In the Borderland between Technology and Law.
All companies, knowingly or not, process a variety of personal data in their daily activities. Such processing may include customer records, employment contracts, email correspondence and other contacts with people inside and outside the business. Gulliksson has extensive experience with all aspects of data protection issues and continues to assist clients in this field.
In May 2018, Sweden and the rest of the EU will get new common legislation governing how companies and others may process personal data, as the General Data Protection Regulation (aka “the GDPR”) becomes applicable. The GDPR replaces the current EU directive and its implementations in the Member States’ laws. Although much of the GDPR will be familiar from the existing rules, it brings substantial changes and still requires companies to make significant adaptations, and time is running out.
Some of the most important new provisions:
- Greater responsibility for both personal data controllers and personal data processors.
- New documentation requirements for personal data processing: You must be able to demonstrate that you process personal data correctly.
- Stronger protection for data subjects: stricter requirements to inform data subjects of what data are being processed; clearer rights for data subjects to request extracts showing how their data has been processed; a right “to be forgotten” (i.e. the right to have their personal data deleted); the right to have their registered data transferred to another company (data portability); and stricter consent requirements.
- The “misuse rule” (Swedish: missbruksregeln) will be removed, which means that personal data in “unstructured materials” such as running text are also covered. This brings e-mail correspondence into play.
- New data security requirements – with built-in data protection as standard. In certain cases, the regulation will require that a data protection impact assessment is performed and a data protection officer is appointed.
In certain cases, the Swedish Data Protection Authority must be notified of data breaches within 72 hours. Hefty administrative fines will also be introduced: if a company fails to comply with the new rules, administrative fines of up to EUR 20 million or 4 percent of annual sales may be imposed on the company. This would naturally result in badwill for the company as well.
Is your company ready for the new rules? Collecting, managing and storing personal data is subject to increasingly complex and global regulations. Our GDPR team has extensive national and international experience in this area and is used to dealing with issues in the borderland between technology and law.
Gulliksson can help you review and map out the extent of your personal data processing and data protection, implement any adjustments required for compliance with the new rules, prepare procedures and compliance documents, and provide ongoing advice on data protection issues.