We help you get started with the work to comply with the General Data Protection Regulation (GDPR)
On 25 May 2018, the new Data Protection Regulation will come into force with the aim of tightening the rules and replacing the Swedish Personal Data Act (PUL). In other words, organizations have less than a year to adapt to a new law that requires stronger security in the handling of sensitive and personal information about both employees and customers.
Fines up to 4 percent of the organization’s global annual turnover
Those who do not comply with the requirements of the new law face heavy fines of up to 4 percent of the group’s global annual turnover. The law gives organizations an incentive to raise their work on security and the protection of personal information to a whole new level, to the benefit of the individual.
While GDPR describes why the protection of personal data is necessary and what the consequences of non-compliance may be, it provides little guidance on how to meet the requirements effectively. We have therefore developed an iterative process in 3 phases to help you achieve adequate data protection and legal compliance:
Phase 1: Inventory of personal data
The starting point for compliance with GDPR is first and foremost to identify and inventory the personal data (PII) you already hold, pursuant to Article 30 of the GDPR. However, the number of systems, integration points, partners and suppliers involved in handling that data can make this a complex and time-consuming task that is difficult to carry out on your own. We will help you identify and inventory all personal information effectively.
Phase 2: Impact assessment on data protection
The second phase of the process is a data protection impact assessment (DPIA) pursuant to Article 35 of the GDPR. We review the inventory of personal data from phase 1 and conduct a risk analysis to identify the information that needs to be protected. The risk analysis also highlights the actions and controls that the business needs to take or introduce.
Phase 3: Implementation
The third and final phase consists of 3 steps. Based on the personal information to be protected, we define the relevant controls and processes for the second step, the implementation. To comply with GDPR, the protection of personal data must be built into all systems by default, which is achieved by implementing protection mechanisms in every system that handles personal information.