Sweden’s Data Protection Authority Reshapes Its Organization for Risk-Based Oversight

Key Takeaways

• Organizational Restructure: IMY has split its operational work into two departments focused on supervision and complaints, and on guidance, innovation, and technology.
• Risk-Based Supervision: The new structure is designed to strengthen IMY’s ability to prioritise supervision based on risk to individuals.
• Clearer GDPR Guidance: A dedicated department aims to make GDPR guidance easier to understand and apply in practice.
• Leadership Continuity: Existing department heads Charlotte Waller Dahlberg and Malin Blixt will lead the new units.
• Digital Focus: A new digitalization and IT department highlights IMY’s investment in its own technological capabilities.

Deep Dive

Sweden’s data protection watchdog is starting 2026 with a quieter but meaningful internal reset, one that reflects how enforcement, guidance, and technology are increasingly intertwined in day-to-day GDPR oversight.

As of January 1, the Swedish Data Protection Authority (IMY) has reorganized its operational work into two core departments: one focused squarely on supervision and complaints, and another dedicated to guidance, innovation, and technology. The aim is not simply administrative tidiness, but a clearer division of labor that allows the authority to supervise more strategically, respond to complaints more efficiently, and communicate GDPR expectations in a way that is easier for organizations to apply in practice.

Under the new structure, the Supervision and Complaints Department brings enforcement and complaint handling together, reinforcing IMY’s push toward more risk-based supervision—which is an approach that prioritizes cases where data protection failures are most likely to harm individuals. Running in parallel, the Guidance, Innovation and Technology Department is tasked with strengthening how IMY explains and interprets GDPR, while keeping pace with technological developments that increasingly shape compliance challenges.

Leadership continuity is a deliberate feature of the reorganization. Charlotte Waller Dahlberg will head the Supervision and Complaints Department, while Malin Blixt will lead the Guidance, Innovation and Technology Department. Both previously served as department heads within IMY, a move that signals evolution rather than upheaval inside the authority.

For IMY’s Director General Eric Leijonram, the changes are part of a broader effort to make the regulator more effective and easier to engage with.

“The new organization is streamlined based on our tasks,” Leijonram said, adding that the goal is to strengthen IMY’s ability to conduct risk-based supervision, deliver clearer guidance that supports GDPR compliance, and handle complaint cases more efficiently.

The reorganization does not stop there. At the same time, IMY is establishing a new department for digitalization and IT, underscoring how central technology has become to regulatory work itself. The department will focus in part on developing IMY’s own digital capabilities. While a permanent department head is being recruited, the unit will be led on an interim basis by Håkan Larsson, who currently heads operational support.

The changes point to a regulator that is refining how it operates rather than reinventing itself. For organizations subject to GDPR, expect supervision that is more targeted, guidance that is meant to be more usable, and a data protection authority that is investing internally to keep pace with the realities of digital regulation in 2026.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.