One year into the GDPR: “The GDPR requires a continuous and systematic approach”

Greater responsibility, new documentation requirements and hefty administrative fines. These were some of the most important new provisions to be aware of when the GDPR came into force in May last year.
– GDPR efforts did not end on 25 May 2018. It’s extremely important for companies to have a systematic process for continuing efforts. Data protection is a continuous process and something companies need to work on regularly, says Mirja Ekdahl, a Gulliksson senior associate whose specializations include data protection and privacy matters.

The General Data Protection Regulation (GDPR) entered into force throughout the EU with the aim of creating a uniform and comparable level of protection for personal data.  

– Although many of the provisions of the GDPR are similar to the provisions previously stipulated in our Swedish Personal Data Act, it was made very clear to companies that they needed to review and in many cases improve their procedures, says Mirja Ekdahl, who, along with her colleagues at Gulliksson, helped clients make adjustments to ensure their business was ready for and compliant with the legislation.  

– During the course of this work, we also saw an increase in awareness for how important it is to protect and respect personal privacy, Mirja Ekdahl explains as she highlights the recurring questions she asked when advising clients:  

What personal data does the company process? Does the company process sensitive personal data? How does the company process this data? Does the company process the data based on consent, performance of a contract, a legitimate interest or another legal basis? Does the company provide sufficient information when collecting the data? Does the company have an adequate level of protection for the data?

– In addition to taking a holistic approach to the company’s processing of personal data, specific questions came up about details like whether it’s OK to send payslips and other sensitive information by email, says Karin Strandberg, a Gulliksson partner whose specializations include labour law.  

GDPR compliance is a must – procedures and follow-up are required
The Swedish Data Protection Authority can order companies in breach of the provisions of the GDPR to pay an administrative fine. The maximum amount of this fine is EUR 20 million or four percent of the company’s total worldwide annual turnover, whichever is higher. The maximum amount for less severe breaches is EUR 10 million or two percent of the company’s total worldwide annual turnover.  

– Being hit with an administrative fine has an impact that goes beyond the money – it creates badwill for the company. Although the Swedish Data Protection Authority has not yet ordered any administrative fines at this time, the GDPR is here to stay and compliance is a must,  says Mirja Ekdahl.  

Gulliksson provides ongoing support and advice
In addition to reviewing your processing of personal data and your data protection, Gulliksson can ensure that you are fully compliant and draft procedures and compliance documents. Feel free to contact Gulliksson for a no-obligation meeting to discuss your company’s continuing GDPR efforts and specific needs.

Mirja Ekdahl, Senior Associate, Malmö
+46 (0)70-513 13 70

Karin Strandberg, Partner, Malmö
+46 (0)70-819 06 52

Magnus Friberg, Partner, Lund
+46 (0)73-519 59 49

Ulrika Nordenvik, Senior Associate, Lund
+46 (0)70-203 61 00

The GDPR – some of the most important changes that entered into force in May 2018:

  • Greater responsibility for both controllers and processors
  • New documentation requirement for the processing of personal data: You must be able to demonstrate that you process personal data correctly
  • Stronger position for data subjects, including:
    – Stricter requirements to inform data subjects of which of their data is processed
    – Clearer rights for data subjects “to be forgotten” (i.e. the right to have their personal data erased)
    – The right to transfer their stored data to another company – data portability
    – Stricter consent requirements
  • New data security requirements – with data protection by design and by default. In certain cases, the regulation requires that a data protection impact assessment be performed and that a data protection officer be appointed. The Swedish Data Protection Authority must be notified of personal data breaches (within 72 hours) in certain cases.