Data Protection in Sweden

Security in Sweden

EU regulation

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A 'one size fits all' approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Sweden regulation

There are no specific security requirements set out in the Data Protection Act. However, it should be noted that certain security related provisions are prescribed under the Patient Data Act (2008:355) when processing personal data, regarding e.g. confidentiality, access and disclosure.

Moreover, a two-factor authentication when accessing special categories of data over an open network and encryption when sending special categories of data are examples of previous recommendations from the Swedish Authority for Privacy Protection.

Back to top