The rights of individuals - and your obligations - when the new General Data Protection Regulation comes into force
The new General Data Protection Regulation, GDPR, sets completely new requirements for how we handle personal data. It means that all personal data handled by businesses must be treated with great care for the individual's privacy, which is a big change for all businesses - regardless of size. So what are the real rights of the person whose personal data you and your business handle - and what are your obligations? Here we take a closer look at what the Regulation says, and give concrete examples of what is required to comply with it.
New General Data Protection Regulation focuses on individual rights
Individuals whose personal data is recorded and processed will have extended, strengthened and more clearly specified rights under the new General Data Protection Regulation, GDPR, compared with the old Personal Data Act, PUL. "Processing" of personal data means any kind of use of that data. The rights of individuals are as follows:
- Right to information - The person whose personal data is recorded has the right, on request, to obtain an extract of this data and information on when his or her personal data is processed.
- Right to rectification - The right to have inaccurate information corrected and/or completed.
- Right to erasure ("right to be forgotten") - The data shall be erased at the request of the data subject.
- Right to restriction of processing - The possibility to require (in certain cases) that the processing of personal data be restricted, i.e. that it be processed only for certain limited purposes.
- Data portability - The right (in certain cases) to have personal data transferred, for example from one social media service to another.
- Right to object - The right to object (in certain cases) to the processing of one's personal data.
- Automated decision-making - The right not to be subject to a decision based solely on some form of automated decision-making, if the decision may have legal consequences (or equivalent).
- Complaints - Anyone whose personal data is being processed can submit a complaint to the Swedish Data Protection Authority, which will then decide whether to initiate supervision.
- Damages - A person who has suffered damage because his or her personal data has been processed in breach of the Data Protection Directive may be entitled to damages.
Complying with the new GDPR requires clear mapping of personal data
As a first step, you and your company need a clear understanding of how personal data is currently processed; without it, you cannot comply with any of these obligations. For example, if you do not know where personal data is being processed, or what that data is, you cannot delete or change it on request.
Data mapping should cover what data exists, which systems it is entered into and which third parties, if any, it is shared with. In addition, every process involved in handling the data must be mapped - all the way from the collection of the data to the point where the customer is no longer your customer.
How searchable is your personal data?
The main (and often first) problem that many people encounter at this stage is the difficulty of searching for and identifying the personal data that is recorded. This may be because the documents and files containing personal data are stored in a way that cannot be searched - on USB sticks, locally on someone's desktop, on external hard drives and so on. Or the systems in which the data is stored do not provide adequate search capabilities. Systems should be built so that they meet the requirements of the GDPR from the outset - what is known as privacy by design.
New GDPR - not a Y2K bug
Once personal data has been identified, the difficulty usually lies in designing procedures and processes for the cases where a data subject objects to the use of his or her personal data, wishes to be forgotten, asks for an extract, and so on. In other words, the problem is how to implement the rights in practice.
Figuring out how to implement the processes is just the beginning. Companies differ greatly in how far they have come in preparing for the GDPR. This, in turn, often depends on whether or not the implications of the GDPR's introduction are taken seriously. Some people still believe that this is some kind of "millennium bug" - a doomsday prophecy that will never play out. The truth, however, is that the GDPR will mean a bigger shift than most people anticipate. The EU has required member states to change their legislation, which means that around 100 Swedish laws will have to be rewritten to align with the Data Protection Directive.
Getting outside help
Mapping and implementation are not straightforward, and very few companies have experts on staff with in-depth knowledge of the new GDPR who can ensure that no part of the work is overlooked. Training is therefore a good place to start in order to get an overview of what is required to comply with the GDPR.
The next step could be to review the current situation comprehensively with an external party, in order to find out concretely what needs to be done - in a workshop, for example. Such a workshop should result in a report or checklist that clearly shows which elements already work in accordance with the GDPR and what remains to be done to fully comply with the Regulation. It should also set out the order in which the remaining elements should be put in place and suggest what solutions are available.
Many vendors who claim to offer help with the GDPR fall short of offering concrete solutions. Instead, their help often amounts to getting you and your colleagues to understand the scope of the work. Therefore, if you do bring in outside help, make sure the solutions are practical and not just advisory. For example, find out whether your supplier can offer technical solutions that integrate with the IT platform you already use. Make sure the solutions are clearly packaged and scalable - don't pay for more than you actually need. Also make sure your supplier can clearly demonstrate what the expected outcome of a collaboration will be.