On May 25, 2018, the GDPR began to apply, bringing a single set of data-protection rules into force across the entire EU. The conditions for handling personal data became more numerous, stricter and harder to keep track of. Here are the most important points.
The General Data Protection Regulation, or GDPR, replaces the 1995 Data Protection Directive (95/46/EC), which, through the Swedish Personal Data Act, governed the protection of personal data in Sweden until 2018. In short, privacy protection for individuals is now stronger and the requirements on organisations that process personal data are more extensive.
Depending upon your organisation and how it handles personal and customer information, GDPR can affect you in different ways.
– The company must, in a clear and transparent way, inform the individual why it is processing their personal information, what information is involved, and how it is handled.
– The individual has the right to obtain confirmation of what personal data is being stored about them and how it is being used (the right of access). Under certain conditions, for example when the data is no longer needed for the purpose it was collected for or when consent is withdrawn, they can also demand that their data be deleted (the right to erasure).
– If the company has no other legal basis for storing and processing the data, for example a contract with the individual such as an employment contract or supplier agreement, or a legal obligation, you must obtain the individual’s consent, and that consent must be freely given, specific and documented.
– If the company stores or processes data on the basis of “legitimate interests” rather than a legal obligation or a contract, you must be able to show the reasoning behind the need to keep the individual’s data and that this interest is not overridden by the individual’s rights.
– Companies are required to document how they store and process personal data and, on request, demonstrate how that data has been used and that proper procedures are being followed (the accountability principle).
– Data protection by design and by default is a standing requirement: privacy must be built into systems and processes from the start, and only the data needed for each purpose should be processed. Appropriate technical and organisational security measures are mandatory, and encryption of sensitive data is explicitly named as one such measure.
– The Data Protection Authority can issue fines of up to 20 million euros or up to four percent of a company’s total worldwide annual turnover, whichever is higher, if GDPR rules are not followed.
– Rules for passing on data to third parties are stricter and you must be able to ensure that all partners who access personal data also follow GDPR.
*Personal data is defined here as any information that can be used, directly or indirectly, to identify a living person. Examples include name, personal identity number, email address, physical address, online identifiers such as an IP address, photos, audio recordings, etc.
Where to start?
If you’ve read this far, you already understand why it is important to consider who can access this type of data. Make sure you know exactly who at your company is responsible for this data and who is able to access it. Inventory the personal data you hold today and where it lives. Keep only what is necessary, and establish routines for how the data is secured, for how long it is retained, and for how requests from individuals are handled, so that you can show compliance with the GDPR requirements.
Finally – do your homework when choosing who to work with. Use reliable and professional suppliers who can prove that they can keep both your personal data and your customers’ personal data safe and secure.