Faculty of Medicine's internal website


General Data Protection Regulation (GDPR)

Summary of GDPR EVENT 29th of May

Did you miss the GDPR-event at 29th of May? Find out what GDPR means to you and your research.

"Dataskyddsförordningen" is the Swedish name for “General Data Protection Regulation” (GDPR) which comes into force on 25 May 2018.

Dataskyddsförordningen will replace dataskyddsdirektivet and the Swedish personuppgiftslagen. The regulation applies to all personal data processing at the university, ie. such information which directly or indirectly makes a living person identifiable.

What do you need to be aware of?

Below are a few examples:

  • The burden of proof lies on the university that data processing is legal and correct.
  • All personal data processing needs to be registered at the university before you can start.
  • Based on GDPR, an individual has the right to know how his or her personal data will be used, however there are exceptions.
  • Built in data security is required, which means that IT systems and routines should be configured with data security in mind.
  • Data collection and usage should be minimized. You should explain how the data you intend to process is relevant and limited to the purposes of the research project (in accordance with the data minimization principle).
  • You should describe the security parameters that will be taken to prevent unauthorized access to personal data, and the technical and organizational measures that will be implemented to protect the rights and freedoms of the registered research participants.
  • The regulation applies to all personal data processing at the university. It does not matter territorially where the data is collected or stored. Neither does it matter if the data is encrypted or encoded, as long as it is possible to restore the link to the individual.
  • GDPR applies to all of the university's collaboration projects, even in cases where personal data is transferred from a non-EU country to the EU.
  • In cases where personal data is transferred from the EU to a non-EU country or international organization, you must confirm that such transfers are in accordance with Chapter V of the GDPR.
  • When a type of processing –  particularly using new technologies – and the nature, scope and context is likely to result in high risk to the rights and freedoms of individuals, the inspector must, before the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
  • When processing patient data, genetic data and health-related data, you need to map privacy risks, document personal data processing, evaluate risk levels in managing personal data and establish a plan of action = data protection impact assessment (DPIA).
  • Evaluate the risks associated with the project's data management. This also includes an impact assessment if a DPIA should be carried out. The risk assessment and opinion must be submitted.

New legislation coming

In order for research to be possible, new legislation - the national law forskningsdatalagen (the research data law) will be passed; when this will happen is yet unknown.  If you are processing sensitive personal data, such as information about a person's health, you will continue to be required to obtain ethical approval, even in the future.

Why all the fuss about GDPR?

The protection of personal integrity is one reason for taking the regulation seriously. In case of violation, an organisation may be liable to pay a penalty of up to EUR 20 million, or up to 4% of its global annual turnover in the previous financial year. Organisations conducting research, such as universities, are rumoured to get away with SEK 10 million.

Site overview