In just a little over one year everyone will need to be compliant with the new General Data Protection Regulation* that was adopted and entered into force in 2016 and which involves significant changes in the existing regulation under the Personal Data Protection Law (PDPL). This makes the regulation a matter that calls for the attention of all businesses, institutions and organisations that process personal data, i.e. carry out any activities involving information on individuals.
Compliance can be achieved through implementing technical and organisational measures such as drafting internal rules on data processing,
appointing a data protection officer and maintaining a data processing log.
Consequently it takes some preparation. As the Regulation introduces a few new responsibilities it stands to reason to start preparing in due time and
determine the key risks and priorities and plan the implementation activities
and relevant resources.
Below is a description of the key changes stipulated by the Regulation.
It effectively means that preparations for the Regulation can be started without waiting for a new law that would detail how the Regulation applies to Latvian businesses, institutions and organisations.
For example, businesses will be required to provide such information to new employees upon hiring, and to customers who are individuals upon signing a service agreement or upon registration for a customer loyalty programme or applying for news in e-mail.
For example, if a business stores personal data of his/her employees or clients on servers or clouds maintained by another business and if newsletters, invoicing or client satisfaction research is carried out on behalf of a business or organisation by another business then the provider of these services may be considered to be a processor.
The Regulation requires that the data security guarantees expressed by the processor should be checked prior to signing the contract and the contract may be signed only when such guarantees are deemed to be sufficient. Compared to PDPL, the Regulation has significant new requirements for the contract with a processor.
For example, to demonstrate compliance with the principle that it is permitted to process personal data only as long as the relevant purpose for data processing exists it should be laid down in internal documents what storage periods apply to relevant types of personal data and evidence must exist to confirm destruction of personal data after the appropriate period. Likewise, to demonstrate whether and how guarantees made by processors are checked there should be an act in place regarding such a check and the entity should have internal regulations on how to check guarantees made by processors. Confirmation should be provided also with regard to technical data protection measures, for example if encryption is used the entity should be able to confirm the fact.
It must be pointed out that the new obligation to demonstrate compliance implies that the regulation may be violated and a fine may be imposed as a result of a mere formal irregularity such as the lack of appropriate internal regulations.
For example, the reporting obligation would arise in case a laptop has been stolen or lost or an e-mail has been sent in error to the wrong addressee.
For example, a DPO will need to be appointed in all central and local government institutions, and one may be required in hospitals, credit institutions, insurance companies etc.
The above is not an exhaustive list of the responsibilities provided by the new Regulation but it clearly shows that preparations should be made to achieve compliance and it is crucial that various specialists cooperate during the process, such as lawyers, IT, human resources, risk and project anagement specialists. It is therefore recommended to start preparing as soon as possible to be able to meet the deadlines for implementing all the requirements.
*Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, which is applicable from 25 May 2018.
Author: Sanita Pētersone, Senior Associate, KPMG in Latvia.
© 2017 KPMG Baltics SIA, a Latvian limited liability company and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.