GDPR
February 15, 2018
Time for new common legislation in the EU: GDPR, the General Data Protection Regulation. It comes into force on May 25, 2018 and replaces the Swedish PUL legislation. In one stroke, the conditions for handling all personal data change. The new regulations consist of two acts, the most central of which is the general data protection regulation itself, which deals with the handling of personal data.
This is what it is about
The legal act concerns personal privacy and the individual's right to find out what information is stored and where it is stored, as well as the right to have it deleted. GDPR regulates the extent to which businesses have the right to request and store personal information, and the approach is generally restrictive. A special section covers personal data in labor law, and here the basic rule is that data may only be stored if there is consent or if it is relevant to running the business.
Who is subject to the legislation
The legislation specifically addresses third-party data activities, for example where authorities work with personal data, and various forms of marketing and sales organizations, etc. It also covers what happens in almost all operations, such as managing the various kinds of employee records that are stored: payroll, evaluations and competence data. The new law implies a much stricter approach, backed by substantial fines if you violate it. In extreme cases, the fine is linked to 4% of the turnover of the business, or € 2 million, whichever is the greater (!). The fines for more general breaches of GDPR will of course not be as extensive, but they will certainly be punishable. Responsibility for compliance rests with the board and the CEO and cannot be delegated!
The roles - those who handle data
The person working with the data is called the DPO, Data Protection Officer, and if the data you work with is stored with another party, for example a web host, an external server provider or a cloud service, that party is called the Personal Data Adviser. The legislation stipulates the obligations of each party. It is also important that an agreement is signed that governs the cooperation between the Data Responsible and the Personal Data Adviser. Here it is very important to work with a Personal Data Adviser that complies with the law, with the correct encryption level and security for login and storage, but also one that keeps all data within the EU. For example, it is worth mentioning here that it is not in accordance with the law to store personal data with an American supplier unless it can be proved that all data is stored within the EU.
You need system support for your processes
Processes you run today in Word and Excel need to move to a new solution; complying with the legislation otherwise requires an insurmountable amount of work. Nor can you dodge the requirement by keeping your processes in 'paper format', because the new legislation also covers records stored in boxes and cabinets. The law requires that all data be kept safe but, above all, that you can explain and demonstrate how the collection, storage and even the deletion process works. That is not compatible with a setup where documents are stored in different folders, on different computers, in boxes, in mailboxes and elsewhere, which is commonplace today. If you have such a process, it is very important to start acting now. The legislation requires IT to be built on the principle of "Privacy by design" in order to meet the legal requirement.
But a solution is not far away. Several systems on the market are already secured for GDPR, and there is still some time before the legislation enters into force. However, it is high time to start planning and to allow for the time needed to get a process in place. You are welcome to contact us and we will help you with tips on how to act. And of course, with Heartpace, you live up to GDPR!
If you wish, you can access the Data Protection Regulation in its entirety - click here!