Personal Data Protection
Quality of the services for compliance with the new Regulation (EU) 2016/679 in the context of the emerging advisors riding the GDPR wave
The most significant reform in the field of personal data protection for the past few decades led to the adoption of Regulation (EU) 2016/679 (“GDPR”/“the Regulation”).
Quite logically, as the deadline for direct implementation of the GDPR provisions (25 May 2018) approached, there was a significant stir and a desire on the part of businesses, as well as of all organisations falling within the scope of the Regulation, to avoid sanctions by taking the necessary steps to comply with the requirements and principles of the GDPR.
Just as naturally, with the heightened demand for expertise, new market players emerged, reinventing themselves as experts in the field of personal data protection.
On the other hand, the lack of the necessary level of awareness in our country, as well as at the EU level, has led to the misconception that until now there have been no regulations in the field of personal data protection. On the contrary, the subject of personal data protection is not new. At the EU level, it was regulated at the end of the 20th century with the adoption of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Just two years later, in 1997, the Penkov, Markov & Partners Law Firm set up a special working party to develop its expertise in the field of personal data protection. This has a logical explanation – our international clients are corporations with an international presence and an obligation to observe the highest common standard of protection of information, including personal data. They also expected their Bulgarian businesses, respectively their Bulgarian lawyers, to take legal and factual actions for protection of the information equivalent to those taken at the highest international level.
Here we should clarify that in Bulgaria the regulation of personal data protection dates back to 2001, and that, guided by our efforts to be of maximum help to our clients and business partners, we became direct participants in the process of adopting the legislation – first at national level and, subsequently and similarly, at European level. Our team followed the adoption of the new regulation from as early as draft level, and shortly after that, in 2016, it developed pilot training in the field of new developments in the GDPR.
For more than 2 years, the Personal Data Protection Working Party at Penkov, Markov & Partners Law Firm has been providing its clients with comprehensive legal and organisational services aimed at aligning the business processes in their organisations with the requirements of the GDPR. So far, our experts have held over 100 training courses and seminars on topics such as: “Personal Data Protection. Key concepts”; “Commission for Personal Data Protection – Powers and Need for Consultation”; “The New Developments introduced by Regulation (EU) 2016/679”; “Recommendations for aligning your business with the GDPR”. Of course, when providing opinions, recommendations and practical advice, the national legislation is also taken into account – currently, the Personal Data Protection Act and Ordinance No 1 of 30.01.2013.
Our international participation in events focused on the new developments and requirements of the GDPR is only part of the steps taken to improve and strengthen the high expertise of our professionals.
Recognition of our efforts is the trust we received and the formal partnerships we established in the field of personal data protection with international chambers of industry and commerce in Bulgaria, for example, with the German-Bulgarian Chamber of Industry and Commerce, the Bulgarian-Swiss Chamber of Commerce and the American Chamber of Commerce in Bulgaria.
In addition, the Penkov, Markov & Partners Law Firm is the first and probably still the only legal office in Bulgaria certified under ISO to provide comprehensive services in the field of personal data protection.
Recommendations and steps to ensure GDPR compliance
From the perspective of our experience, we believe that the first step towards GDPR compliance that should be undertaken by each controller and processor, regardless of whether individually or with external assistance, is a complete analysis of the business processes and the flows of information in the organisation.
The qualitative analysis begins with a comprehensive review, analysis and assessment of the existing documents and procedures governing data processing.
Following the completion of the so-called “audit”/“gap analysis” or inventory of the business procedures and information flows, the movement of each flow of information should be mapped from its entry into the company until its final destination.
Next and equally important is the training of the responsible employees, including, but not limited to, the data protection officers in the companies concerned. Such training not only raises the awareness of responsible employees, but also ensures timely control and prevention of violations and protection against the risk of the organisation being fined.
The logical continuation of the activities is to update and/or prepare documentation in accordance with the requirements of the EU and Bulgarian law.
The completion of the above steps should ensure immediate compliance with the Regulation; however, due to the dynamics in the field, these activities should continue over time. Thus, the regular implementation of the appropriate procedures and the monitoring of personal data processing is an example of both good prevention and fulfilment of some of the obligations set out in the new Regulation.
The provision of legal advice, contracts and procedures concerning personal data protection is a simultaneous and continuous process that can help the affected persons at all times during the “life” of the personal data in the organisation.
The specifics of each individual business and organisation shall be taken into account when providing the above services. In this regard, we may require additional information in order to be able to offer specific advice for your business/organisation.
You can contact us for a GDPR consultation regarding your business and your personal data.