SSG has spent the last year implementing extensive internal efforts to adapt to the new General Data Protection Regulation, GDPR. The organisation is also in the final phase of its certification to ISO 27001 in order to identify and minimise the company’s security risks. Only a small number of Swedish companies have completed this certification to date, and together with the increase in digitisation it will reinforce SSG in its role as a “trusted third party”.
The EU’s GDPR will replace the old Swedish Personal Data Act as of 25 May. The new rules on the handling of personal data will involve plenty of changes for all authorities, companies and organisations.
“The threat of sanctions and damages if we fail to comply with GDPR is one driving factor. The Personal Data Act was previously accused of being toothless. This is not expected to be the case with GDPR,” says Fredrik Jonasson, an external consultant from the IT security company that has helped SSG with its adaptation to GDPR and certification to ISO 27001.
Any company failing to process personal data in the correct way within the EU may be forced to pay what is known as an administrative sanction of up to EUR 20 million, or four per cent of its global turnover.
“The aim is to reinforce the rights of citizens, making more stringent demands of companies and other organisations to provide information on how they handle data, and what data they handle and why. This also involves harmonisation between the EU member states,” says Fredrik Jonasson.
It will also be possible, under certain circumstances, to refuse to allow personal data to be used.
“GDPR will ensure that the personal data of individuals, customers and companies’ own employees will be handled securely in accordance with the law. Companies themselves have to be aware of their data and the systems that handle this information. They also have to make it clear what data they collect and why,” says Fredrik Jonasson.
That said, many of the requirements in the GDPR were already laid down in the Personal Data Act. However, the GDPR will involve updating and tightening up the rules in some cases.
SSG has been working extensively over the past year to adapt to the new legislation.
“We have reviewed all the processes, procedures and services where we handle and process personal data. We started off with SSG Entre, our biggest service. We have looked through all agreements and information that we provide to customers concerning the processing of personal data. We have made sure that all our suppliers, in turn, meet the requirements laid down in the GDPR. Among other things, like all other companies we are obliged to keep a full register of the processing of our personal data in all our databases and services,” says Linn Folke, personal data representative at SSG.
“Many people have been involved in this work, and we have provided training to all staff on two occasions,” she continues. “Moreover, in accordance with the new law we have identified and appointed personal data assistants and personal data controllers – legal entities – and we will be appointing a personal data protection representative.”
Customers will not be all that aware of SSG’s GDPR adaptation.
“They will receive other information, altered in accordance with the new legislation, when they register for our services. And they will be able to obtain register extracts if they ask for them,” says Linn Folke.
Personal data will also be deleted after a certain time.
“According to the new law, you are not allowed to collect unnecessary personal information. We are only allowed to save the data that we need, and personal data must not be retained for longer than we have a legal basis for,” says Linn Folke.
“GDPR is really great, and as a result companies are all cleaning up their registers,” she says. “Personal data is valuable, and people have temporarily given us that data.”
While implementing its GDPR initiative, SSG has also been carrying out certification work to ISO 27001 with a view to improving information security by identifying and minimising the company’s security and information risks. ISO 27001 will help to protect the company’s information assets and improve confidentiality, privacy and availability.
“There are only around 70 companies certified to ISO 27001 at the moment. The GDPR is regulating how organisations work with personal data and its demands go beyond what is certified as part of ISO 27001. But that said, the standard and the regulation are very similar as regards actions required. This is an incredibly powerful tool which demonstrates that SSG has been reviewed on the basis of how the organisation handles all its information, including personal data. With this certification, SSG has therefore gone one step further than just adapting to the GDPR,” says Fredrik Jonasson.
For SSG, the adaptation to GDPR and certification to ISO 27001 are of particular strategic importance as one of the company’s long-term objectives is to be a “trusted third party” as regards the collection and handling of customers’ data flows.
“We wanted to demonstrate that SSG really is a trustworthy partner that customers can rely on when it comes to the handling of their information. We want to go on building on the well-established trust that people already have in SSG when it comes to being able to work among competitors and across industries. They must feel and know that the information they pass on to SSG is secure and that we have a structure in place for handling this information,” concludes Fredrik Jonasson.