Work at computer

We are preparing for GDPR – the new data protection ordinance

On May 25, 2018, EU’s new data protection ordinance will come into force. The ordinance replaces the Swedish Personal Data Act (PuL) which then ceases to be applicable. GDPR contains a number of new requirements which must be taken into consideration and will result in major changes both within the trade and industry and the public sector.

"The Data Protection Ordinance will affect more or less all activities at Linnaeus University. Therefore, we are preparing at all levels", says university director Per Brolin.

"We are making an inventory of what personal data processing occurs at Linnaeus University today. New guidelines and a proposal for a plan for education and information efforts have also been developed", Brolin continues.

Fines and sanction fees
The Data Protection Ordinance is the Swedish name for EU's GDPR (General Data Protection Regulation) that replaces the Personal Data Act (PuL) as from May 25. The purpose of the new ordinance is to adjust legislation to the digital society, strengthen the individual's right to privacy, and harmonise legislation within the EU.

The new regulations clarify and make greater demands on the processing of personal data. Those who do not follow the new legislation can expect big sanction fees; fines of up to 4% of the turnover.

"For us, this is not about avoiding sanction fees. It is important that individuals' personal data is processed in a correct way so that people can feel trust towards Linnaeus University and that the university's good reputation is not jeopardised", says Brolin.

Personal data ombudsman coordinates
A working group is preparing our activities for the coming into force of the new ordinance. The group's commission is to review structures and routines and adapt the organisation so that the processing of personal data at Linnaeus University lives up to the requirements of the legislation.

"We are working actively with this right now. Close to 500 people have particpated on our training programme. Things are in order, and we are now working to become even better. To establish an awareness and carry out follow-ups to ensure that our guidelines are complied with within the organisation is a continuously ongoing work", says personal data ombudsman Elisabeth Engström at the executive office.

Use consent forms
It is important to make an inventory of what personal data processing occurs at Linnaeus University. A full review of Linnaeus University's activities has been carried out this spring – everything from the processing of personal data at the central level to the processing of personal data in research projects.

New guidelines and a proposal for the design of the role as data protection ombudsman, consent forms and a plan for education and information efforts have also been developed; work that is led and coordinated by personal data ombudsman Elisabeth Engström.

Registers must have legal support
At a department or other unit, that is to prepare itself for the new data protection ordinance, everyone must have knowledge about what personal data is processed, what processing is done, what legal support there is for this processing and what measures may have to be taken.

The exception for the processing of personal data in unstructered material will disappear. As from May 25, there must always be legal support for the processing of personal data.

If you have any questions, you are welcome to contact Elisabeth Engström.

Link to: The Swedish Data Protection Authority