Authorities, companies and organisations work continuously with security efforts of various kinds. Here we focus on security for personal data that is part of the information security work.
Why is it important to protect personal data? It is the very core of the General Data Protection Regulation: to protect people's privacy and safeguard everyone's rights and freedoms.
Swedish Authority for Privacy Protection does not tell you what to do – you must decide for yourselves
Security risks and threats to personal privacy vary depending on the scope and complexity of the personal data processing but security efforts largely involve minimising risks and managing risks in the best way. You can use different measures and technologies but your inform nation security work must fulfil the purpose of the General Data Protection Regulation: to protect individuals' fundamental rights and freedoms.
Here we tell you what the requirements are and what you have to do, but we cannot explain in detail how you are to go about it. It is every organisation's responsibility to plan and carry out security work so that it satisfies the General Data Protection Regulation's requirements in the best way.
What is new in the General Data Protection Regulation?
In actual fact, the General Data Protection Regulation does not contain very much that is new as regards information security for personal data. If you have good security at present, you probably do not need to change how you work. But you need to check that you
- comply with all the fundamental principles of the General Data Protection Regulation
- have appropriate lawful grounds for your personal data processing
- document your reasoning and your methods.
Information security work: structure, procedures and predictability
With a clear, distinct structure and appropriately adapted procedures in your security work you achieve predictability. If you have clear internal procedures or adhere to a standard, you reduce the risk of missing something important or making mistakes that may result in costly security breaches.
N.B. Always be aware of what information you are processing so that you do not process personal data that you do not have lawful grounds to process. You do not need to devise procedures and technical solutions to protect data that you do not have the right to process.
What do you need to think about and what should you do?
The following four steps help you to work in a structured way and thereby comply with the General Data Protection Regulation.
1. Start with the fundamental principles and legal grounds
- Always start with the fundamental principles of the General Data Protection Regulation and answer the following questions: Why do you need to process personal data? What are the purposes?
- Also assess what lawful grounds you are to base your processing on.
2. Analyse what is to be protected, scope and risks
- What is to be protected? What do you need to process? What are you allowed to process?
- Scope of the processing.
- Risks involved in the processing: Make a thorough risk analysis. If you have an instance of personal data processing that is particularly sensitive, making an impact assessment might be the next step.
3. Analyse measures and appropriateness
- What is appropriate considering our findings from the analysis?
- What technology is there?
- What organisational procedure are appropriate for us to implement?
Make an overall assessment:
- What measures are needed for secure personal data processing?
- What measures are appropriate on the basis of cost and the possibility to implement them?
Decide on measures:
- Organisational: procedures and policy documents
N.B. Communicate! Everyone concerned must have clear instructions so that your personal data processing is secure and lawful. No prohibited processing is to be able to take place.
4. Motivate your decisions and maintain continuous documentation
The General Data Protection Regulation stipulates stringent requirements concerning documentation. Have good procedures to continuously motivate your decisions and document
- what you do
- how you reasoned – motivate your decisions
- your procedures and policy documents.
If the information in other languages are different from the Swedish version, it is the Swedish version that applies.