Three steps closer to strategy and practical risk management in a legal environment with stricter requirements and sanctions.
News about the upcoming General Data Protection Regulation (GDPR) is pouring in, and headlines on stricter requirements and multimillion sanctions are common. That integrity and data protection have been high on both the legal and business agenda is well-deserved – knowledge of customers and users is hard currency in the information society. Parallel to an increase in awareness of and opposition against monitoring which violates integrity, there is a greater willingness to share data and information in order to obtain better products and solutions. Concepts such as ‘eHealth,’ ‘location services’ and ‘the connected home’ are all based on the fact that there is an interest in the solutions which are offered. Approaching integrity and data protection is therefore equally about legal compliance and about developing new ways to find a balance in the trust equation in relation to customers and users.
Irrespective of what you think about the end result, the future playing field for management of personal data is regulated at the EU level by adoption of the new GDPR. The explicit aims have been to give citizens control over their personal data and to create a uniform European regulation. The rights at citizen level are reflected for companies through more extensive and stricter requirements on management of personal data. Both entrepreneurs in startups and compliance managers in multinational companies now need to adapt and prepare. As a part of this it is easy to focus narrowly on the changes in comparison to the existing Personal Data Act (PUL), particularly as the conspicuous sanctions amount to the higher of four per cent of the company’s global sales or EUR 20 million. However, despite the requirements and sanctions, there will still be opportunities for extensive data collection and analysis of relatively sensitive data, as long as this takes place in a well thought-out and transparent manner, with strategically designed purposes and consent. A large part of the technical development of new services over recent years, not least within sensitive areas such as, for example, ‘eHealth’, has been stimulated by analysis of surplus information. In contrast to common perception, there will be opportunities for this in the future as well. However, this requires that the integrity perspective is incorporated as a natural part of the business model in order to continue such development lawfully. Those who succeed with this will have a strong competitive advantage when the requirements of the GDPR enter into force in 2018.
However, PUL and primarily the GDPR provide much more guidance than this. Based on the Regulation’s structure and its management rules, tools are provided both for fulfilling existing and new requirements and for implementing processes which ensure long-term compliance. At Morris we view this process as three overall steps, each of which contributes to the fulfilment of a large number of requirements in PUL and the GDPR respectively.
STEP 1 – IDENTIFY DATA AND PURPOSE
Both existing and upcoming regulation are based on the purposes of the personal data processing. This is completely in line with a purely commercial approach where, as an entrepreneur, you should question why data is collected and saved. By starting from the commercial aim of data collection and processing, an overall purpose description is obtained together with a comprehensive view of which data is needed to attain the commercial targets. It is easy to forget the overall perspective and instead dive straight into detailed requirements, which are very difficult to fulfil without seeing the entirety. Good identification of data and purpose will enable overall fulfilment of the requirements related to:
- “Purpose limitation” (article 5.1 (b)), which specifies that only such processing required for attaining the purposes is permitted.
- “Data minimisation” (article 5.1 (c)), which in a corresponding manner states that only such data required for attaining the purposes may be collected. The concept and limitation stand in stark contrast to data mining, where the aim is to extract data for future purposes, although this does not necessarily mean that data mining must be completely prohibited.
- “Data protection by design and by default” (article 23), which means that the business, business model, technical platform etc. should be designed to respect integrity, and that default settings should be set in favour of integrity, not the other way around.
STEP 2 – PREPARE A STRATEGIC LIST
Based on the data you want to process and for what purpose, a strategic list should be prepared of the business’ personal data processing. The requirement to maintain such a list already exists in the current PUL and broadens significantly as a result of the new Regulation. However, instead of preparing a list only to satisfy legal requirements, the list can become the tool which ensures a lot more than compliance with rules, and which provides a competitive advantage.
Preparing a list of the business’ personal data processing in practice entails screening to find existing registers, followed by an assessment of their use. By specifying the content, purpose, consent, owners, users, etc. for each register, a relatively quick overview of the legality is obtained, while all information becomes available immediately if the Swedish Data Protection Authority knocks on the door or a registered individual requests an extract from the registers. A strategic list enables practical and legal fulfilment of both existing and upcoming requirements for:
- The basic principles on, among other things, lawfulness, transparency, accuracy, integrity and confidentiality (article 5)
- Consent (article 6.1 (a)), among other things in relation to purpose (article 7), any sensitive data (article 9) and transfer to third countries (articles 40-45)
- Balancing interests (article 6.1 (f)) and other alternative legal grounds for processing
- Risk analyses (articles 33-34), among other things in relation to technical security measures (articles 23 and 30)
- Organisational security (articles 23 and 30), linked to internal access to personal data and any external access and representative relations (article 26).
- Disclosure of information upon request, including data portability (articles 14-15, 18)
- Screening (articles 16-17), among other things, linked to the purposes.
STEP 3 – DESIGN A CUSTOMISED POLICY
Steps 1 and 2 will together provide a good and structured view of which data the business will work with and of what is actually collected and processed. This view also exposes gaps in the form of areas which breach legislation and where the largest exposure to risk exists. Based on this well-established knowledge, a policy can address the issue of personal data in two respects: by strengthening and developing lawful personal data management, and by minimising legal risks as well as integrity risks in relation to customers, users and other contacts. By allowing the policy to also include perspectives such as information security and incident and crisis management, both the opportunities and the risks of personal data management are covered.
DO’S
To sum up, the three steps provide a framework to initiate commercially-oriented and future-proof work on integrity and data, which subsequently transforms to continuous compliance work. In conclusion, we would like to mention some “Do’s” and some material worth reading.
- Own the issue of data protection
  - Be active and assign the responsibility for data protection to those who have a legal and commercial mandate.
- Adapt the technical platform
  - Technology and its application are decisive for both opportunities and risks – “Data protection by design” can go hand in hand with the commercial targets.
- Compliance = Competitive edge
  - The playing field has been set; with stricter rules and harder sanctions, those who handle the requirements most strategically will be the winners.
- Prepare.
  - The Government is doing it, insurance companies are doing it, the Swedish Data Protection Authority is doing it, trade and Teknikföretagen (the Association of Swedish Engineering Industries) are doing it. The earlier the issue is addressed, the greater the chances that the preparations will be cost-efficient and attain the desired results, while the implementation is minimally disruptive for the business.
WOULD YOU LIKE MORE INFORMATION?
PLEASE FEEL FREE TO CONTACT US AT MORRIS LAW
HENRIK ALMSTRÖM
Associate
Telephone: +46 10 722 36 12
Mobile: +46 738 26 47 75
E-mail: henrik.almstrom@morrislaw.se