Stricter requirements for managing personal data

Published Apr 26, 2018

Clearer, more uniform and more transparent. The new General Data Protection Regulation (GDPR) contains stricter and to some extent new requirements for managing personal data. Work is currently underway at KTH Royal Institute of Technology on adapting and strengthening existing systems. A web-based distance learning programme will also provide KTH staff with tools to deal with the new rules.

The new EU-wide General Data Protection Regulation (GDPR) will come into force on 25 May. It includes stricter requirements for those managing personal data to be able to report which data is stored and why.

“You need to be aware of what you’re doing. Check that there is a legal basis for collecting and saving the data. Don’t collect more data than necessary or save it for longer than necessary,” explains Robin Roy, project manager for the work on adapting to the new regulation. He is currently personal data officer at KTH and will be KTH’s data protection officer from 25 May.

The General Data Protection Regulation (GDPR) will replace existing Swedish legislation (Personal Data Act). The overall aim, to secure the individual’s right to a private life, is the same, and much of GDPR is similar to the rules in the existing legislation, according to Robin Roy.

“We don’t need to reinvent the wheel. But GDPR contains some new items and also puts more emphasis on the responsibility of those managing personal data to ensure the rules are followed.”

Think before you act

This includes the obligation to inform the registered person of which data is in the database. Procedures for managing complaints, requesting database excerpts and erasing data from the database must also be upgraded.

Responsibility for data security is also being tightened up, including a requirement to carry out impact assessments before new processing of personal data is introduced.

“We’re expected to be proactive in our approach to data protection. If we haven’t considered it beforehand, we’re in breach of the regulation,” explains Robin Roy.

Serious security incidents, such as hacking, must be reported to the Swedish Data Protection Authority within 72 hours. At the same time, the concept of data incidents is being expanded to also include such things as burglaries in which documents disappear.

“And if you lose a USB memory stick with a class register on the underground, this is also counted as a data incident,” says Robin Roy.

Another new item is that the Data Protection Authority can impose an administrative fine on those who break the rules of the regulation.

Several systems

Where KTH is concerned, adaptation is complicated by personal data currently being handled in many different ways and at many different levels. This includes everything from the Ladok student registry and central staff register via associated systems to individual teachers’ Excel registers.

Prior to the introduction of GDPR, an inventory and survey has therefore been made of existing systems and processes. Maria Widlund, Group Head of HR, is part of the group that, along with Robin Roy, is reviewing the results for staff administration systems. She welcomed the inventory and considered it much needed for several reasons.

“We need to ensure that personal data is processed more uniformly, collaborate more and do more things in the same way so that we comply with the regulation. But this is also in line with the developmental journey we’ll be making in any case towards a more cohesive KTH, what the President calls a Unified KTH,” she says.

But neither Robin Roy, Maria Widlund nor University Director Anders Lundgren believe that all new procedures and adaptations will be fully in place by 25 May.

Several exceptions

“No, we’re hoping that the major systems will be in place at that time, but there are lots of other things, too. We need to get better at documenting our databases, and this is comprehensive work that has to be performed by a number of people,” confirms Anders Lundgren.

How GDPR will be applied in Sweden is not yet fully decided either. Several Government decisions are expected in April and May on the exceptions that EU law permits countries to make. This includes a decision concerning research that will not be completed until 25 May.

In collaboration with several other institutes of higher education, KTH is producing a web-based distance learning programme about GDPR for all its staff. This is a crucial initiative in terms of adapting to the new requirements as smoothly as possible, according to Maria Widlund.

“We can’t become paralysed, we’re supposed to be running an organisation here. But a great deal is also about using common sense. Reflecting a little more over which data we really need rather than just saving it because it might ‘come in handy’. And that’s actually quite a healthy approach, isn’t it?”

Text: Ursula Stigzelius

How you as an employee are affected by GDPR

  • The General Data Protection Regulation (GDPR) is a new EU regulation. It will come into force on 25 May in all EU countries, which will thus have new joint legislation on processing personal data. Application may still vary somewhat, as GDPR allows countries to make certain exceptions.
  • The purpose of GDPR is to better protect individual privacy. An individual already has the right to request a database excerpt showing the data about them that KTH has saved and how that data is used. GDPR strengthens this right.
  • As an individual you can also request to have your data erased. If you should incur loss as a result of the data in some way being leaked from KTH’s register, you can make a claim for damages.
  • When recruited or employed, you will be informed of the data about you that KTH intends to save and how that data will be used. One new item is the right to access the data you have provided yourself in order to transfer it to another service. This is known as data portability.
  • If you manage personal data concerning others in your work, you have equivalent obligations towards them. Information on the general obligations you are required to meet is available on
  • You will find out more about GDPR in the web-based distance learning programme that KTH is producing in collaboration with Chalmers University of Technology, the Swedish School of Sport and Health Sciences, Mid Sweden University and Stockholm University of the Arts. The programme will be available to KTH staff in May before GDPR comes into force.