Private sector and GDPR
dr. iur. Ants Nõmper
7th September 2017

CONTENTS
1 Identification of new required implementations
2 Legislative obstacles
3 IT-technical obstacles

1 IDENTIFICATION
ISSUE: Is data protection relevant? What are the main changes?
- Lack of knowledge that data protection is important
- Confusion and panic produced by media
- No material changes in data protection in Baltic countries
- Data protection will be more important to private sector
- Private sector cannot ignore data protection

1 IDENTIFICATION
SOLUTION:
- First step: data protection compliance audit
- Second step: updating documentation, action plans
- Third step: data protection training for employees

1 EXAMPLE
- Lithuanian beauty clinic processed client data, including before-and-after photos
- Data security measures were not followed
- Client data was leaked
- Consequences before GDPR: low fine
- Consequences after GDPR: large fine

2 LEGISLATIVE OBSTACLES
Common mistakes

CONSENTS
- Pre-ticked
- Data subject is not informed of right to withdraw
- Consent is obtained by TOS

COOPERATION PARTNER CONTRACTS
- Personal data processing is not regulated

INTERNAL RULES
- Internet and e-mail use is not regulated
- Employees are not notified of intra-group data transfers

3 IT-TECHNICAL OBSTACLES
Implementing GDPR requires implementing new IT-technical solutions and involving IT specialists on a daily basis:
- IT-technical solution to comply with data portability requests (GDPR art. 20)
- IT-technical solution for recording processing activities (GDPR art. 30)
- IT-technical solution to comply with data retention terms
- IT-technical solutions for complying with security of processing (GDPR art. 32): implementing security measures and encryption
- IT-technical solution to comply with the "need-to-know" basis access principle
- IT-technical solution for complying with data breach notification requirements