General data protection regulation – why and what needs to be done

As of May 25, 2018, General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), a revolutionary, single EU-wide set of data protection rules, becomes enforceable. It applies if data controller (data collector) or processor, or the data subject (physical person) is EU-based. Personal data means any information relating to an identifiable natural person. Why do you have to know about GDPR? Compliance might be required by clients or partners, with whom organization shares data collecting or processing activities. GDPR can severy affect or disrupt some business models, such as online advertising and direct marketing. Non-compliance might cause fines up to 20 million euros. What do you need to know? If organization is based in the EU or collects or processes any kind of information related to an EU-based identifiable natural person, it would be wise to review the process of acquiring, processing, storing and erasing personal data now and make necessary amendments before May 25, 2018. If organization controls or processes the data, it is required to know:

• what is a legitimate basis for collecting the data (contractual, consent, law-based)
• has consent of data subjects been given in compliance with GDPR
• how, by whom and for how long the data will be processed
• who, when and what actions will take in case data breach would happen
• how to maintain records of processing activities
• how to minimise processing of data
• how to incorporate data protection in all processing activities
• how to ensure data portability

There are additional responsibilities, if an organization:

• performs automated decision making in regard to the natural persons (profiling)
• core activities consist of operations which require regular and systematic monitoring of data subjects
• processes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or sex life or sexual orientation

What needs to be done?

• identify all data flows in organization and corresponding business process owners
• define the scope of the compliance Project, appoint Project manager
• choose professional outsource law counsel, IT support
• identify and implement activities needed to comply, such as (the list is not exhaustive):
• review internal and external privacy policies,
• assess the process of obtaining and recording consent,
• evaluate processor or subprocessor agreements,

and make alterations to processes and documents where needed. Triniti partner Karmen Turk participated in the development of the EU GDPR legislation. Triniti associate Maarja Pild teaches Data protection at Tartu university. Law firm Triniti has a unique for the Baltic region, in-depth knowledge highly valued by clients, as many GDPR compliance issues require professional legal assessment. Triniti stands ready to help with evaluation of legal issues, development of documents and processes and employee trainings.