The University has worked frantically during the spring to ensure that we live up to the new requirements. The University’s Information Security Coordinator, Benita Falenius, has, together with the members of the GDPR project, visited all departments in order to take stock of what personal data is being processed and what systems are being used. In addition, they have participated in information meetings about GDPR. By the middle of May, nearly all departments and administrative units had made a record of processing activities, where they listed how personal data were processed and for what purposes*.

Data protection officer and a new council

The President has designated a data protection officer as required by GDPR. The data protection officer should ensure that there is a legal basis for processing personal data, confirm that the necessary precautions are taken to make sure that everything is done in a secure manner, as well as minimise the risk of personal data incidents. The data protection officer is Benita Falenius from IT Services. Her responsibilities include ensuring that the University’s IT support and procedures are compliant with the regulation, giving advice on how to process personal data, monitoring compliance with the data protection regulation, and cooperating with the supervisory body, the Swedish Data Protection Authority.
The President has also decided to establish a council for data protection. Benita Falenius has been commissioned to, in consultation with the GDPR project group, prepare a basis for a decision on the composition of the board.

Benita Falenius

Instructions to be issued on 20 June

The next big step in the work relating to GDPR are the instructions on how to implement the law in the University’s operations. The instructions will be published at There you will find information about the rules regarding the disposal of documents, cloud storage, personal data on the web, etc.
The University’s IT archivist has developed guidelines concerning, for example, the disposal of documents. These will be specified further in the instructions, but it is still too early to tell exactly what the legal interpretation of GDPR will be. Terms such as “public interest” and “archiving purposes” have to be interpreted by the European Court and other judicial bodies in the member states.
What, then, does Benita Falenius say to those who were not able to finish all the preparations for GDPR by 25 May?
“They do not have to worry. Not everything will be done when the regulation enters into force, but there has to be a plan for how the work at Stockholm University will proceed. Since the University has created a record of processing activities and made other preparations, we should be in a good position.”

* The head of department/unit manager is responsible for ensuring that there is a record of processing activities and that all members of staff are aware of how personal data are being processed (e.g. in research projects that process personal data).