We provide expertise in every aspect of data protection

Incident management and impact assessment

”Our IT provider has informed us that someone unlawfully accessed our organisation’s IT system – how should we act?”

Personal data breaches take place on an almost daily basis. If a personal data breach occurs, the breach must – according to the general requirement in the GDPR – be reported to the supervisory authority within 72 hours of becoming aware of the breach. However, there are exceptions from the reporting obligation. If the breach is unlikely to result in a risk to data subject’s rights and freedoms, the breach does not need to be reported. In order to assess the risk it is crucial to immediately get an overview of the situation and involve the IT provider to investigate what type of information has been affected and how and whether there is an obligation to report the breach.

To mitigate the risk for incidents, an organisation must carry out an impact assessment if a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. Our team at Wikström & Partners regularly works with managing incidents and impact assessments - do not hesitate to contact us if you need assistance.

Personal data processing agreement and documentation obligations

“Why do we have documentation obligations?``

The purpose of the documentation requirements is to protect each individual from having their personal data processed incorrectly. To ensure this, there are several documentation requirements in the GDPR and national legislation. Some of the requirements have existed for a long time but have been brought to attention by various organisations when GDPR began to apply. One such requirement is the prerequisite of personal data processing agreement with, for example, its IT supplier. Such an agreement must contain several requirements that were not previously explicitly stated in the legal text. If you have personal data processing agreements written in accordance with the previous legislation, it is appropriate to review the agreements and discuss the need for such an agreement for each new supplier you work with.

Data Protection Officer (”DPO”)

``Our organisation handles a large amount of personal data - do we need to appoint a DPO?``

GDPR and national supplementary regulations contain a number of different criteria that govern whether you need to appoint a DPO. The main rule is that an authority always needs it while other actors must appoint a DPO only under certain conditions. Sometimes your organisation is not obliged to appoint a DPO, but it can still be recommended. We assist a large number of organisations with legal advice regarding their considerations of appointing a DPO. We also act as an external DPO for a number of public and private actors.

Get in touch with us


Phone: +46 (0) 8 410 613 40



We are happy to assist you with the legal process of data protection.
Don’t hesitate to reach out to us with your questions!