Personal Identifiable Information (PII) has become a headache for most digital-first businesses in recent years. Everyone agrees we need rules to keep personal data safe, but there’s no universal PII Data Protection Act we can all follow. Instead, there is a worldwide patchwork of regulations, many of which have global implications.

Sweden is one of the pioneers in data security laws. The Riksdag passed one of Europe’s first digital privacy laws as far back as 1973, creating rules about subject consent, data storage, and cross-border data transportation.

Even back then, Sweden struggled with the many problems that arise from creating a workable PII data protection act. How do you protect individuals without drowning businesses in red tape? How do you have an open society while allowing people to control their privacy? And, most importantly, how do you keep data safe?

Fast forward to 2020, when Sweden adopted a two-pronged approach: the Protective Security Act and the Swedish implementation of GDPR. Both of these laws have significant implications for businesses, even those based elsewhere in the world.

What does that mean to your business?

 

Protective Security Act

Cybersecurity has become a political issue in recent years, with many nations fighting a new Cold War online. In 2019, Sweden implemented a new Protective Security Act, Säkerhetsskyddslag (2018:585), which extended the previously existing security act.

This law governs entities that handle data essential to the security of the state. That includes energy, water, transportation, defense, law enforcement, finance and banking, healthcare, and digital infrastructure. It also includes anything that the Swedish government deems to be a key digital service provider. These rules apply to any company that operates in Sweden, whether domestic or based abroad.

The Swedish government’s white paper on national cybersecurity states:

"The open democratic society is dependent on the ability to maintain the desired confidentiality, integrity, and availability when handling information. This means that both the information itself and the systems used to store and transfer that information must be protected."

If this law impacts your company, you have to work with the Swedish authorities to ensure that your data infrastructure is secure against attacks. This can involve working with national security agencies such as the Säkerhetspolisen, or Swedish Security Service. They will offer guidance if required, and in some circumstances, they may be able to provide operational support.

Businesses also have to report breaches and hacks, including those where parties have accessed PII. These reports go to the Myndigheten för samhällsskydd och beredskap, or the Swedish Civil Contingencies Agency.

Do you need to worry about this law if you’re not providing an essential service? Possibly. It’s up to lawyers to decide exactly who falls under the Protective Security Act. But consider this: during the Covid-19 pandemic, we saw everyone from retail workers to schoolteachers designated as essential service providers. Anything can happen, so automatically assuming this law will never apply to your business could be unwise. That's why many businesses in Sweden are adopting the Protective Security Act framework as the basis for their security strategy, even if they’re not legally obliged to do so. It’s a good way to secure sensitive data such as PII, and it is a step towards GDPR compliance.

GDPR in Sweden

As an EU member, Sweden has been one of the primary architects of the General Data Protection Regulation. GDPR now stands as perhaps the most robust PII data protection act in the world.

GDPR is a European law with global consequences. Any organization that obtains, processes, or stores data relating to an EU citizen has to follow the rules, even if that organization isn’t based in Europe. The main principles of GDPR are:

  • Subject consent: The person described by data, known as the data subject, has complete control over their information. Organizations must ask for explicit consent before gathering any PII, and they must explain their data policy in clear language. Data subjects can request a copy of their data at any time. They can also ask you to remove their data entirely.
  • Breach reporting: If any unauthorized party gains access to PII, the data owner must report the breach to the relevant national authority. In Sweden, this is the Swedish Data Protection Authority or Datainspektionen. This body will study the nature and impact of the breach, and they may take punitive action against the data owner.
  • Internal controls: All organizations must implement structures that help ensure high levels of data security. This includes setting up adequate security measures and using the right technology to keep data safe. It also means appointing a Data Protection Officer who helps to draw up security policy per GDPR. The DPO is also responsible for reporting breaches. 
  • Activity logging: Organizations have to be fully accountable for everything that happens to PII. This includes internal auditing so that they can track any edits that may have occurred, including data integration. Each organization also needs to monitor third-party data processors that provide additional services. If a data processor breaks GDPR, the data owner is liable.

EU countries promised that they would enforce GDPR with hefty fines, and they were not kidding around. Google has already faced the wrath of the Swedish authorities, who imposed a fine of SEK 75 million (around $8 million) for failing to process data deletion requests Right to Be Forgotten rules.

The municipality of Skellefteå was also fined SEK 200,000 (around $22,000) for a GDPR breach at a school. While this fine was relatively small, it proves that Swedish authorities are serious about data privacy.

 

Staying Compliant with Sweden’s Data Privacy Laws

As is the case in all EU countries, Sweden does not have a native PII data protection act. Instead, businesses operating in Sweden must consider the impact of these two data-centric laws.

While compliance can be a pain, these laws should ultimately align with two of your core objectives:

  • Keeping data safe: Cybercrime is a rapidly evolving threat, with small hacking groups and state-sponsored espionage teams both looking for weak spots. If you comply with the Protective Security Act, you know that you’re secure against most threats.
  • Building customer trust: People trust you with their most sensitive information. If you’re GDPR compliant, it means that you’ve got robust safeguards in place to protect that information. You’ve also got a clear data policy that allows people to control their data.

 To meet these requirements, you need to ask the following questions:

  • Do we have the right policies? Compliance and security are both aspects of good data governance. Do you have a governance framework that supports operations while keeping data safe? How does your organization avoid compliance issues? How do you prepare for future compliance rule changes?
  • Do we have the right people? People are often the weakest link in data security. Review your training and certification programs and ask if they’re up to date. Does everyone know how to keep data safe? Do they know how to handle a breach?
  • Do we have the right infrastructure? Data rarely sits still. Your business most likely has a complex series of system integrations, with data continually moving between servers. Are those servers secure? Are the connecting data pipelines protected by robust encryption?
  • Do we have the right partners? Cloud computing means a greater dependence on third parties to take care of your data. This doesn’t have to be a problem, as long as you choose your partners wisely. Are your partners fully compliant with GDPR and the Protective Security Act? Will they transport data outside of the EU? How do they protect data on their side?

As you can see, compliance with Swedish law is more than just security theater. By following these rules, you’ll create a robust and reliable data infrastructure that protects you and your customers from threats.

How Integrate.io Can Help

If you’re dealing with Sweden’s laws, or with a PII data protection act anywhere else in the world, Integrate.io can help.

Integrate.io is an ETL (Extract, Transform, Load) platform that takes data from your critical systems, transforms it into the right format, and then loads it to a data repository. This is a sensitive operation that can leave your data exposed, which is why Integrate.io offers:

  • Field-level encryption that meets Protective Security Act standards
  • Full end-to-end GDPR compliance
  • Constant verification of encryption algorithms and security certificates
  • SSL/TLS encryption for all websites and microservices
  • Top-tier physical security provided by Amazon’s data centers
  • Firewall-based access control so you can manage the protocols and ports that access your systems.

Most importantly, Integrate.io ETL adds a layer of security to your data operations. Each database has a one-to-one integration with Integrate.io, which significantly reduces data exposure.

Schedule a call with our support team to arrange a 14-day risk-free pilot and find out how Integrate.io can turbo-charge your analytics while keeping your data safe.