Estonian Data Protection Inspectorate advises preparing for the GDPR in good time
In April, the Estonian Data Protection Inspectorate published its 2016 yearbook, in which it drew attention to the new General Data Protection Regulation (GDPR). The GDPR enters into force as early as 25 May 2018.
The Data Protection Inspectorate set out recommendations to help processors ensure that the GDPR requirements are met on time. The inspectorate emphasized a comprehensive assessment of data protection, the possible need to appoint a data protection officer, and the principle of data portability.
Where a data protection officer is appointed, the inspectorate stressed the need to guarantee the officer's competence. The inspectorate cooperates with various occupational and entrepreneurial organisations to help provide competent officers.
The inspectorate highlighted the need to ensure data portability and noted that companies that foresee more requests from people to transfer their data elsewhere should review how their information systems work.
The yearbook of the Estonian Data Protection Inspectorate confirms that more attention must be paid to data protection issues, and practice shows this clearly as well. Data protection audits have shown that companies often cannot see the data protection risks and therefore might leave them unmitigated. The GDPR, however, stipulates very strict sanctions which, if imposed, may lead to bankruptcy.
To avoid the strict sanctions, a company is advised to establish whether it processes personal data and, if so, whether it does so in accordance with all the requirements. If necessary, competent specialists who are able to identify data protection issues and offer possible solutions should be included in the assessment process to mitigate the risks.
It is also worth noting that the inspectorate is drafting a guideline on the GDPR. The completion date of the guideline is unknown. However, it is good to know that the state authority responsible for ensuring data protection is trying to make implementation of the GDPR easier for those who actually have to implement it by providing practical guidelines.