In May 2018, the new general data protection regulation (GDPR) will enter into force. This might make you worried about what to do and where to start, but don’t worry, Laurita Krisciunaite from Sällberg & Co has put together a checklist that you can follow to get an overview of the work you have in front of you. So let’s get started!
The GDPR largely resembles the current personal data act, but it will also bring some changes. Even though we have had the personal data act for a long time, the management of personal data has not been ideal. This becomes quite obvious when considering that the most commonly used paragraph is called “the abuse rule”. This means that most Swedish companies, authorities and organizations now face a major change in their management of personal data.
By now you should be reviewing what actions you need to take in your organization, in order to cost-effectively and efficiently adapt your business to the new general data protection regulation. The majority of the changes that have to take place should be done before the regulation is in play (and in some cases even before additional Swedish legislation is added). Some organizations will have a lot to do, others less. For this reason, we have created a checklist that you can follow to get an overview of the work you have before you.
1. Prepare and inform the organization
A thorough analysis of the current situation is an important success factor for each GDPR customization project. Personal data management rarely belongs to the core business of a company or organization, but as it is normally done in various parts of the organization, it is simplest if the project is led by the senior executive body. The reason for this is that they have an overview of the business and can easily determine what special needs you have, what resources are available and who will take the main responsibility for the remaining work. Next, you have to make sure to inform, and to different degrees educate, the co-workers in your company.
2. Take stock and document
The next step is to review what personal data you manage in your organization. Sensitive personal data requires you to be extra meticulous in your work. Examine any personal data that adds value or is critical to your business – and that you are entitled to retain – and delete everything else. You must ensure that you are fulfilling the requirements set up in the regulation for each set of information that you wish to keep and make sure that you have a clear purpose for why the data is kept.
3. Keep you customers informed
Once you have decided what personal data you want to keep, you should inform the physical persons whose information you have stored and inform them about:
- What rights they have
- How you manage their data
- Why the data is stored
- On what legal basis you are doing this
- How long the data will be stored
You must also inform the data subjects, whose personal information you received from someone else (for example, purchased customer lists) or if you start using information that you collected for another, prior purpose.
This may seem a bit overwhelming, but it is better to be on the safe side, since the penalty fees can reach up to 4 % of your annual turnover. If you start early, you will on addition be able keep good relations with your customers by showing them that you take responsibility for their personal information.
4. Review you collaborations
You need to review collaborations you have with other parties where you share personal data. Do you have subcontractors or do you act as a subcontractor? Make sure that you have data processing agreements in place that regulate your obligations and rights (and appropriately regulate the risks since, according to GDPR, you are jointly responsible for many incidents).
5. Set up processes for the future
The regulation places high demands on organizational and technical safety proceedings. You need to review your systems and what additional actions that will be needed to ensure compliance with the regulation. Be sure to educate your staff, create processes and internal policies on how to handle personal information within your organization, ranging from how to obtain consent to how to delete personal data.
Don’t be afraid, get ahead
Initially, the regulation may seem overwhelming, but do not be afraid of it. The most important thing is to get started early and to take action. Ultimately, it will be a battle for the customer’s trust, as much of the data management in the future will be done based on consent. By doing this job early, you can win big market shares and create much closer relationships with your customers.
Want to know more? Contact Sällberg & Co!
Sällberg & Co is an entrepreneurial business law firm. At the moment, we are focusing on helping companies, authorities and organizations to adapt their business to the new general data protection regulation. We offer courses, consulting services and a proprietary IT solution, we help you to write and review your agreements, perform GAP-analyzes and data protection impact assessments, and much more.
Together with the IT company OMMH Scandinavia and external investors, we have developed GDPR Hero. It is a cloud-based tool that will help both small and large companies, but also authorities to comply with the regulation. GDPR Hero helps you to keep records of your personal data management. You also get access to checklists, standard agreements, news coverage and much more.
Do not hesitate to contact us if you want to know more or are interested in our tool and services!
laurita.krisciunaite@sallbergco.se
Phone: +46 46 273 17 17
