A GDPR Primer for Swedish Firms

The European General Data Protection Regulation (GDPR) is a EU regulation for the protection of personal data and free movement of such data.  When adopted in May 2018, it will have the force of law across all 27 EU states, giving uniformity of data protection laws across all member states and significantly increasing penalties for non-compliance.

The GDPR requires a very systematic and comprehensive management of IT security and marketing and sales efforts, along with new processes for data protection management.

It will likely affect every department in your company.  There is a short preparation time left, and a wide area of coverage to manage.  In fact, IT analyst firm Gartner predicts that by the end of 2018, over 50% of companies affected by the GDPR will not be in full compliance with its requirements.

Non-compliance is a huge business risk – not only for customer experience and loyalty, but because the fines are very steep.

This Primer will give you a quick summary of the law and its impact on your business.  Contact us with any questions – and learn about our approach and recommendation on our website and in this blog post.

Background:

The Data Protection Ordinance (GDPR) was adopted by the EU in April 2016 and will take effect on 25 May 2018.  GDPR applies as a law in all Member States, including Sweden. The current data protection directive will be replaced in its entirety by the new regulation – previous compliance is no longer enough.

For Swedish firms, the scope and definition of what is considered personal information expand under GDPR while regulation on how to process it, contracts, and the need to demonstrate accountability requires thorough documentation and reporting.

The intent of the law is to benefit citizens. It was introduced to ensure a uniform level of protection for individuals throughout the European Union and to allow for the free movement of personal data across member states.  Another aim is to streamline cooperation and equalize penalties between supervisory authorities in the different member states – a benefit for any company with cross-border customers or partners.

Your Corporate Responsibility:

Any company that uses or processes “personal data” (which has a very specific definition under the law) for any purpose – customer service, business analytics commerce or otherwise – is responsible for compliant processes and practices.  The law covers both automated and non-automated data use – whether or not the processing occurs within the EU. 

The Definition of Personal Data:

The law includes a broad definition of personal data.  Although the definition is not too far away from current Swedish requirements, the new regulations also define processes and consent practices that may be different than what you use today.

The law defines personal data as: “Any information pertaining to identified or identifiable natural person, wherein an identifiable physical person is a person that can be identified directly or indirectly with reference to an identifier such as a name, identification number, location or online identifier or one or more specific factors Physical, physiological, genetic, mental, economic, cultural or social identity of the physical person.”

Summary of GDPR Compliance Requirements

The law is straightforward in intent, but complex in compliance because data used throughout most organizations is often complex and decentralized.  The law covers all personal data of all audiences, including cross-border data.

There are three core areas of compliance:

  1. Data Collection & Protection:
    The law requires data protection management, reporting and accountability mechanisms, including a requirement to notify data breaches, map data flows and conduct data protection impact assessments.  Your organization may be  required to have a Data Protection Officer (DPO).  Personal consent – the authority given by a customer or data subject to use his/her data – must now be given by a clear affirmative act.

    People have new rights under the law, including the right to be forgotten, data portability and to be informed of risk (data breaches). It is also important to be ready to address any consumer or employee questions or concerns from a customer service, web and app interface, and multi-channel experience standpoint. The promotion around citizen data protections is high – and your communications and responsiveness will need to be legally responsible as well as brand consistent.

  2. Breach Notice:
    Organizations will be required to notify authorities and customers about data breaches in prescribed methods and timeframes. The requirement for mandatory privacy risk impact assessments likely means annual privacy risk assessments to analyze and minimize the risks to data subjects. A risk-based approach must be adopted before undertaking higher-risk data processing activities.

  3. Data Use:
    Beyond consent, data portability and data use expirations, there are new legal obligations for the “protection of interests” of the data subject (the citizen whose data you have). Companies are required to protect interests that are of fundamental importance to the registered person, particularly when legitimate interests or fundamental rights and freedoms weigh heavier and require protection, especially for children.

Your Supply Chain is Also Affected

Business data is often shared or processed between companies, particularly with software platforms that are hosted in the vendor cloud or even with standard solutions like payroll management systems.

Consider providing a compliance checklist to all your suppliers and work out any process changes well in advance of the May 2018 deadline.  Make sure that their level of security matches your own, and ensure that removal of data beyond the assigned retention periods is compliant.  All your suppliers will also have to be compliant in their own right – having their own DPO and data breach process, for example.  Pay particular attention to cross-border transfer mechanisms (for example, binding corporate rules/model clauses) and whether they are suitable under the new regulations.

Ongoing Management Requirements

In addition to privacy and compliance training for all employees – with regular updates – companies will also need a data breach management plan.  It is critical to create and maintain an internal framework for accountability for both compliance and risk mitigation.  We recommend that every company improve transparency by instituting central documentation for data processing activities.

Once confident in their compliant systems and procedures, organizations will be able to apply for an audit which can lead to the issuing of an EU Data Protection Seal, which will be a five-year certification of its processes. The GDPR will be regulated and enforced by national data protection authorities, including the Datainspektionen in Sweden.

Setting Compliance Priorities

This is a very wide reaching regulation.  If you have not already started, you are behind the curve.  With a short window remaining until the law takes effect in May 2018, setting priorities is an imperative.

As with current data protection law, the GDPR will be regulated and enforced by national data protection authorities – including the data protection authority in Sweden.

Last April, the Swedish  DPA, the Datainspektionen, published a checklist to help companies work towards compliance with the GDPR.  This may suggest that the Datainspektionen is ready to apply stringent oversight of the GDPR.   A press release from the Datainspektionen about their guidance and the checklist are available online (Swedish). 

Gartner suggests these five general priorities, but the right ones for your business may be different.  NEBU can help you identify th e best way to proceed.

Gartner’s five elements requiring primary attention (see Figure 1):

  1. Determine your role under the GDPR.

  2. Appoint your data protection officer.

  3. Demonstrate accountability in all processing activities.

  4. Check your cross-border data flows.

  5. Prepare for data subjects exercising their rights.

Are you ready for the GDPR? Nebu can help. Contact us for a free consultation, please contact us here.

Stephanie (SAM) Miller is a marketing automation, digital marketing and eCRM expert with a long history in enterprise technology professional services, also now applying this experience to the food tech sector. Fascinating parallels between the two industries – and a lot of crossover applications.

Legal disclaimer: The opinions and recommendations in this blog post should not be construed as legal advice.  Nebu recommends that entities subject to legislation seek legal counsel from qualified sources.

Hör gärna av dig till:
Liselott Alnestig
Telefon
070 633 66 35