
GDPR in a "simpler" way

The GDPR (the EU General Data Protection Regulation) is starting to appear on most board agendas as we write this, and if it has not reached yours yet, it is time to hurry it along.
GDPR is serious and should be treated as such, but it is far from unattainable.

In fact, order and structure are the key words for achieving and maintaining compliance with the new GDPR, and if you already have order and structure, your journey is not very long.

Today we meet rather stressed IT managers who have had GDPR dropped in their laps with the task of ensuring that the company complies with this new regulation. We would argue that they have been made to start at the wrong end, with the wrong focus on the challenge.

We also see colleagues in the industry selling salvation to companies: salvation that, with a few keystrokes, will take them from dark clouds to a clear blue sky with no data protection issues whatsoever, rounded off with a hefty invoice by way of thanks.

IT is not a magic word that puts everything right. IT will certainly be a very important part of the whole process, and of ongoing compliance, but let us start the journey from the right place.

But first, let us get some basic facts straight before we look at what is coming.

What is GDPR?

The General Data Protection Regulation (GDPR) is a new EU regulation that governs how personal data may be processed. In Sweden it replaces the current Personal Data Act (PUL).

Why GDPR?

The aim is to give individuals more control over their own personal data, ensure transparency about the use of data and require security and controls to protect personal data.

What is personal data?

Any information that can be directly or indirectly linked to a living person. For example, if an IP address can be tied to a specific person, directly or indirectly, then that IP address is also personal data.

Simply put: if you are unsure whether something is personal data or not, put it in the basket marked "personal data" until proven otherwise.

When?

The Regulation was adopted in 2016 and applies in full from 25 May 2018.

So, what does it all mean?

For those who process personal data there is a lot to think about. Without going into detail on each part, it essentially involves the following:

  • The data controller has a proactive obligation to inform the data subject; the information should answer the classic questions: Where? What? Why?
  • What legal basis do I have for processing this personal data? (We come back to this below.)
  • We must be able to demonstrate that we handle the data securely and correctly.
  • Where we let someone else handle personal data for which we are responsible, we must have an agreement in place with them, known as a data processor agreement.
  • If an incident occurs and, for example, personal data has fallen into the wrong hands, we now have an obligation to report it within 72 hours (calendar hours, counted from when we became aware of the breach), unless the breach is unlikely to pose a risk to the individuals concerned. The report is made to the supervisory authority, i.e. the Data Protection Inspectorate, and must describe what happened and why, whose personal data was affected, and what action was taken. Where the breach is likely to pose a high risk to the individuals concerned, they must also be notified.

Saying that you did what everyone else does will not get you far, and saying that you thought something was "best practice" because someone else did it is not enough. We must be able to demonstrate, with documentation and at all times, that we have worked to meet our obligations to the best of our ability.

The general requirements for the processing of personal data remain in place: personal data may only be processed if it is necessary for the purpose, no more personal data may be processed than necessary, and data may not be kept for longer than necessary.

In addition, the individual's right to be forgotten and right to obtain a copy of the data held about them are extended. The right to be forgotten is the individual's right to have his or her personal data erased, for example when the data is no longer necessary for the purpose for which it was collected, or when the individual withdraws the consent on which the processing was based.

At the time of writing we can shed no more light on this than to say that we will have to wait and see what guidance the Data Protection Inspectorate issues on these issues.


Then there is the issue of sanctions, and yes, they are significant in every respect. The size of the fine depends, among other things, on which provision is infringed. At the top level the fine can be up to EUR 20 000 000 or 4% of the group's total annual worldwide turnover, whichever is higher. Note that this is the administrative fine and does not include any damages that may be claimed by affected individuals. Once again: if GDPR is not on the board agenda, it should be put there as a matter of urgency.

Then we come to "lawful processing", i.e. which basis I can rely on to process the personal data. There are six such legal bases.

Consent

One way to make the processing of personal data lawful is simply to ask for permission; if the person clearly agrees, the processing is lawful because you have their consent. Consent must be freely given, specific and informed, it must be as easy to withdraw as it was to give, and you must be able to show afterwards that it was obtained correctly.

Fulfilling a contract with the data subject

A contract may constitute a legal basis for processing personal data. The processing must then be necessary for the performance of a contract with the data subject, or for taking steps at the data subject's request before such a contract is concluded.

Legal obligation (e.g. accounting law)

Personal data may be processed if this is necessary to comply with a legal obligation. One example is the obligation to retain accounting records under the Accounting Act.

Protect the vital interests of an individual

An example is processing necessary for life-saving care in an emergency where the data subject is unable to give consent.

Performing a task carried out in the public interest or in the exercise of official authority vested in the controller

Tasks carried out in the public interest include research, archiving and the production of statistics. Processing is also permitted if it is necessary for the exercise of official authority vested in the controller. It is primarily central and local government authorities that process personal data on this basis. In Sweden this is usually governed by specific statutes, so-called register acts; the activities of the Swedish Tax Agency are one example.

Balance of interests

It may be permissible to process personal data after balancing the interests involved. The processing must then be necessary for a legitimate interest of the controller, and that interest must not be outweighed by the interests or fundamental rights of the individual. A CRM system is a typical example: as controller, I keep contact details (name, phone number, e-mail address and so on) for my business contacts in order to maintain a healthy, businesslike relationship, and that should be a legitimate interest. If, however, we also start registering the individual's other interests and preferences, we believe we are on thin ice as far as the balance of interests is concerned, and we must then turn to one of the other five legal bases instead.

OK, so what do we do now?

You can start an inventory without delay, if you have not already done so. Where do you keep personal data, and why? In other words: which systems, applications and databases contain personal data, and what is the purpose of each?

In this inventory it is also worth capturing, for each system, how accounts and passwords are managed, whether access is role-based, whether the data and the database are encrypted, and whether access to the system or application is logged in some form. This is the information you will later need to demonstrate that the data is handled securely.

If you have partners who handle personal data in some form (outsourced IT, cloud-based applications, etc.), raise this with them. They should be able to tell you how they in turn secure the information and what their own GDPR work looks like. You should also make sure that you have a data processor agreement with each such partner that sets out your requirements for how they handle the personal data you are responsible for. Having a lawyer review the agreement first is advisable.

Speaking of lawyers, it is our firm opinion that, once your inventory is done, you should engage a skilled lawyer to guide you and help you set the right priorities. Please ask us at AddPro; we have a very good cooperation with Mannheimer Swartling on this matter, where pragmatic lawyers are ready to help.

Of course, you can also use your IT partner(s) for the inventory. For example, AddPro offers a Security Workshop in which a number of well-chosen questions let us arrive at appropriate measures for you quite quickly.

A word of caution, though, as we said above: do things in the right order. Do not start by investing in technology in the belief that it will meet the requirements; start by inventorying, evaluating and prioritising.

Keep It Simple