A Guide to GDPR
One thing that has probably not escaped anyone's notice is the new EU law, the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018. (Its Swedish name translates simply as "the Data Protection Regulation".) We have tried to gradually understand GDPR, both before it came into force and afterwards, and below we present our view of the law and the data it regulates.
At Republic, we specialize in technology, design, and content. The legal text of GDPR and the published recommendations are not always easy to understand, so consider the following a guide of sorts. If you as readers, or we ourselves, discover inaccuracies, the text below will be updated.
For legal questions, it is recommended to contact a lawyer to assess your specific situation. That said, we believe the following information is the most important to have in order.
What is GDPR?
First and foremost, GDPR is something very positive: it is a law that gives everyone in the EU the right to protect their personal data. Many countries already had similar legislation, but compliance was difficult because the rules varied from country to country. GDPR ensures that we have common rules for all 27 member states of the EU.
The law also entails a lot of work, but from a broader perspective, it is a significant step in the right direction that benefits us as individuals. It can be good to keep this in mind.
The purpose of the law is not to impose fines on as many companies as possible but to ensure that companies operate ethically and transparently with their customers' personal data, which many unfortunately do not do today.
The potential fine, or administrative sanction fee as it is called, of 20 million euros or four percent of global turnover (whichever is greater) was frequently mentioned in the media and by lawyers wanting to sell GDPR measures ahead of its implementation. Even in the webinars we have attended, organized by auditing firms and consulting companies, the potential fine was largely the focus.
However, there are certainly those who have to pay, and according to the Swedish Authority for Privacy Protection (IMY), formerly the Data Inspection Board, GDPR violations resulted in 150 million in sanctions during 2020, so if the ethical aspect is not reason enough, perhaps the fine amounts can be.
But, the intention of the law is not primarily to collect money but to achieve a more responsible management of personal data because the current practice leaves much to be desired. The more one knows, the more one realizes that it is necessary.
The two most important guidelines to keep in mind when making decisions are:
- Collect as little personal data as possible from individuals
- Be transparent about what is collected and why
What does the law regulate in practice?
For those who do not want to read the entire legal text, which includes us, one can generally say that the law dictates the following three things for all EU citizens:
- “Right To Access”
- “Right to Data Portability”
- “Right To Be Forgotten”
These are generally summarized in the following points:
- Individuals have the right to know what data is collected and stored
- Individuals have the right to know why data is collected and stored
- Individuals must actively give their consent that it is okay to collect this data
- Individuals have the right to edit their personal data
- Individuals have the right to export the data that is stored about them
- Individuals have the right to permanently delete data that is stored about them
All of the above points are things that are good to consider already in the planning stage when designing or developing a new website or web service where personal data is intended to be stored in some way.
Building in support from the start so that users can edit, export, and delete their data from the service on their own is therefore no longer a nice-to-have; it is a legal requirement, unless you want to handle every request manually. It is best to plan for it from the outset.
Different roles and responsibilities
The law also distinguishes between who is responsible for ensuring that the above is followed. The two roles are Data Controllers (which in our case are often our clients) and Data Processors (us and the other suppliers that clients use).
There are also sub-processors, the subcontractors a processor in turn uses, and it is good practice to be transparent about which services and suppliers are involved, preferably in a Privacy Policy or similar document.
The Swedish Authority for Privacy Protection has a guide for entrepreneurs and the Swedish Agency for Economic and Regional Growth has a guide for small business owners on verksamt.se – these can be a good starting point to get an idea of what is expected of you.
A data processing agreement is needed to handle data
As data processors, we must sign a data processing agreement, or a so-called Data Processing Addendum (DPA) agreement, with the Data Controllers (clients) we work with, which stipulates the rights and obligations that exist between us.
Data processing agreements are needed for suppliers who handle personal data.
We have developed a data processing agreement that we prefer to use with our clients. The reason is that it is not cost-effective for us as a small company to hire a lawyer for every client relationship, especially when that cost in some cases can compete with the project budget in size...
A Data Protection Officer may also be needed
In some cases, an organization must appoint a Data Protection Officer (DPO) who is named and responsible for ensuring that the company complies with GDPR. This primarily applies to larger organizations and those that process large amounts of personal data.
The role of the officer is to ensure that the data protection regulation is followed within the organization by, for example, conducting checks and information efforts, and this person is also the contact person for the authorities.
In Sweden, it is the Swedish Authority for Privacy Protection, formerly the Data Inspection Board, that is the authority that ensures GDPR compliance.
All individuals have rights to their data
All individuals who use a digital service or system have rights to their own data, which is referred to as Data Subject Rights (DSR) in English.
In most cases, it is absolutely easiest to give individuals the ability to both view, edit, and delete their information on their own. If this can be automated in the system, there is much time to be saved administratively.
If they cannot do this on their own, they have the right to submit a so-called DSR request, and it must then be clear who to contact. The law states that you as the responsible party must delete all personal data within 30 days from when an individual requests it. If there are no tools where this can be done on their own, then a manual process for this must be in place.
Responsibility for how data is stored and the obligation to report any leaks
From our perspective, it is each customer (Data Controller) and their respective hosting company that will bear the greatest responsibility for ensuring that the website/e-commerce solution/system meets the requirements set by GDPR regarding storage.
The hosting company is responsible because it is they who save and store the information, and the customer is responsible because it is they who collect data and use it in their operations. It is also up to the hosting company to ensure that storage and security meet the agreed standard, but also to report any data leaks to the affected persons, in cooperation with the customer, and to the authority within the legislated time frames if that happens.
It is also the customer's responsibility to ensure that collected data is not used for any purpose other than what it was collected for, as it is not allowed to collect data for one purpose and then use it for something entirely different. Then the individual's consent no longer applies.
We are of course happy to do everything we can to design and develop digital services and systems that comply with the General Data Protection Regulation, and we are happy to share what we know. We also try to inform our clients if we believe they may have missed something. To resolve these types of situations in the best way requires cooperation between the client and all their suppliers, and since we all share responsibility in one form or another, there is no other way to handle GDPR.
In which country is personal data stored?
The question of where the data is stored geographically is also up for discussion; we always try to use servers in the EU to facilitate for both our clients and ourselves. But almost everyone uses other services that in turn store data in, among other places, the USA.
Previously, companies could join an agreement between the USA and the EU called Privacy Shield, and then data could be shared between companies in the EU and the USA. However, the EU Court has recently overturned that decision, and therefore it is still a bit unclear what applies. Here are two articles that IMY has written on the subject:
- The Swedish Authority for Privacy Protection reviews the transfer of personal data to third countries
- How the Schrems II ruling affects transfers to third countries
Considerations
There is still much that is unclear. Some things are particularly tricky from a technical perspective, even if one has the best intentions in the world.
For example, consider backups. If a user has been a customer for 12 months and then wants to be removed from the customer register, what do you do with the backups that exist? If there is a backup of the data for each day of the past 12 months, do you then have to go through these and delete the information in all instances, or is it enough to delete the data and let these backups be phased out gradually? As I said, I do not know today.
There are certainly cases where we are liable for the data that is stored; what does the law say if, for example, we have a development server that we own where we test things but where there may still be, albeit old, some form of customer data?
Or what happens if we work on projects on our computers? Even if we strive to work in the best way possible, it is practically unavoidable that we will come into contact with customer data in one way or another from time to time.
We are of course trying to clarify these types of questions for our sake, but of course also indirectly for our clients.
Finally, if you who are reading this have GDPR expertise and find inaccuracies in the text above, please feel free to contact us and kindly and concretely point out any inaccuracies supported by facts and references, and we will do our best to update the text.
What needs to be done on your website?
This is obviously difficult to answer in general, but the first thing that needs to be done is to figure out what personal data, if any, is being handled.
Once that is done, there are certain things that apply to everyone who collects personal data online:
- Ensure that you do not collect more personal data than is necessary
- Ensure that you are transparent about why specific data is collected when you ask customers for it
- Clean up old data; if you have customer data last updated in 1998, it is probably no longer relevant and can be removed.
- Ensure that the customer chooses to share their data.
- Ensure that you do not use collected data for anything other than what you said you would do.
- Ensure that customers can exercise their Right To Access, Right to Data Portability, and Right To Be Forgotten in a good way.
- Anonymize data you do not need, such as IP addresses (a classic example is Google Analytics, which in many cases is just as useful with anonymized data).
- Ensure that you specify which third-party services you use in a Privacy Policy.
- Ensure that there is contact information for your Data Protection Officer or at least a clear way to reach you for an inquiry.
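The anonymization point in the list above is the one that is easiest to get wrong in practice, because the IP address usually ends up in access logs long before anyone thinks about analytics. The following is an added example, not code from the original article or from Republic, showing the usual truncation (zeroing the last octet of an IPv4 address and the last 80 bits of an IPv6 address, the same scheme Google Analytics documents for its IP anonymization) applied to a few constructed Common Log Format lines before they are written to durable storage. The log lines, addresses and function names are assumptions made for the example.

```python
import ipaddress
import re

# Prefix length to keep per IP version: IPv4 keeps /24 (last octet zeroed),
# IPv6 keeps /48 (last 80 bits zeroed). Assumed policy for this example.
KEEP_PREFIX = {4: 24, 6: 48}


def anonymize_ip(raw: str) -> str:
    """Return the address with its host part zeroed, so that it identifies a
    network rather than a single visitor. Raises ValueError on bad input."""
    addr = ipaddress.ip_address(raw.strip())
    net = ipaddress.ip_network(f"{addr}/{KEEP_PREFIX[addr.version]}", strict=False)
    return str(net.network_address)


# In Common Log Format the client address is the first whitespace-delimited field.
_FIRST_FIELD = re.compile(r"^(\S+)(.*)$", re.DOTALL)


def anonymize_log_line(line: str) -> str:
    """Rewrite the client IP at the start of an access-log line.

    A field that does not parse as an address is replaced by '-' instead of
    being passed through, so a malformed or injected value never leaks an
    identifier into the stored log."""
    m = _FIRST_FIELD.match(line)
    if not m:
        return line  # blank or whitespace-led line: nothing to rewrite
    ip, rest = m.groups()
    try:
        return anonymize_ip(ip) + rest
    except ValueError:
        return "-" + rest


def anonymize_log(lines):
    """Apply anonymize_log_line to every line; returns the rewritten list."""
    return [anonymize_log_line(line) for line in lines]


# Constructed sample lines using documentation address ranges, not real visitors.
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '2001:db8:1234:5678::1 - - [10/Oct/2020:13:55:40 +0000] "GET /about HTTP/1.1" 200 512',
    'not-an-ip - - [10/Oct/2020:13:55:41 +0000] "GET /x HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for out in anonymize_log(SAMPLE_LOG):
        print(out)
```

The point of truncating at the edge (web server or log shipper) rather than in a later batch job is that the full address then never reaches a backup, which sidesteps the backup question raised further down in this article for at least this one data item.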
Opt-out of services that store personal data
The absolute easiest way to comply with GDPR is not to collect personal data. There are alternatives to Google Analytics and YouTube if you want to use services that do not collect personal data instead.
There are many good alternatives!
We understand that this may not always be a possible solution, but in many cases, one can at least minimize their data collection by actively choosing to use services that focus on not collecting more data than necessary.
Newsletters
One of the hardest parts is not the website itself but rather your registers of email addresses for newsletters and other promotional mailings.
When GDPR was introduced in 2018, there was a flood of letters from companies asking us to either confirm that we wanted their mailings or giving us the opportunity to review our settings. In most cases, this is due to the fact that they did not collect the email address in a serious manner from the beginning... The following quote sums it up well:
Check your mailing list—it’s a common misconception that GDPR means wiping your mailing list and asking people to resubscribe. This is not necessarily the case—if you’ve been building it ethically it may already be compliant; if you have explicit consent to retain an email address for everything you use it for (such as marketing) the user’s consent was opt-in and not assumed, you have a timestamp recording the time of the consent, the email address was not required as part of a transaction (as payment for a ‘free’ PDF for example), and there is a mechanism to withdraw consent, then you may be legitimately able to keep that address in your database. Some companies will find that it is less onerous to wipe their mailing list and start again, even if they could demonstrate proper consent. – Paddi MacDonnell
If you use a reputable service that includes the ability to easily "unsubscribe" and you have collected the addresses for the purpose they are used for, there should be no problem at all. If you have purchased addresses or "faked" old addresses, you may want to rethink everything once again...
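The quoted checklist is concrete enough to be turned into an audit of an existing mailing list. The following is an added example, not code from the original article or from any of the mailing services it mentions, that encodes those criteria (consent covers the purpose, it was opt-in rather than assumed, a timestamp exists, the address was not the price of a transaction, a withdrawal mechanism exists, and consent has not been withdrawn) as checks over a small constructed list. The record layout, field names and sample addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass
class ConsentRecord:
    """One mailing-list entry together with the evidence needed to justify keeping it.
    Field layout is an assumption for this example, not a real service's schema."""
    email: str
    purposes: tuple                       # what the address may be used for, e.g. ("marketing",)
    opt_in: bool                          # subscriber ticked an unchecked box themselves
    consented_at: Optional[datetime]      # when consent was given; None = never recorded
    tied_to_transaction: bool = False     # address was required to get a 'free' PDF or similar
    withdrawal_mechanism: bool = True     # an unsubscribe link or equivalent exists
    withdrawn_at: Optional[datetime] = None


def retention_problems(rec: ConsentRecord, purpose: str) -> List[str]:
    """Return the reasons this address may NOT be used for `purpose`; an empty
    list means every criterion in the quoted checklist is satisfied."""
    problems = []
    if purpose not in rec.purposes:
        problems.append(f"no consent recorded for purpose '{purpose}'")
    if not rec.opt_in:
        problems.append("consent was assumed or pre-checked, not opt-in")
    if rec.consented_at is None:
        problems.append("no timestamp of when consent was given")
    if rec.tied_to_transaction:
        problems.append("address was required as part of a transaction")
    if not rec.withdrawal_mechanism:
        problems.append("no way for the subscriber to withdraw consent")
    if rec.withdrawn_at is not None:
        problems.append(f"consent withdrawn at {rec.withdrawn_at.isoformat()}")
    return problems


def withdraw(rec: ConsentRecord, when: Optional[datetime] = None) -> None:
    """Record a withdrawal; the address then fails the audit for every purpose."""
    rec.withdrawn_at = when or datetime.now(timezone.utc)


def audit_list(records, purpose: str) -> Tuple[List[str], List[Tuple[str, List[str]]]]:
    """Split a list into addresses that may stay and (address, reasons) pairs
    that must be removed or re-consented before the next send."""
    keep, drop = [], []
    for rec in records:
        problems = retention_problems(rec, purpose)
        if problems:
            drop.append((rec.email, problems))
        else:
            keep.append(rec.email)
    return keep, drop


# Constructed sample list; every address uses the reserved example.com domain.
T0 = datetime(2018, 5, 1, 9, 30, tzinfo=timezone.utc)
SAMPLE_LIST = [
    ConsentRecord("anna@example.com", ("marketing",), True, T0),
    ConsentRecord("bo@example.com", ("marketing",), False, T0),     # box was pre-checked
    ConsentRecord("cid@example.com", ("marketing",), True, None),   # consent never timestamped
    ConsentRecord("dana@example.com", ("receipts",), True, T0),     # consented to receipts only
    ConsentRecord("eve@example.com", ("marketing",), True, T0, tied_to_transaction=True),
]

if __name__ == "__main__":
    keep, drop = audit_list(SAMPLE_LIST, "marketing")
    print("keep:", keep)
    for email, reasons in drop:
        print("drop:", email, "->", "; ".join(reasons))
```

Note that `retention_problems` reports every failing criterion rather than stopping at the first one, so the output doubles as the record of why an address was removed, which is the kind of evidence you want to keep if a subscriber later asks why they stopped receiving mailings.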
Examples of common setups that no longer meet the requirements
There are some ways that have previously been used to circumvent certain laws and regulations, but the following fairly common examples will not hold up under scrutiny anymore:
- A pre-checked box that says "I want your newsletter" no longer holds; let the customer check the boxes themselves.
- Complicated wording that makes it difficult to understand what is meant will not suffice; write clearly and simply.
- Guardians must give permission for children under 16 years old, and this must be described and communicated in a way that is easy to understand for both children and adults.
- General phrases that lump together a number of things such as "By visiting this site you agree..." will no longer be sufficient, and the customer must be informed and able to choose at each occasion you collect data.
Which parts of the website are most important to review?
GDPR applies when collecting personal data, not when publishing it, so the parts of a website that are most important to review are likely:
- Forms
- Cookies
- Newsletters
- Customer management
How do the providers Republic uses comply?
For our part, we use a few third-party services to deliver our services and our support to our clients. Here is a list of a couple of these and their guides and tips for complying with GDPR:
We try to choose providers that are transparent and have intentions to handle personal data correctly.
Craft CMS & Craft Commerce
Content management and e-commerce system
GDPR: What You Need to Know | Craft CMS
Fathom Analytics
To collect non-personal statistics about visitors
Privacy law compliance | Fathom Analytics
Postmark
To send emails from CMS such as "forgot password," receipts, and similar emails
EU Data Protection | Postmark
Campaign Monitor
To send newsletters via email
GDPR overview and best practices | Campaign Monitor
In addition to the above, many of our clients use other similar services, such as:
MailChimp
To send newsletters via email
About the General Data Protection Regulation | MailChimp
Google Analytics
Visitor statistics, goals, and advertising
IP Anonymization in Analytics - Analytics Help
References
In any case, if you have made it this far down, I hope you have appreciated the content. Again, this is not legal advice, but there are at least many hours of article reading and pondering behind the text, so consider it some form of guide.
If you would like to discuss your specific situation, please feel free to reach out.
Articles
- The Data Protection Regulation (GDPR) – The Swedish Authority for Privacy Protection
- General Data Protection Regulation (GDPR) – Final text neatly arranged
- Guide to the General Data Protection Regulation (GDPR) – ICO
- General Data Protection Regulation – Wikipedia
- State Of GDPR In 2021: Key Updates And What They Mean – Smashing Magazine
- State Of GDPR In 2021: Cookie Consent For Designers And Developers – Smashing Magazine
- GDPR: How small companies can get ready for it (and why you can’t just ignore it) – Postmark
- GDPR: What It Is, How It Affects You, and What We’re Doing to Help – Campaign Monitor
- How to Survive GDPR: The Essential Guide to the Web’s New Privacy Regulations – Webdesigner Depot