Around 2018-2019 there was a lot of talk about GDPR in connection with the introduction of this EU legislation, but that is no longer the case. Now that some time has passed, the risk is that you as a company gradually forget about the legislation, even though complying with it is still important (non-compliance can result in substantial fines).
To help you evaluate your current situation, we have developed a checklist.
What is GDPR?
GDPR, or General Data Protection Regulation, is an EU regulation that governs how companies and organizations may collect, use and store personal data. The purpose of GDPR is to protect individuals' privacy and rights.
Breaking the rules can result in heavy fines, and in personal data being processed incorrectly or falling into the wrong hands. It is therefore important that you understand the rules and regulations that apply to the processing of personal data.
What is personal data?
Any information that can be directly or indirectly linked to a person counts as personal data, for example: email address, name, telephone number, postal address, and sensitive information such as health data.
Please also note that pieces of information that reveal nothing on their own but together can be traced to a person also count as personal data.
Processing of personal data
“Processing of personal data” includes the recording, storage, modification, reading and distribution of data. Such data must be protected within the organization and must not be disclosed or exposed in environments where unauthorized persons may come across it (e.g. by overhearing or viewing information). It does not matter whether the data is stored on a computer, a mobile device or paper.
Purpose and consent
Companies must obtain explicit consent from individuals to process their personal data, and there must be a legal basis for storing the information.
Personal data may only be used for the purposes for which it was collected, or in accordance with the consent of the data subject.
Rights of the individual
Individuals have the right to access their data, to have inaccuracies corrected, and to demand that the data be deleted.
Checklist
Check that you have completed and documented each of the points below; if so, you are well on your way!
✅ Identify all types of personal data collected
✅ Map where this data is stored (digitally and physically)
✅ Understand how this data is used and by which departments
✅ Ensure that there is a legal basis for storing this personal data
✅ Appoint a data protection officer and document the appointment
✅ Identify any processing activities that involve high risk and perform a DPIA* (Data Protection Impact Assessment) for them
✅ Ensure that the data is protected, and purged when no longer needed, in a reasonable manner
✅ Record the above information in your GDPR register (it requires a certain structure but can be managed in different systems, e.g. AmpliFlow or SharePoint; the most important thing is that you have control of the information and can report on it)
✅ Make sure you have basic training materials about GDPR
✅ Ensure that all employees have a basic understanding of GDPR
✅ Incorporate GDPR practices into the onboarding process for new staff
✅ Add a checkpoint to the offboarding process for personnel - does the data protection officer need to be replaced?
✅ Schedule annual review of GDPR practices
✅ Prepare an incident handling procedure and train personnel in it
✅ Add a checkpoint to the introduction of new systems so that they are included in the GDPR register
✅ Ensure that there are procedures for deleting personal data
Take the next step with Cognit
We know that keeping an inventory of GDPR records, handling incidents and ensuring that procedures are followed is cumbersome and inefficient. That's why we offer easy-to-manage support for these areas using Office 365 and www.ampliflow.se. If you're interested in creating a digital workplace with structure and simplicity for your routines, Cognit has the solution for you.
Visit our website at www.cognit.se to explore our offer further. Together, let's create a digital workplace that not only meets your needs today, but is also ready for the challenges of the future.
* A DPIA (Data Protection Impact Assessment) is a process for identifying and minimizing privacy risks in the processing of personal data. A DPIA is a GDPR requirement for processing activities that are likely to pose a high risk to the rights and freedoms of individuals. It includes a risk assessment, identification of measures to reduce the risk, and documentation. A DPIA is an ongoing process that should be integrated into the project lifecycle. Learn more at the Swedish Authority for Privacy Protection.