Frequently asked questions about GDPR

Jun 15, 2020

Which Companies Will Be Investigated First?

In Sweden, the supervisory authority Datainspektionen prioritizes cases where the risk of misuse is particularly high, for example, organizations handling large amounts of sensitive personal data. They also prioritize received complaints and cases highlighted by the media.

One of the first areas of supervision has been to check whether organizations that are required to appoint a Data Protection Officer (DPO) have actually done so. This includes public authorities, security companies, and marketing organizations. The DPO serves as the organization's point of contact for the supervisory authority and for data subjects, and must hold an independent position, whether employed within the organization or engaged externally; that independence is itself evaluated during inspections.

We Have Just Started Our GDPR Work and Are Not Yet Compliant—What Should We Do?

GDPR compliance should be approached as a structured project. The first step is to map your organization's data processing activities: identify which personal data you hold, why it is processed (the purpose and legal basis), how it is processed, who has access to it, and where it is stored.

After this, the work focuses on creating GDPR-compliant agreements, informing data subjects, and establishing documented policies, rules, and processes. GDPR often requires significant organizational changes, so it is essential that management takes responsibility and actively leads the transformation.

If you have not yet completed these steps, don’t panic. The most important thing is to have a clear compliance plan that is supported by management.

Is It Necessary to Use Lawyers to Comply with GDPR?

It depends on your level of ambition and the complexity of your organization. Fully complying with GDPR usually requires expertise in data protection law, typically from lawyers with experience in privacy regulation.

Lawyers are particularly useful when drafting supplier agreements and data processing agreements.

In addition, organizations need access to expertise in information security, technical safeguards, and organizational processes for handling personal data.

If you hire consultants, make sure they cover all three areas: legal, technical, and organizational.

My Company Only Has a Simple Website—Do We Still Need to Comply?

Yes. If you process personal data, you must comply with GDPR. Personal data is any information relating to an identified or identifiable person, such as names, IP addresses, email addresses, and images.

GDPR applies if your organization has any of the following: a website, a customer register, an employee register, or email collection. In practice, this means that almost all organizations must follow GDPR requirements.

A key part of compliance is informing individuals about how their personal data is processed. This requires a privacy policy on your website. There are many examples available online if you need guidance on how to structure one. Remember that IP addresses and cookie identifiers are also considered personal data. If your website uses cookies, you must also have a cookie policy in place in accordance with applicable laws.