Why care about personal data and GDPR?


As a business owner you have a lot to gain from keeping the personal data you collect and process in good order, not least so that your customers, suppliers and employees can feel confident that you are processing their data responsibly.

Risk of a fine

On May 25th 2018 the General Data Protection Regulation (GDPR) came into effect in Sweden and the rest of the EU. One effect is that the Swedish Authority for Privacy Protection, formerly the Swedish Data Protection Authority, can decide that a company that does not follow the rules of the regulation must pay an administrative fine.

The fine can be up to EUR 20 million or four percent of the company's total global annual turnover, whichever is higher. The size of the amount depends on, among other things, how serious the violation of the regulation is, how great the damage is, whether sensitive personal data is involved and whether the violation was deliberate.

The risk of considerable fines has caused many companies to review how they collect and process personal data. Note, however, that Sweden already had legislation before GDPR, in the form of the Personal Data Act, that regulated and restricted how companies were allowed to use personal data.

The purposes and scope of GDPR at the Swedish Authority for Privacy Protection (IMY)

Correct personal data creates security and order

Apart from risking a fine if your management of personal data violates the law, why should your company even be concerned about how it processes personal data?

If your customer directory only holds correct and relevant data about existing customers, you as a business owner do not need to doubt whether the data in the directory is reliable.

All companies, regardless of their activities, benefit from having order in their production, customer contacts, accounting and way of managing personal data. One of the basic principles of the data protection regulation is that personal data may only be collected for a specific, predetermined purpose, for example to manage contracts and deliveries and to send invoices to customers. You may only collect the data that is needed to fulfil that purpose, and the data may only be stored for as long as it is needed.

Protect the information against theft and unauthorised persons

Another important principle of the regulation is that the personal data your company holds must be protected so that it is not stolen, unintentionally deleted or accessed by an unauthorised person. Data about your company's customers, suppliers and employees is naturally also important from a competitive standpoint: you will most likely want to avoid a competitor gaining access to information about your customers.

There have been cases where attackers have obtained large amounts of personal data, often credit card information. Regardless of their size, companies that lose control of data about, for example, their customers can expect badwill costs, especially from the people who gave the company their information in the belief that it would be processed in a responsible and lawful way.

Competitive advantage to following the rules

In several industries, codes of conduct and certifications have become a way for companies to show that they are, for example, conducting their business in an ethical, social or environmentally sound way. For many companies, fulfilling a certain code of conduct or holding a certain certification has become a competitive advantage.

Codes of conduct are encouraged by the data protection regulation itself. By signing your company up to an approved code of conduct for how personal data is processed, customers and suppliers can feel secure about how you process their data, which may prove to be a competitive advantage for you.

In the same way that poorly protected personal data can result in badwill costs for your company, you can count on goodwill if you can show clearly that you are following the rules of the data protection regulation.

The same rules all over the EU make it easier for you as a business owner

One of the ideas behind the data protection regulation is that the same rules for how personal data may be processed apply throughout the EU. This makes it easier for companies to expand and operate in several EU countries. A Swedish company that follows the data protection regulation therefore need not worry that different rules apply to how data about, for example, customers may be processed in another EU country. If your company's processing of personal data is in order, you are prepared for a future expansion.


Responsible: Swedish Agency for Economic and Regional Growth
