Greater responsibility, new documentation requirement and hefty administrative fines. These are some of the most important new provisions to be aware of when the new data protection regulation comes into force in May next year. To ensure compliance in advance, Gulliksson can assist companies in reviewing their personal data processing and data protection and can also help implement any adjustments.
The new General Data Protection Regulation (GDPR) comes into force on 25 May 2018, which means the time has now come for companies to be proactive and ensure compliance with the new requirements well in advance. The Personal Data Act will no longer be in effect as of this date, and the regulation applies to all companies with operations in the EU, even those established outside the EU. In relation to the current legislation, not all personal data processing and data security issues will change, but the regulation will result in major changes in many areas.
Some of the most important new provisions:
- Greater responsibility for both personal data controllers and personal data processors.
- New documentation requirement for personal data processing: You must be able to demonstrate that you process personal data correctly.
- Stronger position for data subjects with stricter requirements to inform data subjects of what data are being processed; clearer rights for data subjects “to be forgotten” (i.e. the right to have their personal data deleted); the right to transfer their registered data to another company – data portability; and stricter consent requirements.
- The “misuse rule” (Swedish: missbruksregeln) will be removed, which means that personal data in “unstructured materials” such as running text are included.
- New data security requirements – with built-in data protection as standard. In certain cases, the regulation will require that a data protection impact assessment be performed and a data protection officer be appointed. The Swedish Data Protection Authority must be notified of data breaches within 72 hours in certain cases.
Hefty administrative fines will also be implemented. In the event that a company fails to comply with the new rules, administrative fines of up to EUR 20 million or 4 percent of annual sales may be imposed on the company. This would naturally result in badwill for the company as well.
Gulliksson’s team consists of lawyers Magnus Friberg, Mirja Ekdahl and Ulrika Nordenvik who can answer all the conceivable questions you may have about the new regulation. What personal data are processed and how? Is the company processing the data based on consent, a contract or another basis, and is the basis adequate for this data processing? Does the company process sensitive personal data or data involving children? Is sufficient information provided when collecting personal data? Do any agreements with personal data processors who have been hired to process data need reviewing? Does the company have adequate data protection?
“There are many questions and they can vary depending on the type of industry and company, and the purpose of the regulation is to strengthen the rights of individuals,” says Magnus Friberg, who concludes that the harmonisation of the rules will also result in simplification for companies in areas such as cross-border register management between member states.
“This is intended to promote business opportunities in the Digital Single Market. Also, clearer rules and stronger protection for individuals are considered to add value for the company by virtue of the data subjects being informed and feeling secure with the company’s processing of their data – a confidence-building measure. If you are currently compliant with the Personal Data Act, you will be in a good position when the regulation is implemented. Nevertheless, we highly recommend that your company’s personal data processing procedures be reviewed and analysed.”
How will the GDPR affect your company?
Gulliksson can help you review your personal data processing and data protection, implement any adjustments required for compliance with the new rules, and prepare procedures and compliance documents.
Feel free to contact Gulliksson for a no-obligation meeting to discuss your company’s needs and recommendations for a plan of action.
Mirja Ekdahl, Lawyer
070-513 13 70
mirja.ekdahl@gulliksson.se
Magnus Friberg, Partner
073-519 59 49
magnus.friberg@gulliksson.se
Ulrika Nordenvik, Lawyer
070-203 61 00
ulrika.nordenvik@gulliksson.se