If your business operates in Sweden, you have probably noticed that Datainspektionen is the Swedish Supervisory Authority. This means that Datainspektionen is responsible for monitoring compliance with GDPR (and other data protection laws) by Swedish companies, organizations and public entities. Datainspektionen has now released its annual report for 2019, and in this blog post we summarize some of its most important aspects!
The work of Datainspektionen
In 2019, approximately 19 400 cases were registered at Datainspektionen. These cases can, for example, concern questions sent in by e-mail or reports of data breaches. One third of all questions Datainspektionen received concerned which legal basis is the right one for processing personal data. There are six legal bases in GDPR, e.g. contract and legitimate interest. You can read more about the different legal bases here.
Besides ensuring compliance with GDPR in Sweden, Datainspektionen cooperates with the European Data Protection Board (EDPB) to achieve a coherent interpretation of GDPR within the EU. Datainspektionen has tried to raise questions relevant to Swedish companies and organizations. The work with the EDPB means that Datainspektionen, together with the other Supervisory Authorities, writes guidelines and similar documents to be used by companies, organizations and public entities. Furthermore, Datainspektionen has worked operationally with cross-border cases.
During 2019, Datainspektionen received 4 800 reports of data breaches. This is an increase from 2018. According to Datainspektionen, however, neither this increase nor the fact that a business reports many breaches necessarily means something negative. Instead, it can be an indication that the business has a well-functioning routine for discovering and reporting data breaches.
A reported data breach can lead to an audit of the business. Around ten audits have been initiated this way. For Datainspektionen to initiate an audit based on a breach report, the data breach must generally be serious or indicate systematic problems.
The handling of data breaches was manual during 2019, but this has now changed. Datainspektionen has recently launched an e-service to report data breaches.
During 2019, Datainspektionen initiated 51 audits. These audits were mostly focused on identified risk areas. Some of these risk areas are healthcare, schools and consent as a legal basis. Through risk-based audits, Datainspektionen hopes to have the greatest possible impact on the protection of personal privacy.
Most of the audits initiated during 2019 are not finished. The procedure often takes considerable time because of the lack of established practice and because the application of GDPR has to be uniform across the EU. Datainspektionen writes that most of the ongoing audits will be finished during the first six months of this year.
Audits are necessary to ensure compliance with data protection laws. For example, three out of four data protection officers report that their business has guidelines for handling personal data. This means that 25 % of all businesses with a data protection officer most likely do not have basic routines for processing personal data. Datainspektionen also writes that many small enterprises generally have not come as far as larger enterprises regarding the organization's data protection.
Do you need help to become GDPR compliant? Contact us!
Data subjects have the right to complain to the Supervisory Authority. As a main rule, a data subject who files a complaint shall obtain a decision within three months.
Datainspektionen received over 3 500 complaints during 2019. This is an increase in the number of complaints, and the same increase can be seen in many countries in the EU. It might be an indication that people are becoming more aware of their rights. Another indication of this is that 53 % of all calls to Datainspektionen were made by private individuals.
It is not only reports of data breaches that are relevant in determining where audits might be necessary. Datainspektionen uses complaints in the same way: the complete picture from the complaints tells Datainspektionen where to focus its work, and in which companies, organizations or public entities there might be great risks regarding the protection of personal data. Through different complaints, it has initiated audits against e.g. Klarna and Spotify.
Table listing corrective measures (in Swedish)
Source: Datainspektionens annual report 2019
Datainspektionen claims to have noticed that many companies, organizations and public entities reached the next level in their compliance work during 2019 compared to 2018. This is reflected in the fact that the number of questions sent to its e-mail decreased. The questions asked during 2019 were also more qualified and often required legal interpretations and assessments. However, Datainspektionen points out that it cannot give a specific answer for a particular situation. GDPR often requires that the business in question makes the assessments itself and documents them. The reason for this is the principle of accountability in GDPR.
Read the whole report here.
We hope you liked this blog post! If you have any further questions regarding GDPR you are more than welcome to contact us at GDPR Hero via email email@example.com or phone 046 – 273 17 17.
Are you interested in our tool for recording of processing activities? Book a free demo here.