Stricter requirements for managing personal data
Clearer, more uniform and more transparent. The new General Data Protection Regulation (GDPR) contains stricter and to some extent new requirements for managing personal data. Work is currently underway at KTH Royal Institute of Technology on adapting and strengthening existing systems. A web-based distance learning programme will also provide KTH staff with tools to deal with the new rules.
The new EU-wide General Data Protection Regulation (GDPR) will come into force on 25 May. It includes stricter requirements for those managing personal data to be able to report which data is stored and why.
You need to be aware of what you’re doing. Check that there is a legal basis for collecting and saving the data. Don’t collect more data than necessary or save it for longer than necessary, explains Robin Roy, project manager for the work on adapting to the new regulation. He is currently personal data officer at KTH and will be KTH’s data protection officer from 25 May.
The General Data Protection Regulation (GDPR) will replace existing Swedish legislation (Personal Data Act). The overall aim, to secure the individual’s right to a private life, is the same, and much of GDPR is similar to the rules in the existing legislation, according to Robin Roy.
“We don’t need to reinvent the wheel. But GDPR contains some new items and also puts more emphasis on the responsibility of those managing personal data to ensure the rules are followed.”
Think before you act
This includes the obligation to inform the registered person of which data is in the database. Procedures for managing complaints, requesting database excerpts and erasing data from the database must also be upgraded.
Responsibility for data security is also being tightened up, including requirements for impact assessments before new data processing is planned.
“We’re expected to be proactive in our approach to data protection. If we haven’t considered it beforehand, we’re in breach of the regulation,” explains Robin Roy.
Serious security incidents, such as hacking, must be reported to the Swedish Data Protection Authority within 72 hours. At the same time, the concept of data incidents is being expanded to also include such things as burglaries in which documents disappear.
“And if you lose a USB memory stick with a class register on the underground, this is also counted as a data incident,” says Robin Roy.
Another new item is that the Data Protection Authority can impose an administrative fine on those who break the rules of the regulation.
Where KTH is concerned, adaptation is complicated by personal data currently being handled in many different ways and at many different levels. This includes everything from the Ladok student registry and central staff register via associated systems to individual teachers’ Excel registers.
Prior to the introduction of GDPR, an inventory and survey of existing systems and processes has therefore been made. Maria Widlund, Group Head of HR, is part of the group that, along with Robin Roy, is reviewing the results for staff administration systems. She welcomed the inventory and considered it much needed for several reasons.
“We need to ensure that personal data is processed more uniformly, collaborate more and do more things in the same way so that we comply with the regulation. But this is also in line with the developmental journey we’ll be making in any case towards a more cohesive KTH, what the President calls a Unified KTH,” she says.
But neither Robin Roy, Maria Widlund nor University Director Anders Lundgren believe that all new procedures and adaptations will be fully in place by 25 May.
“No, we’re hoping that the major systems will be in place at that time, but there are lots of other things, too. We need to get better at documenting our databases, and this is comprehensive work that has to be performed by a number of people,” confirms Anders Lundgren.
How GDPR will be applied in Sweden is not yet fully decided either. Several Government decisions are expected in April and May on the exceptions that EU law permits countries to make. This includes a decision concerning research that will not be completed until 25 May.
In collaboration with several other institutes of higher education, KTH is producing a web-based distance learning programme about GDPR for all its staff. According to Maria Widlund, this is a crucial initiative for adapting to the new requirements as smoothly as possible.
“We can’t become paralysed, we’re supposed to be running an organisation here. But a great deal is also about using common sense. Reflecting a little more over which data we really need rather than just saving it because it might ‘come in handy’. And that’s actually quite a healthy approach, isn’t it?”
Text: Ursula Stigzelius