At the moment, we are working on preparing Areff and its staff for GDPR, the General Data Protection Regulation (Regulation (EU) No 2016/679 of the European Parliament and of the Council), which comes into force in May 2018.
“Start in time, keep a close eye on the process and check off the list” – those are the tips Fredrik Martinsson, co-owner and project manager for the introduction of GDPR at Areff Systems AB, gives regarding the introduction of GDPR. He continues: “GDPR is not an IT issue; it concerns all staff and all systems at Areff and covers both our internal personal data and the external personal data from our customers.”
What do the CEO and the IT manager say?
“I think we have started well in advance and have already included all employees at Areff, from the finance department to production. In our industry, security and integrity and the rules of the Personal Data Act, PuL, have always been important. Now we get a more formal regulatory framework to work with, so it’s important to include everybody,” says Bernt Karlsson, co-owner and CEO at Areff.
“Many routines are already in place and some are new and need to be implemented soon. The work is in progress and we are keeping an even pace. It feels good,” says Christian Kuhr, IT Manager and Technician at Areff.
In our work at Areff we divide the project into two main parts: handling of employee personal data and handling of our customers’ personal data.
Personal data relating to employees include personal identification numbers, e-mail, salaries, pensions, vacations and possible illnesses, but also appearances on Areff’s website and in other marketing materials such as leaflets and product catalogs. GDPR covers ALL personal data relating to the employee, including any information that can be linked to the employee, so a plan is needed for all of it. To meet the requirements, we look at our entire information structure. In that work, we have developed a structure to properly store and protect the information we need, but we have also identified some data that can be cleared.
“The main rule we use in terms of personal data is to ask the question – Do we need this information? If not, discard it immediately,” explains Christian Kuhr.
Documentation such as photography and filming must also be done with the employee’s consent. Here, the solution is to structure the information in such a way that it is easy to erase or organize as needed, and to protect it at a higher IT security level. This also applies to publications and social media, where we have a policy on how and why we publish, and consent must be given between the parties before publication.
“Working with web and marketing materials while following the GDPR will be challenging. For our part, it will be important to ensure that our material is good and cool and follows the GDPR, and that we have agreement with the people involved,” describes Charlotte Jolin, Marketing Assistant at Areff.
As far as our customers’ personal data are concerned, we have worked according to the guidelines in PuL, which is the current legislation. This means that many principles and tools for handling names, e-mail addresses and, in some cases, more sensitive information such as social security numbers are already in use at Areff. However, we will work through the entire structure to ensure that the information is handled in a proper way. “We will also give some data a higher security class, and clear data that we have no legitimate reason to save and use,” says Fredrik Martinsson.
Personal data used in order management is also a matter for GDPR, but in this case we also take into account the accounting laws that already exist. “We are required to save our bookkeeping for at least seven years and, as before, we will do it in the most secure way possible,” explains Emelie Gustafsson, Finance Assistant at Areff.
“We are constantly working to improve our IT environment and its security. The IT system is one part of the introduction of GDPR, but compliance with GDPR cannot be achieved only by changing or improving the IT system or implementing a lot of new online tools. Meeting the requirements of GDPR requires a changed and more restrictive way of looking at personal data, as well as the ability to introduce new routines and practices in the organization,” explains Fredrik Martinsson.
We will continue the work and be as ready as one can be by May 2018. We have also started projects together with existing customers to look at their solutions and assist in ensuring that they meet the GDPR on time.
“GDPR can be seen as very bureaucratic and will complicate some of our work, but the purpose, to increase the protection of the individual’s personal data, I think weighs heavier,” concludes Fredrik Martinsson.
Read also – IT Lawyer Checklist: This is required to comply with the EU Data Protection Ordinance