EU General Data Protection Regulation
On 25 May 2018, the EU General Data Protection Regulation, GDPR, will replace our Swedish Personal Data Act. The biggest changes are that individuals’ rights are more strongly protected and the Regulation applies in all EU countries.
The Swedish Personal Data Act has existed for about 20 years. Next year it will be replaced by the EU General Data Protection Regulation. The same data protection rules will apply throughout the EU and the legislation will be brought up to date with technical developments. The legislation will affect all processing of personal data. Consequently, it will affect the way in which everyone at Uppsala University deals with such data.
The General Data Protection Regulation (GDPR) requires a legal basis for all processing of personal data. Individuals are given greater control over their personal data in various ways. Their right to access data that they have submitted themselves is strengthened, as is the possibility of having information corrected or being forgotten and having information erased. Personal data breaches have to be reported within 72 hours.
Companies, organisations and public authorities will have a single regulatory framework to refer to when operating in more than one EU country. What it means for Uppsala University is that the University must begin by identifying the kinds of personal data that are currently collected and why. This is being done in the form of a project at the University, with a working group and a steering group. The project has a project manager and a sub-project manager who have been making the rounds of the University since May spreading information about the GDPR and what the University and its staff are expected to do.
Here are some questions for everyone to start thinking about...
- What personal data do I collect?
- How and when are the data that I collect processed and used?
- How do I collect personal data?
- Why do I collect these particular personal data? Is there any legal basis, in other words, are there any laws or rules that permit me to collect and process these personal data?
- How long to I keep the data I collect?
- What is there to show that the individuals concerned have given their consent?
- Do I disclose personal data to anyone else?
- Do I supply personal data to third countries?
- Does anyone else have access to these personal data?
- Do any procedures or policy documents apply to my dealings with personal data?
- Who is responsible for data protection issues in my part of the organisation?
The project is owned by Deputy University Director Per Abrahamsson. Apart from the project owner, the steering group consists of Professor Oskar Nordström Skans, Department of Economics; Professor Johan Sundström, Department of Medical Sciences; Researcher Helena Grönqvist, Department of Women’s and Children’s Health; Professor Sverker Holmgren, Department of Information Technology; Legal Officer Magnus Hallberg; Deputy Chief Security Officer Veronika Berglund; Head of Division Gunilla Sundström, University Library; and IT Director Mia Lindegren.
The members of the project group are Legal Officer Magnus Hallberg; Deputy Chief Security Officer Veronika Berglund; Head of Division Gunilla Sundström, University Library; IT Director Mia Lindegren; and Communications Officer Ulrika Hurtig, IT Division. Legal Expert Susanne Svanholm is project manager/coordinator and Security Consultant Nils Daniels is sub-project manager.
Who knows more?
If you can’t find the answers to your questions on the FAQ page, please email Magnus Hallberg (legal issues) or Veronika Berglund (security issues). Questions about IT systems can be sent to Servicedesk who will pass your questions on.