What is the GDPR? A guide to the GDPR in Sweden
Editorial team
Quality Management System

What does the GDPR mean? How will it affect everyday life in the workplace? And what exactly does Privacy by default mean? There's a lot to know about the EU directive GDPR - so to make things easier, we've built a guide to some of the terms, rules and guidelines that will mean the most change for Swedish workplaces.
We've picked out the most important things to be aware of when it comes to the GDPR in this article, so when you've finished reading, you'll both feel more at ease, and know where to turn if you want to know even more.
What is the GDPR? A summary
Let's start with the questions that most people ask themselves when they hear about something new: what is it, and what does it mean? Well, GDPR stands for General Data Protection Regulation.
It is a regulation from the EU that deals with just that - the protection of data. It concerns, for example, how organizations and companies should be allowed to collect, store and handle data from individuals in a secure way, and how it should work to handle data within and outside EU countries.
To understand where the GDPR comes from, it's easiest to go back in time - to the introduction of the directive that the GDPR replaced. In 1995, the EU adopted a data protection directive in an attempt to get all EU countries to handle personal data better. When the Directive was adopted, it was up to each Member State to legislate on how to comply with it. In Sweden, this became the Personal Data Act, with which you are probably familiar. In short, it regulates how you should handle personal data from your customers, for example what data you can and cannot register and save. That's where it all started, but a lot has happened since 1995.
GDPR: a bit like the rulebook in football
The old directive gave all EU countries a bit too much freedom to decide how they wanted to respond to the directive, which meant that there were some differences in how data was handled across the EU. This made things a lot more complicated.
More and more companies and organizations started to work in more than one EU country and they had to comply with several different laws and regulations, and citizens in different countries did not get the same rights in practice, even though they should have in theory. It's a bit like our respective football teams in Europe only partially following the same rules: difficult for both the players and the referees.
This is where the GDPR comes in. The new regulation serves as a clearer and more coherent guideline with higher data security requirements that all EU member states must follow, but still with some possibility to let countries adapt the rules nationally. For us in Sweden, for example, this means that our Freedom of Information and Secrecy Act will continue to apply in combination with the GDPR, but generally speaking, all companies in EU countries must follow the same rules when handling data.
In addition, the GDPR is better adapted to our digital lives. When you think of data, you might think of information such as social security numbers, phone numbers or addresses, but this also includes photos, social media posts and email addresses. In short, anything that can identify a person, directly or indirectly.
The GDPR is therefore about ensuring customer privacy for all these types of data, and making it easier for businesses so they don't have to worry about what applies. In other words, the GDPR is like a common rulebook for how we should behave on the football pitch, so that matches can be played without problems.
Protecting data - from step one
Two phrases that come up in connection with the GDPR are privacy by design and privacy by default. Both of these should contribute to the whole purpose of the GDPR, to handle data securely, but with a certain difference in meaning.
Privacy by design, or data protection by design, means that IT systems and procedures are designed with data security in mind, for example through encryption. In other words, security needs to be built in from the start. Privacy by default is about taking the approach of not collecting more information about customers than necessary.
Now that you have a better idea of what is going on, you may have started to think about how this will affect you and your colleagues in your daily work. Below, we have listed some of the biggest changes that you need to be aware of.
What does the GDPR mean for me, my business and my customers?
The short answer to what the GDPR means in practice is something like this: the GDPR means that you will be under greater pressure from the EU and Swedish authorities to handle your customers' personal data securely, and also that you will need to consider whether there is a genuine reason for your business to store the data. Customers have the right to know what information you hold about them, and you should be able to delete their data if they request it. It doesn't matter where in the EU your business operates; the same rules apply in all Member States.
We have divided the long answer into three parts: what the GDPR means in practice for you and your business, what it means for customers and what it means for working inside and outside the EU.
What does the GDPR mean for my business?
Depending on how your data management is set up from the start, you may need to make changes of different sizes, with some changes being more significant than others. Here are some of the most important ones.
Ensure that data management is secure
You need to think about security when handling and storing data about your customers. This includes both technical solutions, such as encrypting sensitive information, and organizational solutions, such as determining who is responsible for making decisions about how personal data is handled. You also need to consider:
- Whether it is legally justified to handle the data as you do.
- How long it is reasonable for you to keep data about customers.
- Who in the company has access to the data.
- How you should document how you handle the data. The Integrity Protection Authority recommends, for example, having a data management policy and clear procedures for handling personal data.
The misuse rule is abolished
You can no longer refer to the misuse rule, as it disappears with the Personal Data Act. Previously, it could be okay to send a customer's personal data to a colleague via email, for example, as long as it did not violate the customer's privacy. With the GDPR, it doesn't matter in which context you mention the personal data, the same rules apply regardless. You need to consider:
- Whether there is a security risk with your emails,
- Whether the colleague really needs the personal data, and
- What the colleague intends to do with it.
It may be time to review your procedures and perhaps start handling personal data differently.
Ask for permission to store information
In order to save your customers' personal data, you need their active consent to do so. For example, having a pre-ticked box in the corner of your website is not clear enough. Handling sensitive data about your customers undoubtedly requires their consent. So you need to spell out clearly and concisely how you will handle customers' data. Moreover, it must be as easy for customers to withdraw their consent as it is to give it.
Do the right thing - Avoid fines
You can be fined if you do not comply with the Regulation. The amount of the fine depends on the size of the company and the seriousness of the error. Some of the things that can lead to a fine are not reporting a data breach to the Data Protection Authority, handling personal data without the consent of customers, or not handling data securely enough. At most, the fines can reach a staggering €20 million. In Sweden, it is primarily the Swedish Data Protection Authority that assesses fines, but the EU will also appoint a central data protection board to help with these issues.
What does the GDPR mean for my customers?
Some aspects of the GDPR have a direct impact on your customers. Here we list the three biggest changes from a customer perspective.
Customers will have to consent to data processing
Customers will have more influence over who handles their personal data and how. They can both withdraw their consent for you to store their data and also lodge a complaint if they feel your company has not handled their personal data securely enough. The aim of this is to give customers the right to keep their information private if they want to, and to ensure that you do everything you can not to violate their privacy.
Customers get more transparency on data management
Customers have the right to know exactly what information you are storing about them, on what legal basis you are doing so and what the purpose of storing the information is. You cannot store any data without telling them, and if a customer demands to know what information you hold about them, you must be able to respond.
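The sections above on privacy by default (store no more than necessary), secure data management (retention periods, who has access), consent (no pre-ticked boxes, withdrawal as easy as giving consent) and customer transparency (what is stored, on what basis, for what purpose) describe requirements that are easiest to understand as checks built into a system from the start. The following is an added example written for this article, not code from the editorial team or from any product; the purposes, field lists, retention periods and customer values are constructed assumptions, and a real system would take them from its own documented processing activities.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Privacy by default: the only fields that may be stored for each purpose
# (constructed example schema).
ALLOWED_FIELDS = {
    "newsletter": {"email"},
    "order_delivery": {"email", "name", "address"},
}
# How long each purpose justifies keeping the data (constructed values).
RETENTION = {"newsletter": timedelta(days=365), "order_delivery": timedelta(days=90)}


@dataclass
class Consent:
    purpose: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


@dataclass
class CustomerRecord:
    customer_id: str
    data: Dict[str, str] = field(default_factory=dict)
    consents: Dict[str, Consent] = field(default_factory=dict)


class PersonalDataStore:
    def __init__(self) -> None:
        self._records: Dict[str, CustomerRecord] = {}

    def give_consent(self, cid: str, purpose: str, explicit_opt_in: bool, now: datetime) -> None:
        # A pre-ticked box or silence is not consent: require an affirmative act.
        if not explicit_opt_in:
            raise ValueError("consent must be an explicit opt-in")
        if purpose not in ALLOWED_FIELDS:
            raise ValueError(f"unknown purpose: {purpose}")
        rec = self._records.setdefault(cid, CustomerRecord(cid))
        rec.consents[purpose] = Consent(purpose, now)

    def withdraw_consent(self, cid: str, purpose: str, now: datetime) -> None:
        # Withdrawal is one call, as easy as giving consent; data no longer
        # justified by an active purpose is dropped immediately.
        self._records[cid].consents[purpose].withdrawn_at = now
        self._minimise(self._records[cid])

    def store(self, cid: str, purpose: str, fields: Dict[str, str]) -> None:
        rec = self._records[cid]
        consent = rec.consents.get(purpose)
        if consent is None or not consent.active():
            raise PermissionError(f"no active consent for purpose {purpose}")
        extra = set(fields) - ALLOWED_FIELDS[purpose]
        if extra:  # refuse fields the purpose does not need
            raise ValueError(f"fields not needed for {purpose}: {sorted(extra)}")
        rec.data.update(fields)

    def access_request(self, cid: str) -> dict:
        # Transparency: what is stored, on what legal basis, and for what purpose.
        rec = self._records[cid]
        return {
            "data": dict(rec.data),
            "purposes": [{"purpose": c.purpose, "legal_basis": "consent",
                          "given_at": c.given_at.isoformat(), "active": c.active()}
                         for c in rec.consents.values()],
        }

    def expire(self, now: datetime) -> None:
        # Retention: consents older than their purpose's retention period lapse.
        for rec in list(self._records.values()):
            for c in rec.consents.values():
                if c.active() and now - c.given_at > RETENTION[c.purpose]:
                    c.withdrawn_at = now
            self._minimise(rec)

    def has_record(self, cid: str) -> bool:
        return cid in self._records

    def _minimise(self, rec: CustomerRecord) -> None:
        # Keep only fields still justified by an active purpose; erase the
        # whole record when no purpose remains.
        needed = set().union(*(ALLOWED_FIELDS[c.purpose] for c in rec.consents.values() if c.active()))
        rec.data = {k: v for k, v in rec.data.items() if k in needed}
        if not needed:
            self._records.pop(rec.customer_id, None)


def demo() -> dict:
    """Constructed walk-through of the checks above; returns what was observed."""
    t0, out, s = datetime(2024, 1, 1, tzinfo=timezone.utc), {}, PersonalDataStore()
    try:
        s.give_consent("c1", "newsletter", explicit_opt_in=False, now=t0)
        out["pre_ticked_rejected"] = False
    except ValueError:
        out["pre_ticked_rejected"] = True
    s.give_consent("c1", "newsletter", explicit_opt_in=True, now=t0)
    s.give_consent("c1", "order_delivery", explicit_opt_in=True, now=t0)
    s.store("c1", "order_delivery", {"email": "anna@example.com", "name": "Anna", "address": "Storgatan 1"})
    try:
        s.store("c1", "newsletter", {"phone": "070-0000000"})  # not needed for a newsletter
        out["extra_field_rejected"] = False
    except ValueError:
        out["extra_field_rejected"] = True
    s.withdraw_consent("c1", "order_delivery", now=t0 + timedelta(days=1))
    out["data_after_withdrawal"] = s.access_request("c1")["data"]
    s.expire(now=t0 + timedelta(days=400))
    out["record_after_expiry"] = s.has_record("c1")
    return out
```

Running `demo()` shows the four behaviours in order: the pre-ticked (non-explicit) consent is refused, a field outside the purpose's allowed set is refused, withdrawing the delivery consent strips name and address while the email kept for the newsletter remains, and once the newsletter retention period has passed the record disappears entirely. The access request output is the kind of answer the transparency section says you must be able to give a customer.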
Young people's data is more protected
People under the age of 16 will be better protected when it comes to data. As of the entry into force of the GDPR, you must have the explicit permission of the parent or guardian to store information on children under 16. However, there are some possibilities for Member States to adapt the rules slightly. It is possible to both raise and lower the age limit, but not below 13 years.
What does the GDPR mean for cross-border jobs?
The idea behind the GDPR is to make it easier for organizations and companies that work in several countries when it comes to data management. Things that were complicated before will become easier and all countries within the EU will work in the same way to a greater extent than before.
Making it easier to work in more countries
Companies operating in more than one EU country will find it easier to comply with the rules. Previously, the respective national differences in the rules could make it very complicated for both companies and authorities to determine how data should actually be handled, but thanks to the GDPR, the same rules now apply to everyone (with some exceptions for national additions, but on a much smaller scale than before).
Countries outside the EU may be affected by the GDPR
Companies located in a non-EU country but handling data of EU residents must also comply with the GDPR. So it doesn't matter if a company is based in Gothenburg, Berlin or Los Angeles if they handle information about EU citizens - personal data must be protected and handled in accordance with the GDPR.
One of the main rules of the GDPR is that organizations should only have to answer to a data protection authority in one country, even if the organization itself is located in several countries. There are some exceptions, but generally speaking this is how it works:
- If all data management decisions are taken at the headquarters, the country where the headquarters is located is responsible for data management oversight.
- If data management decisions are taken in more than one location, the country where the decision in question was taken is responsible for supervision. For example: an organization has one office in London and one in Stockholm. If the London office makes all the data processing decisions, the supervisory authority in London is also responsible for checking that everything is done correctly, even if people in the Swedish office also process the data. If decisions are made in both London and Stockholm, it depends on which decision is being investigated and in which country the specific decision was made.
Documenting GDPR work with policies and guidelines
We mentioned earlier that it can be useful to document the actual work of handling the data - who does it, in what way and with what security measures. This is particularly important for two reasons. Firstly, you need to be able to conduct privacy assessments of your data handling to ensure that your customers' privacy is indeed as protected as it should be. Secondly, you may be required to quickly provide records of the data you handle. Having policies, guidelines and other documentation on privacy and data management can help you meet those requirements.
As you may have realized, the GDPR itself is not a direct instruction on how to handle data - there is no specific rule on how to store phone numbers and social security numbers. Rather, the GDPR is a guide to better, safer and more transparent data management for those organizations that need to collect or store data for various reasons.
Want to read more about the GDPR?
We have two more articles on the topic:
GDPR Responsibility Roles: Data Controller and Data Processor
GDPR: How to write clear data management agreements
Or, for even more knowledge on the subject, visit the Integrity Protection Authority.