GDPR is about how companies and organizations may collect, store and manage data about private persons in a safe way.
GDPR in brief: do not collect more personal data than necessary, and only for a specific, predetermined purpose. Do not keep the data longer than necessary. Make sure you have a legal basis for collecting the information.
GDPR replaced the Personal Data Act on 25 May 2018. The purpose of the GDPR is to harmonize the protection of natural persons' personal data so that the same rights and obligations apply throughout the EU. The EU wants to create confidence in data protection in the internal market, which in turn enables the development of the digital economy.
The new regulation places great demands on anyone who processes and records personal data. It is therefore important that companies, organizations and their data controllers keep good track of their data protection. The 10 largest changes in the GDPR compared to the previous Personal Data Act are as follows:
1. Individual rights have been reinforced on a number of points. For example:
- Consent: Consent must be clear, easy to find and written in easily understood language. A pre-ticked box does not count as consent.
- Information: The controller must be able to show that consent exists and must inform the data subject of the right to withdraw consent.
- Right to be forgotten: If there is no legitimate reason to keep personal data, the data subject must be able to request deletion.
- Right to data portability: A data subject has the right to receive their personal data on an IT medium and to move it from one controller to another (where technically possible).
2. The protection of children is expanded
Some registration of children aged 16 and under will require the consent of a guardian. This will be relevant, for example, when registering on social media and buying apps.
3. The abuse rule no longer exists
The Personal Data Act did not cover unstructured processing of personal data, for example in running text, which meant that so-called everyday processing of unstructured material was exempt as long as it did not violate the privacy of the person whose personal data was processed. That rule was called the abuse rule. GDPR makes no exception for unstructured material, so processing of personal data in running text is also covered, for example simple Word documents stored on your own hard disk, or e-mail messages.
4. Data Protection Officer
Authorities, public bodies and organizations whose core business is particularly sensitive from a privacy standpoint (e.g. those that carry out profiling or process sensitive personal data on a large scale) must appoint a so-called Data Protection Officer. The Data Protection Officer shall:
- Be appointed based on professional qualifications and have expert knowledge of data protection.
- Be tasked with informing about data protection issues within the organization.
- Be involved in all issues relating to the protection of personal data.
- Be consulted when carrying out data protection analyses and IT procurements.
- Continuously review the processing of personal data.
- Report directly to senior management.
- Be given sufficient resources to perform their duties.
- Not be penalized for performing their tasks.
- Be independent and not receive instructions on how the work should be done or what should be done.
- Act as the contact person for data subjects and for the supervisory authority, which in Sweden is the Data Inspectorate.
5. Obligation to demonstrate compliance (accountability)
GDPR places greater demands on the controller to show and prove that it complies with the new data protection regulation. It requires the controller to take control of its processing of personal data by mapping it and analysing the current situation (to be presented on request), as well as carrying out a legal evaluation, a gap analysis and action plans. In addition, a data protection policy and strategy document should be drawn up and implemented in the organization.
6. One regulator
Companies need only turn to one (1) supervisory authority within the EU, instead of to all relevant regulators as today. Supervisory authorities shall then cooperate with each other on their own initiative if necessary. A data subject can always contact the supervisory authority in their home country.
7. The sanction fees
The GDPR stipulates that sanctions may be imposed of up to EUR 20 million or 4% of total global annual turnover. The rule exists so that data protection is put on the agenda in every management group and board.
8. The data processor becomes a supervisory object, and there are high demands on processor agreements
The controller may only use processors that meet the requirements of the new regulation. In addition, processors are affected in the following ways:
- The processor becomes jointly and severally liable with the controller.
- The processor must keep a record of the processing it performs on behalf of a controller.
- The processor has an obligation to inform the controller of any sub-processors and must have the customer's approval if it wishes to change them.
- The processor may be subject to penalty fees and injunctions from the Data Inspectorate.
- The processor must ensure that its systems meet the requirements for Privacy by design and Privacy by default.
Both controllers and processors must review their processor agreements. GDPR places much higher demands on them than previous legislation, and since the consequences of errors become so much larger, it is important to regulate the contractual issues as well, for example dispute resolution, right of recourse and termination.
9. Privacy by design and Privacy by default
Two phrases that appear in connection with GDPR are Privacy by design and Privacy by default.
- Privacy by design, or built-in data protection, means that IT systems and routines are designed with data security in mind, for example through encryption. In other words, security needs to be considered from the start.
- Privacy by default, or data protection by default, means that the starting point is to collect no more information about customers than necessary.
10. Obligation to report personal data incidents
The new regulation stipulates that the controller is responsible for documenting all personal data incidents and, unless it is unlikely that the incident entails a risk to the data subjects' rights and freedoms, also for reporting them to the Data Inspectorate.
Tips for meeting GDPR:
- Set aside time and a budget for data protection issues.
- Inform and educate within the organization.
- Map all data processing and data flows.
- Make a legal evaluation.
- Make sure you have governing documents and established routines.
- Have action plans.
- Fix problems immediately when they arise.
- Maintain and update routines and action plans as needed.
- Make sure you have good documentation.
- Ensure that all information texts and processor agreements are up to date.
You should provide the persons in your register with the following information:
1. The controller (your company), including contact information.
2. Contact information for the Data Protection Officer, if your company has designated one.
3. The purposes of the processing of the personal data.
4. The legal basis for the processing.
5. The categories of personal data that the processing concerns, e.g. address information.
6. The recipients or categories of recipients who will receive the personal data, if you provide the personal data to someone else.
7. If you intend to transfer the information to someone outside the EU, what safeguards there are and how to obtain a copy of them or where to find them.
8. The period for which the personal data will be stored, or the criteria used to determine when it is deleted.
9. The right to request access to, rectification and deletion of personal data, restriction of processing, objection to processing and data portability.
10. That there is a right to withdraw consent to the processing of personal data and sensitive personal data.
11. The right to complain to the Data Inspectorate, which is the supervisory authority.
12. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of not providing it.
13. The existence of automated decision-making, including profiling, that has legal effects or significantly affects the data subject or is based on sensitive personal data; in at least those cases, meaningful information about the logic involved and the significance and consequences of such processing for the data subject should be provided.
In addition, you should provide information if your company will process the personal data for any purpose other than that for which it was collected. In that case your company should provide information about the new purpose together with items 8-13 above. But if the data subject already has the information, your company does not need to provide it again, either when you collect the data or when changing the purpose.
Principles for processing personal data
Chapter II, Article 5 d) of the General Data Protection Regulation, which deals with principles, contains the following requirement concerning the personal data processed: they shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy).
Roaring helps you keep your records up to date:
Roaring Apps helps companies, organizations and authorities to collect accurate information and then keep it up to date, in line with the GDPR requirement that personal data should be correct and current.
We help our customers apply for permission to update personal data from the authorities' registers in Sweden (SPAR) and Norway (DSF).