It's no secret that there's a lot happening in the field of data protection, but many could do better at staying updated. Someone who is fully aware of the developments is IT lawyer Agnes Hammarstrand. Here, she provides an insight into the current status of data protection and what you, working in the field, can expect in the future. In short, the importance of good work within information security and data protection has never been clearer.
Increased interest in data protection issues
Companies and organizations are prioritizing data protection issues to a greater extent today. Those not working on these issues may face real barriers. For example, we have seen how suppliers who are not up to speed on these matters have lost customers. Those who do not have control over incident management and proactively work with information security are much more vulnerable to IT incidents, which create enormous losses and problems for the companies.
However, even as the work on data protection issues improves, there are challenges and a general frustration over bureaucratic rules and laws. Agnes Hammarstrand is a partner and lawyer at the law firm Delphi and a specialist in IT-related law. She is one of Sweden's leading experts and trainers in IT/tech and GDPR. Together with a team of lawyers and legal experts, Agnes advises companies, authorities, and municipalities on data protection and related issues. We asked her to describe the development and the challenges she sees ahead.
Data protection in 2023: GDPR and 50 years of data protection
Agnes describes 2023 as a real anniversary year: it marked five years with GDPR, 50 years of data protection in Sweden, and 50 years since Sweden's first data protection authority was established. That authority (what is now known as IMY) is also the world's oldest data protection authority.
When GDPR was introduced, Agnes (who had worked many years with the old personal data act) was contacted by many worried companies wanting to know more about the upcoming fines and sanction fees. She reassured the companies by explaining that it was unlikely that fines would be issued extensively right after the law came into effect, which also turned out to be true.
- However, recently we have seen that there has been more supervision, sanction fees, and also larger amounts. But I don't think one should work with GDPR out of fear of getting fines. There are so many other important reasons, says Agnes.
What did we learn from five years with GDPR?
- There is no quick fix that allows you to solve everything a few weeks before a law comes into effect. GDPR forces you to work continuously in the business. Routines and processes must be in place, and you have to do it both from a legal standpoint and from an information security standpoint and regarding technical security, says Agnes.
GDPR also introduced several requirements that encourage systematic work spanning information security, law, and technology. And although it took time, supervision increased and new guidelines were issued by the European Data Protection Board.
- Another exciting thing that has happened is that the organization NOYB (European Center for Digital Rights), which drives privacy matters, has reported many companies from a rights perspective, and in this way initiated supervision in cases, explains Agnes.
Another aspect that has received a lot of focus is transfers outside the EU. Those of you working with cloud services are likely familiar with Schrems II, which encompasses third-country transfers and American cloud services. Let's delve deeper into that.
Data transfer to third countries – Schrems II
In brief, Schrems II is a judgment of the EU Court of Justice that invalidated the Privacy Shield agreement between the EU and the USA for personal data transfers. It demands greater caution when transferring personal data outside the EU, and affected companies must take extra measures to ensure data protection. The issue has been a saga in recent years, and on several occasions it has been illegal to transfer personal data to the USA, which has not been considered an approved country.
However, there is now a new agreement between the EU and the USA on data transfers. The EU-US Data Privacy Framework makes it lawful to transfer personal data to US companies certified under the framework.
- But many are critical. Schrems III is in the making and being prepped by NOYB, but many do not believe it will hold. What happens, for example, if the USA gets a new president? If we continue to see further terrorism and insecurity in the world? Some believe that it is already problematic today according to GDPR, Agnes points out.
Agnes Hammarstrand, Lawyer and Partner at Delphi
5 key data protection tips from Agnes for the future
1. Transfer is not just about where the server is located
– It's one of the most common misconceptions I hear. Most are aware of the ownership and where the server is located. But the most important thing is whether any transfer of personal data is taking place at all. Is someone looking at the personal data? Is there a helpdesk or support in another country? That's also a transfer. You must read the agreements and look at the whole picture. To determine if a service is legal, it's rarely about foreign ownership or where the server is, but rather what information security is in place, how the agreement looks, and whether European and Swedish law is followed.
2. Take a step back and analyze
– Review what is most important for your company and what you should prioritize. Consult with an expert. You will not necessarily face the same risks as another company, municipality, or region. Consider the following questions:
- Are we working systematically and continuously with GDPR and other issues?
- Do we have an organized way of working with these issues?
- Do we have system support?
- Have we prioritized the most important legal documents and routines?
3. Review the entire contract during an IT purchase
– It's not just about looking at the issue of third-country transfers. Also, consider what the supplier promises in its entirety, such as what happens during an interruption. What demands do you yourselves place on availability? These are important questions that also have implications for data protection work. There are often GDPR issues in the procurement of IT services, so have a lawyer read the entire contract, not just the data processing agreement.
4. An even greater need for a holistic view and system support
– We are facing a more complex reality today with more laws interacting. For example, the AI Regulation has now been finalized and will apply throughout the EU. We have the Data Act which was recently adopted by the EU. As data protection is an integrated part of systematic compliance work, the right tools like system support become increasingly important.
5. Personal data incidents have become more serious
– From a legal perspective, we see a general increase in personal data incidents. Earlier, the incidents were not as serious – now they really cause damage. We have seen companies that almost went bankrupt and citizens seriously affected. This must be taken seriously through preventive, continuous work focusing on how companies deal with incidents. It's not just an IT issue to be delegated to someone in IT, but issues that affect the entire company, municipality, or region.
Summary: How you should work with data protection moving forward
- It becomes even more important to work together in the future, between law, technology, information security, and the business at large. In law, it becomes more important to look at contracts and other legal documents. From a technical aspect, you need to review how you protect the company's information, what kind of access control you have, and how you work with information security.
This text is based on the presentation Agnes Hammarstrand gave in our webinar on cybersecurity on November 16, 2023. The webinar also includes exciting discussions about, among other things, DORA and NIS2.
Do you want to know more about how Stratsys can assist you with your information security work? Read more about our product Information security & Privacy here, or contact us directly and we will be happy to tell you more.