Data Protection Officer, DPO
The Data Protection Officer (DPO) is the organization’s contact person for privacy issues, both against customers and the supervisory authority. The Data Protection Officer is responsible for ensuring that the organization has procedures and policies in place, and that the Privacy Impact Assessment is updated. DPO is not just a title, the person appointed as Data Protection Officer has great responsibility and a key role in the company’s work on compliance with GDPR.
Personal data is data that can be linked directly or indirectly to a living person.
Examples of direct personal information are name, user name, password, home address, telephone number or e-mail address.
Indirect personal data is data that can be linked to a person, such as information on ethnicity, if the person has children, what they have traded for goods or driving for car.
Personal data incident / personal data breach
A personal data incident is inaccurate disclosure of data. This may, for example, be data that has been hacked or stolen, exposed on the Internet, spread via e-mail or used incorrectly, by carelessness or mistake.
The incident is considered to be extra serious if it involves many people’s personal data or extra sensitive information about individuals.
In the event of a personal data incident, anyone who handles personal data is obliged to promptly inform both the affected individual and the supervisory authority (Datainspektionen in Sweden).
Data Privacy Impact Assessment, DPIA
Data Privacy Impact Assessment (DPIA) is an impact assessment that answers the questions how, where, when and why the organization handles personal data. The Data Privacy Impact Assessment also includes a risk analysis of the personal data processing. The DPIA must be updated every time any parameter changes.
Privacy by design
Privacy by design means enabling privacy protection on a strategic level. In practice, this means to design systems that do not unnecessarily expose personal data. In this case, ‘systems’ is not limited to technical systems; it also involves the company’s policies, processes and systems.
Privacy by default
Privacy by default is privacy protection at the operational level, ie the technical system level. Efforts to establish privacy by default includes encrypting personal data or separating different types of data into different systems.