PROTECTION OF PERSONAL DATA

On 28 May 2018, the European Union's General Data Protection Regulation (Regulation) will be applied in Lithuania. Let's start to prepare now!

The Everylaw team recommends that companies handling the data of employees, customers or other individuals prepare for the implementation of the provisions of the Regulation in the following steps:

WHAT DO YOU HAVE TO DO

PERFORMED AUDIT OF THE LEGAL PERSONAL DATA PROCESSING IN THE COMPANY

The following must be determined:

  • what personal data is stored in the company;

  • where data is received from and to whom it is transmitted;

  • which individuals can access personal data in the company;

  • whether the current processing of personal data complies with the provisions of the Regulation;

  • what further procedures and actions must be taken to ensure that the company's processing of personal data does not conflict with the requirements of the Regulation.

Applies to all businesses that handle personal data

REDUCED SPECIFIC RISKS AND PREPARED ACTION PLAN FOR OPTIMIZING DATA PROTECTION  

A specific plan will help the company prepare smoothly and in good time for implementing the requirements set out in the Regulation.

Applies to all businesses that handle personal data

LEGAL ASSESSMENT / CORRECTION OF DATA PROCESSING RULES AND APPROVALS FOR DATA PROCESSING HAS BEEN COMPLETED IN THE COMPANY 

Rules and consent forms that were drawn up earlier must, after the entry into force of the Regulation, be reviewed and adapted in accordance with the provisions of the Regulation governing the content of such rules and consents. If the company has not prepared and approved such rules and consent forms, they need to be prepared.

Applies to all businesses that handle personal data

THE LIST OF DATA PROCESSORS AND CONTRACTS WITH OTHERS HAS BEEN REVIEWED  

The Regulation imposes stricter requirements on data processors who provide services to the company (such as accounting, IT) and who have access to personal data processed by the company.

Applies to businesses whose personal data is managed by third parties (such as service providers)

THE PROCEDURE FOR ASSESSMENT OF EFFECTIVE DATA PROTECTION AND ADVISORY CONSULTATIONS WITH THE SUPERVISORY AUTHORITY HAS BEEN ESTABLISHED  

When it is found that the processing of personal data may pose a high risk to the persons concerned, a data protection impact assessment will have to be carried out prior to the commencement of processing operations. In order for this to be done smoothly, the company should adopt rules for data protection impact assessment, which would, among other things, regulate the cases in which the assessment should be carried out, what needs to be investigated, and the conditions under which the procedure of prior consultation with the Data Protection Supervising Authority has to be carried out.

Applies to companies that intend to implement new tools that could affect the processing of personal data

DATA PROTECTION SUPERVISOR HAS BEEN APPOINTED  

The Regulation states that the obligation to appoint a data protection supervisor is imposed on those enterprises whose:

1. main activity is data processing operations during which they regularly and systematically monitor data subjects on a large scale;

2. main business is the management of special categories of data (race, sexual orientation, genetic data, etc.) on a large scale.

Applies to companies that meet the requirements set out in the Regulation regarding the scope of data handled, the organization of data processing, and the processing of special personal data.

DATA SECURITY INFRINGEMENT PROCEDURE HAS BEEN APPROVED  

The regulation requires companies to prepare themselves for potential data breaches.

Applies to all businesses that handle personal data

PREPAREDNESS FOR THE IMPLEMENTATION OF DATA SUBJECTS' RIGHTS HAS BEEN CARRIED OUT

The Regulation provides data subjects with rights such as the right to:

  • obtain information on processed personal data;

  • transfer personal data;

  • be forgotten;

  • etc.

The organization must ensure the smooth implementation of these rights through organizational and technical measures.

Applies to all businesses that handle personal data

INNOVATIONS HAVE BEEN INTRODUCED TO THE PERSONNEL AND THEY HAVE BEEN TRAINED  

It is very important that the new requirements are known not only to the company manager or administration; employees of the company who work with personal data must also be familiarized with them.

Applies to all businesses that handle personal data

IT SPECIALISTS HAVE TO IMPLEMENT TECHNICAL AND ORGANIZATIONAL MEANS OF PERSONAL DATA PROCESSING  

The Regulation requires more than proper legal procedures, orders and rules: implementing its principles and requirements is not really feasible without the help of IT professionals competent to build personal data processing systems, encrypt personal data, secure computer systems and networks, and maintain them continuously.

Applies to all businesses that handle personal data
