Swedish Custom (Tullverket) – Order (Sweden, 2020)

On their own initiative and as part of their mandate as a supervisory authority, the Swedish DPA (Integritetsskyddsmyndigheten) conducted an audit of seven law enforcement agencies in Sweden: the Police Authority, the National Economic Crimes Bureau, Customs, the Tax Agency, the Coast Guard, the Prison and Probation Service and the Prosecution Authority. The audit concerned the law enforcement agencies' policies and procedures for personal data breaches, specifically related to: 1) Ability to detect and manage breaches 2) Documenting breaches 3) Staff training The audit was conducted as per the Criminal Data Act; the privacy and data protection law in Sweden for law enforcement agencies, which is based on the same principles as the GDPR. Do Swedish Customs have sufficient policies and procedures in place to detect, manage and document personal data breaches, as well as sufficient staff training routines? No serious violations were found, however the DPA gave several (similar) recommendations as per the Swedish Criminal Data Act to all agencies. The Swedish Customs received the following recommendations: 1) To regularly evaluate the effectiveness of the security measures around detecting personal data breaches and regularly revise these in order to maintain adequate protection of personal data. 2) To review their policies around technical logging and following up on these to detect any discrepancies in systems. Update the policy as per the current legal regime. 3) Prepare a common document with all written guidelines/routines related to personal data breaches. 4) Regularly control that the policy for managing breaches are adhered to. 5) Specify in the policy document which information must be documented in a breach and regularly check that this is done correctly. 6) Provide its employees with continuous information and recurring training.