GDPR - handling personal data
For the past 20 years, PUL, the Personal Data Act, has governed how companies handle personal data. On May 25, 2018, GDPR (the General Data Protection Regulation) came into force and began to regulate all processing of information that can be linked to a person. For companies, organizations and authorities this means a relatively big change.
What is the purpose of the new rules? Harmonization between the EU Member States is desired. The Data Protection Directive from 1995 formed a common basis, but each country has been able to implement and interpret that regulatory framework on its own. The law is now the same in all EU countries.
What does GDPR mean for companies?
The law exists to protect the individual citizen's rights. However, it is primarily those who handle personal data who will be affected by GDPR. In many ways, the new regulations can be seen as a strengthened and updated version of PUL. However, some elements mean that you, as a business owner, need to review your routines for documentation and data storage. It is of utmost importance to keep an eye on the systems that handle the company's data and collected information. It is the company, not an IT provider, that is responsible. All collected data calls for a risk assessment: why do you collect the data, and who will have access to it? The person responsible for personal data must be able to demonstrate that GDPR is followed. If your company handles personal data to a large extent, you may need to appoint a dedicated person responsible for personal data. Below are some of the most important components of the regulations:
● High demands are made on accountability and documentation
● Data minimization is required - you may not collect more information than necessary
● Personal data should be de-identified, so-called pseudonymization
● Personal data that has gone astray (a personal data breach) must be reported to the Data Inspectorate within 72 hours
● The information given to the registered person must be easy to understand
Penalties if you violate GDPR
PUL was often criticized for not leading to sufficiently powerful consequences for those who violated the rules. This cannot be said about GDPR. A company that processes personal data in breach of the rules can be penalized with an administrative fine of up to EUR 20 million (!) or 4% of the company's global turnover. It is important to note that the exemption that existed under PUL has now been removed entirely. This means that personal data in simple lists or in running text no longer counts as an exception. Who then judges compliance with the rules? There are two agencies that supervise whether Swedish companies, authorities and organizations follow the regulations:
● Data Inspection in Sweden
● A Central Data Protection Agency in the EU
Since GDPR is a new regulatory framework, there will certainly be some confusion at the beginning, and it may take a few years before practice settles. Clearly, however, all companies need to review their routines. It can be very expensive not to comply with the regulations. One of the most important first steps is to ensure that the requirements for documentation are met. Make sure never to collect more personal information than necessary, nor to keep that data for longer than necessary. If your company has followed PUL, you already have a good base to start from; be sure to keep up to date with what is happening at the Data Inspection if you have not already done so!
Read about how we work with GDPR here at Nilex and feel free to contact us if you have any questions!