Individuals' rights - and your obligations - when the new GDPR enters into force
The new General Data Protection Regulation (GDPR) places entirely new requirements on how we handle personal data. It means that all personal data handled by companies must be treated with high integrity, which is a major change for all companies - regardless of size. So what exactly are the rights of the person whose personal data you and your company handle - and what are your obligations? Here we take a closer look at what the Regulation says, and also provide concrete examples of what is required to comply with it.
New data protection regulation focuses on individual rights
Individuals whose personal data is recorded and processed have expanded, strengthened and more precisely specified rights under the new General Data Protection Regulation (GDPR) than under the old Personal Data Act (PUL). "Processing" of personal data means any use of such data, from collection to deletion. The rights of the individual are as follows:
- Right to information - The person whose personal data is recorded has the right to be informed when his or her personal data is processed and, on request, to receive an extract of the data that is held.
- Right to rectification - The right to have inaccurate data corrected and incomplete data completed.
- Right to erasure ("right to be forgotten") - The right, in certain cases (for example when the data is no longer needed for the purpose it was collected for, or when consent is withdrawn), to have the data erased at the data subject's request.
- Right to restriction of processing - The possibility to require (in certain cases) that the processing of personal data is restricted, i.e. that it can only be processed for certain limited purposes.
- Data portability - The right (in some cases) to receive one's personal data in a machine-readable format and transfer it, for example from one social media service to another.
- Right to object - The right to object (in certain cases) to the processing of one's personal data.
- Automated decision-making - The right not to be subject to a decision based solely on automated processing, including profiling, if the decision produces legal effects concerning the person or similarly significantly affects him or her.
- Complaints - Anyone whose personal data is being processed can submit a complaint to the Data Protection Authority, which then assesses whether supervision should be initiated.
- Damages - A person who has suffered damage as a result of processing of their personal data in breach of the Regulation may be entitled to compensation.
Compliance with the new GDPR requires clear mapping of personal data
A prerequisite for you and your company to be able to comply with all these obligations is, in the first instance, that you have insight into the current state of the processing of personal data. For example, if you do not know where or what personal data is being processed, you cannot delete or amend it on request.
A data mapping exercise should record what personal data exists, which systems it enters, and any third parties with whom it is shared. In addition, all the processes involved in handling the data must be mapped - all the way from collection to the point where the person is no longer your customer and the data should be deleted.
How searchable is your personal data?
The main (and often first) problem that many people encounter at this stage is the difficulty of retrieving and identifying the personal data that is recorded. This may be because documents and files containing personal data are stored in places that are not searchable - on USB sticks, locally on someone's desktop, on external hard drives, and so on. Or the systems in which the data is stored do not offer adequate search capabilities. Systems should be designed from the outset so that personal data can be found, exported and deleted on request - what the Regulation calls privacy by design.
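The discovery problem described above is where a small, targeted scanner earns its keep: before you can answer an access or erasure request you need to know which files contain personal data at all. The following is an added example, not code from the original article or its authors. It walks a directory of text-based exports and reports files containing Swedish personal identity numbers (personnummer), validating each candidate with the Luhn check digit so that invoice numbers and phone numbers are not reported. The file extensions, the sample log text and the identity numbers in it are constructed for the example (811218-9876 passes the checksum, 811218-9877 does not); binary formats such as Office documents or PDFs would need a text extractor in front of the same detection logic.

```python
import os
import re
import tempfile
from typing import Dict, List

# Common written forms of a Swedish personal identity number (personnummer):
# YYMMDD-NNNC, YYMMDDNNNC, YYYYMMDD-NNNC, YYYYMMDDNNNC. The separator may be
# '-' or '+' ('+' marks a person who has turned 100). The lookarounds stop the
# pattern from matching inside longer digit runs.
PNR_PATTERN = re.compile(r"(?<!\d)(\d{2})?(\d{6})[-+]?(\d{4})(?!\d)")


def luhn_ok(ten_digits: str) -> bool:
    """Luhn check over the 10-digit form YYMMDDNNNC: weights 2,1,2,1,...;
    the sum of the product digits must be divisible by 10."""
    total = 0
    for i, ch in enumerate(ten_digits):
        d = int(ch) * (2 if i % 2 == 0 else 1)
        total += d - 9 if d > 9 else d  # digit sum of a two-digit product
    return total % 10 == 0


def is_personnummer(candidate: str) -> bool:
    """True when the candidate has plausible date fields and a valid check digit."""
    m = PNR_PATTERN.fullmatch(candidate)
    if not m:
        return False
    core = m.group(2) + m.group(3)  # YYMMDDNNNC
    month, day = int(core[2:4]), int(core[4:6])
    # Coordination numbers (samordningsnummer) add 60 to the day of birth.
    if not (1 <= month <= 12 and (1 <= day <= 31 or 61 <= day <= 91)):
        return False
    return luhn_ok(core)


def find_personnummer(text: str) -> List[str]:
    """Return every validated personal identity number in text, in order."""
    return [m.group(0) for m in PNR_PATTERN.finditer(text) if is_personnummer(m.group(0))]


def scan_directory(root: str, extensions=(".txt", ".csv", ".md", ".log")) -> Dict[str, int]:
    """Walk root and count validated personal identity numbers per text file.
    Unreadable files are skipped. The extension list is an assumption for the
    example; binary formats need a text extractor in front of find_personnummer."""
    report: Dict[str, int] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_personnummer(fh.read())
            except OSError:
                continue
            if hits:
                report[path] = len(hits)
    return report


# Constructed sample (not real data): an exported support log containing one
# personal identity number written in two forms, plus look-alike numbers that
# must not be reported.
SAMPLE_TEXT = """\
Ticket 4711 opened by customer 811218-9876 (also entered as 19811218-9876).
Reference 811218-9877 is not a personal identity number: the check digit fails.
Phone 0701234567 and order 20230115-0001 are not personal identity numbers.
"""


def demo_scan() -> Dict[str, int]:
    """Write the constructed sample to a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "support-export.txt"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TEXT)
        with open(os.path.join(tmp, "notes.bin"), "wb") as fh:
            fh.write(b"\x00811218-9876")  # unscanned extension: a known blind spot
        return {os.path.basename(p): n for p, n in scan_directory(tmp).items()}


if __name__ == "__main__":
    for filename, count in demo_scan().items():
        print(f"{filename}: {count} personal identity number(s)")
```

Run it against a mounted file share or an exported mailbox folder to get a first inventory of where identity numbers live; the `notes.bin` file in the demo is there to make the point that anything the scanner cannot read as text stays invisible, which is exactly the USB-stick and local-desktop problem described above.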
New data protection regulation - not a Y2K bug
Once the personal data have been identified, the problems usually lie in designing the procedures and processes for the cases where a data subject objects to the use of his or her personal data, wishes to be forgotten, requests an extract, and so on. The question is how to implement these rights in practice.
Working out how those processes should be implemented is only the beginning. Companies differ widely in how far they have come in preparing for the GDPR, and this often depends on whether the consequences of its introduction are taken seriously. Some still believe it is some kind of "millennium bug" - a doomsday prophecy that will never play out. The truth is that the GDPR will be a bigger change than most people realize: the EU has required legislative changes in the member states, which means that about 100 Swedish laws will have to be rewritten to align with the Regulation.
Taking outside help
Mapping and implementation are not straightforward, and very few companies have staff with in-depth knowledge of the new GDPR who can ensure that no part of the work is overlooked. Training is therefore a good start for creating an overview of what compliance requires.
The next step could be to go through the current situation thoroughly with an external party to find out what needs to be done - in a workshop, for example. Such a workshop should result in a report or checklist that clearly shows which parts already work in accordance with the GDPR and what remains to be done to comply fully with the Regulation. It should also indicate the order in which the remaining work should be done and suggest what solutions are available.
Many vendors who claim to offer help with GDPR fail to offer any concrete solutions. Instead, it is often a question of getting you and your colleagues to understand the scope of the work. Therefore, if you do bring in outside help, you should make sure that the solutions are practical and not just advisory. For example, find out if your provider can offer any kind of technical solutions that can be integrated with the IT platform you already use. Make sure the solutions are clearly packaged and scalable - don't pay for more than you actually need. Also make sure that your supplier can clearly show what the expected outcome of a collaboration will be.