Before the fire starts… DPOs in Sweden
January 27, 2015
In recent months, from Malmö in the south to our capital Stockholm on the edge of the Baltic Sea, the PwC Risk Assurance team in Sweden has been running seminars for clients on the proposed EU General Data Protection Regulation (GDPR).
I was taken by surprise at the level of interest from the audiences. They don't just sit and listen politely. They take notes, raise questions and participate actively in discussions – reflecting what an important topic of conversation this is.
There has been a clear consensus from businesses in Sweden that they need to prepare for the appointment of a Data Protection Officer (DPO) before the GDPR is approved, even though it cannot be guaranteed that the proposed requirements will survive into the final version of the legislation.
Under the current Swedish Data Protection Act (in Swedish: Personuppgiftslagen, PuL) a Personal Data Representative (PDR) is voluntary – a role comparable to that of the DPO. According to the Swedish Data Inspection Board there are 4,400 PDRs appointed by 7,100 businesses in Sweden (one PDR can serve several businesses).
It would not be a huge leap for an existing PDR to take on board the principles of the GDPR, and, with some extra training, obtain the necessary credentials to be appointed as a DPO. This approach would make clear and obvious sense rather than introducing someone without previous experience in data protection and privacy - even if it would take at least half a year to learn the skillset required of a DPO. This judgment is based on my experience with two multinational corporations with whom I have recently conducted privacy projects.
Making decisive decisions avoids losing valuable time. Businesses will lose out if they are reactive to the requirements of the GDPR.
In Sweden there are approximately 1 million companies. It goes without saying that not all of them will need to appoint a DPO, but it is clear that appointing someone with previous experience will not be possible for most businesses if they act too slowly.
I am troubled that some businesses are so relaxed about this potential problem. It is all too common to focus on fighting one fire at a time, rather than planning before the fire starts.