Compliance - Digital tools and personal support

Implementing AI in an organization today is not merely a technical challenge, but very much a legal and security-oriented one. In a conversation between Lantero and expert Joakim Karlén (in Swedish), we highlight the complex issues that arise when Large Language Models (LLMs) encounter European legislation such as GDPR and the new AI Act. ### Innovation in the US, Regulation in the EU Technological development is largely driven by American companies, but for Swedish and European organizations, local legislation sets the boundaries. Joakim Karlén notes that the current dynamic is challenging because the pace of innovation is lightning-fast while regulation is brand new. There is still a lack of clear legal precedent and court rulings, which places high demands on an organization’s internal capacity for risk analysis. ### The Clash Between GDPR and AI Dynamics One of the most central questions is how AI systems—which are by nature dynamic and non-deterministic—can live up to GDPR’s requirements for accuracy. Traditional IT systems are static; you know what you input and what you will get as output. An LLM works differently. By simulating human behavior with a degree of randomness, the output is not always predictable. This creates fundamental uncertainty regarding individual rights and the accuracy of the processed data. ### From Chatbots to Autonomous Agents We are seeing a clear shift from simple chatbots to autonomous agents capable of performing tasks independently. This introduces new risk vectors. Joakim emphasizes that an organization deploying an AI system is considered a "deployer" under the AI Act and thus bears the legal responsibility. This becomes particularly critical when agents are given the mandate to act without human intervention. The risk of incorrect decisions or random behavior means that traceability—the ability to explain why a machine acted in a certain way—becomes both a technical and legal challenge. Not least when it comes to cybersecurity. ### Internal Risks and "Oversharing" While many focus on external hackers, one of the greatest risks is internal. The concept of "oversharing" describes when an AI agent, due to a lack of permission management or classification, gives employees access to sensitive information they are not authorized to see. Protecting the "machine" itself and its access to internal data sources is therefore just as important as protecting the raw data. ### Methodology Wins in the Long Run To succeed, Joakim suggests a methodical approach. Instead of simply "trial and error," organizations should begin with a holistic analysis based on the AI Act, GDPR, and cybersecurity legislation (NIS2). By understanding the purpose of the technology and maintaining control over the information structure, you can build correctly from the start.

Below is a lightly edited version of an interview (in Swedish) we conducted with Sara Johansson, who works with whistleblowing assessments at Lantero. We asked her what new case officers need to keep in mind when they start handling whistleblowing cases, what types of situations they may encounter, and which common pitfalls to watch out for. Interviewer: When someone steps into a role as a new case officer in a municipality and begins working with the whistleblowing function, what should they keep in mind or expect? Sara Johansson: You’ll need to find a way to separate the wheat from the chaff, because many of the reports you receive are not, in fact, whistleblowing cases. They may involve an employee having issues with their manager, comments on organisational efficiency, or opinions on how things are structured. These are typically not whistleblowing matters. Then there are cases where there is actually something to look into. In those situations, you need to determine whether the reporting individual belongs to the protected group under the legislation, and whether the report concerns a public-interest wrongdoing. This might involve signs of corruption, serious conflicts of interest, or questionable recruitment processes carried out without proper advertising. In some types of operations, there may also be risks to patient safety or collaboration difficulties in critical environments. The key is to identify and distinguish these cases from the rest. Interviewer: There is a lot of legislation underlying this work, and case officers need to apply it in their assessments. And in many organisations—especially smaller ones—actual cases are infrequent. How should one stay up to date on these issues? Sara Johansson: One challenge is that there are very few court decisions in this area, which means there's not much case law to rely on. My recommendation is therefore to read everything that is published: follow relevant accounts on LinkedIn—ours, for example—and stay updated on news reporting around the topic. At the same time, you need to keep in mind that there is a clear sequence for handling these cases: there must be a wrongdoing, and it must concern a group defined as the public. Interviewer: And if someone has questions? Sara Johansson: Then they contact Lantero. Interviewer: Do you have an example of a situation that may arise—something many case officers will encounter early on? Sara Johansson: Do you want an example of a case that isn’t a whistleblowing matter? Because most cases are not. Interviewer: Yes, describe that type of case. Sara Johansson: The most common goes something like: “You have to do something. We can’t take it anymore. Our manager has completely lost control.” Then follows a long description of everything that is not working. This is by far the most common scenario. Interviewer: And what is your advice to the client in that situation? Sara Johansson: My advice is to explain that this is not a serious wrongdoing under the law, but something that needs to be addressed through another process. Often, you raise it within the organisation as a tip—an indication that the organisation should take a closer look at how the work environment is functioning—rather than treating it as a whistleblowing case. Interviewer: If you have further thoughts or questions on this topic, you are very welcome to contact us. Otherwise, we wish you the best of luck—and thank you for watching.

When a public authority receives a request to disclose documents, the same question often arises: how much may – or must – we redact in a whistleblowing case? Many case officers find this difficult, as whistleblowing cases involve sensitive information while the principle of public access imposes strict requirements to release documents. We interviewed Andreas Wahlström (in Swedish), who works with assessments and redaction of whistleblowing cases at Lantero. He explains both the legal requirements and the practical challenges faced by municipalities and government agencies. Andreas reminds us that public documents are, as a rule, public. This means that “anyone has the right to request a whistleblowing report.” But the obligation to disclose also comes with a significant responsibility to redact. This applies to both directly identifying information and indirect details that could reveal the whistleblower. Redaction is therefore a central part of managing whistleblowing cases. The legal basis primarily comes from two chapters in the Swedish Public Access to Information and Secrecy Act: OSL Chapter 32, Section 3 b and OSL Chapter 17, Section 3 b. These regulate the protection of reporting individuals – as well as other persons mentioned in the report. In practice, the guidance is clear: redact rather more than less. If there is any uncertainty, the case officer should act cautiously to protect everyone involved. For many case officers in municipalities and government agencies, redaction is still a manual process. Andreas notes that in the past six months, new tools have emerged that make the work both faster and safer. These tools propose what should be redacted, simplify the workflow, and help the case officer produce a document that can be safely disclosed. One such example is Lantero Redact, a tool developed to help public-sector organisations manage redaction in accordance with legal requirements. It provides concrete suggestions on what to redact, is easy to use, and ensures that the material is properly anonymised before disclosure. For those who want to dive deeper or need support in a specific case, Andreas and the team at Lantero are available to help. Redaction is not only a legal requirement – it is also a crucial part of maintaining trust in the whistleblowing function and protecting reporting individuals.