about your identity and what you will use the information for. The new regulation contains extended requirements for what information is provided to the registered person:
- Legal basis for treatment
- How long the data will be stored
- That you have the opportunity to file a complaint if you think that the information has been processed incorrectly, this is done to the supervisory authority (Datainspektionen)
It is important that the information is concise and easy to understand.
5. How should you comply with the rights of the registered person?
Review procedures for how you can fulfill the rights of registered persons that are strengthened in the new regulation. It will largely be the same rights as today but with a reinforcement, e.g. how you delete personal data and how you disclose data upon request. The most important rights for the registered persons are:
- Get access to their personal information
- Get incorrect information corrected
- Get their information deleted
- Be able to object to the information being used for direct marketing
- Be able to object to the data being used for automated decision-making and profiling
- Have the ability to move the data (data portability)
As a company, you must be able to provide information to the registered person about what information you process, this must be done free of charge.
A novelty in the regulation is the right to data portability, the intention is that it should ease the transfer of personal data from one organization to another, in the event of a change of supplier or the like. For you as a company, this means that you must be able to provide the information in a commonly used and machine-readable format. Something that is very important when it comes to data portability is to ensure that the request comes from the registered person, therefore investigate what type of solution you may need to ensure it.
6. With what legal support do you process personal data?
Find out what different types of information you process and what legal support you do this with, document your conclusions. It is not uncommon for there to be several different alternatives for why personal data is processed, with the new regulation a requirement that this information be given to the data subject at the time of collection. The legal bases for the processing of personal data are largely unchanged.
7. How do you obtain consent?
How does the consent process work when collecting personal data and where is the information stored? It is an important part of the new regulation.
Consents may not be approved e.g. with a pre-checked box, the registered person must check it himself when collecting the information. The Data Protection Regulation requires that a consent must be presented at a possible inspection.
8. Do you process personal data about children?
If your organization processes personal data concerning children under the age of 16, the consent of a guardian is required. Keep in mind that you must also be able to show the guardian’s consent when requesting. According to the new regulation, children deserve special protection, so all information aimed at children must be written in a way that children understand.
9. What should you do in the event of personal data incidents?
The regulation contains new provisions on what you need to do when detecting data breaches and data loss. Review procedures for how the intrusion is detected, reported and investigated.
Infringements where it can be suspected that the registered person’s rights and freedoms are affected must be reported to the supervisory authority within 72 hours. If the incident may lead to the data subject being affected by an identity theft, discrimination, fraud or the like, the registered person must also be informed so that he or she can take the necessary measures.
Please note that the time for making a report is very short, review who is responsible for making a report in your organization so that it can be made within the set time.
10. What are the specific privacy risks associated with your treatment?
Think about whether your processing of personal data is associated with risks to the registered person’s freedoms and rights. If this is the case, you may need to make an impact assessment regarding data protection. If a risky personal data processing is performed, an analysis must be made of what consequences the processing may have for the registered person. Examples of risky processing can be registers of sensitive personal data or camera surveillance in a public place. If the risk is high, you must consult with the supervisory authority before starting treatment.
Please note that in the event of risky processing, you must appoint a data protection officer.
11. Have you built personal data protection into your IT systems?
When you change existing systems or develop completely new systems, you should take the Data Protection Regulation into account. By taking into account principles such as not collecting more information than necessary, not storing information longer than necessary and using only the information collected for the original purpose, you can more easily follow the rules from the beginning and prevent unnecessary future costs. The incorporation of security in IT systems is called Privacy by design and is explicitly regulated in the regulation. What measures are needed depends entirely on the type of information you as an organization process and for what purpose and what risk it may entail for the data subject in terms of freedoms and rights. An example of a measure could be data minimization, which means processing only the data that is necessary for the purpose.
12. Who is responsible for data protection issues in your organization?
Locate where in your organization the responsibility lies for data protection issues. If necessary, according to the regulation, you also need to appoint a data protection officer. This applies, for example, to public authorities and organizations that carry out risky treatment. The person appointed must be informed about data protection and the measures and requirements that the regulation entails. The person must also be empowered to carry out his or her assignment in an independent and efficient manner.
At the Data Inspectorate, you can read more about the role of the Data Protection Officer (current personal data representative). There are also educations to participate in.
13. Do you have operations in several countries?
If your organization conducts business in other EU countries, you should find out which supervisory authority in each country is responsible for the supervision of personal data you process. A main rule in the regulation is that an organization only needs to answer to the data protection authority in one of the EU member states. It is therefore important for the organizations that operate in several countries to find out which data protection authority is responsible for the specific data that you process. Simplified, this is determined with the help of where your central business is located or where decisions about personal data are made. In organizations where decisions are made at the head office, this does not normally create any major problems. This can create some problems in organizations with scattered areas of responsibility where decisions about personal data are made in different places. It is therefore important to map out where in your organization the most important decisions regarding personal data processing are made.