If you have a policy, make sure it is documented, if you have a procedure, document that too…else..


Well it seems that another government authority in Sweden has been fined 120 000 kr (circa €12k) by the Swedish Data Protection authority. The region (county) of Örebro, and it was the heath authority, and it was sensitive data.

What is important in this case, is that although they had procedures, they were not documented, it was word of mouth… oopps, and this is not good enough. Where is the evidence?

Clearly processing of sensitive data means that extra care must be taken, but what is key here outside of this is that Article 5.2 of the GDPR requires accountability, which means there must be evidence that 5.1 is being adhered to.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.