With the advances in emerging and converging technologies, the European Union is developing a policy to support information security and protect the rights of individuals with respect to the processing of their personal data. In 2016, a key legislative act on the protection of the personal data of citizens and consumers was adopted, namely Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation, better known as GDPR).
GDPR introduces a number of new obligations for data controllers and data processors and is directly applicable in the Member States from 25 May 2018. The Regulation is based on the risks that personal data processing may create, thus establishing a stricter regime for lawful processing. The new responsibilities include, among others: maintaining records of data processing activities, assessing the impact of the organization’s activities on the rights and freedoms of natural persons, and notifying the competent supervisory authorities of a data breach not later than 72 hours after having become aware of it.
In accordance with the principle of accountability, data controllers/processors must be able to demonstrate that they process data in compliance with the GDPR requirements. Otherwise, they are subject to administrative fines of up to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher, also taking into account national specifics regarding the imposition of sanctions and fines.
Investing in measures to comply with data protection legislation is not just an administrative obligation. One of the obligations imposed by GDPR is to demonstrate compliance with the provisions for lawful processing of personal data, including along the supplier-intermediary-customer chain. As of May 25, 2018, counterparties have the right to require organizations, through contractual clauses, to take responsibility for the processing of personal data with respect to the services/products offered. Individuals whose data is being processed are also able to exercise an extended range of rights more effectively in relation to organizations’ activities and the services they provide. Therefore, the development of an adequate Data Protection Program should not only be seen as a normative burden aimed at avoiding heavy financial or reputational losses, but also as a strategic measure for providing a competitive service on the market.
In response to these needs, the LIBRe Foundation team combines legal, analytical and technical expertise with knowledge and long-standing experience in implementing the principles and specifics of personal data protection, in order to bring operational processes into compliance with these new requirements. In line with the data protection philosophy, we apply a risk assessment approach, integrating effective measures to address or minimize these risks and ensuring the lawfulness of processing at every step of the way.
We offer the following services:
- Development and implementation of a Data Protection Program
- Personal Data Protection Training
- Data Protection Officer as a Service
- Drafting a Code of Conduct under Art. 40 of Regulation 2016/679
More information about the data protection services we have provided can be found at:
- Consultations aimed at private legal entities and individual experts
- Consultations aimed at not-for-profit legal entities
- Framework Initiative for e-Justice Development in Bulgaria and Framework Initiative for e-Government Development in Bulgaria - for consultations aimed at public organizations and judicial authorities
- Framework Initiative for Personal Data Protection in the Healthcare Sector in Bulgaria - specific services aimed at healthcare representatives
For an individual offer or clarification with respect to the services offered, please contact the LIBRe Foundation team directly.
Development and implementation of a Data Protection Program
The scope of services for the development of a Data Protection Program for natural and legal persons processing personal data (with the exception of the activities listed in Art. 2.2 of the General Data Protection Regulation), regardless of the scope of services, field of activity, number of employees, financial turnover and/or number of years on the market, includes:
Initial analysis of the organization’s problems and processing risks and development of an Action plan.
This task involves conducting a kick-off meeting with the management team of the organization subject to compliance, presenting the main steps towards an effective Data Protection Program and their specifics.
As a result, an Action plan compiling all essential tasks is established, followed by the appointment of a single point of contact on behalf of the client organization. The Action plan includes all interim deadlines (for both parties), including response times in case of questions or specific communication needs, as well as all potentially critical points in the development of the Data Protection Program.
Data mapping and analysis of data flows.
This task aims at gathering information about the business processes within the client organization in order to bring its activities and the activities of its employees into compliance with Bulgarian and European personal data protection legislation, and to prepare the internal procedures and documents required for lawful processing so as to reduce, counteract or completely eliminate the risks associated with such processing. It includes legal and organizational analyses of the nature, scope, context and purposes of processing personal data, carried out by reviewing internal documents and information and providing expert evaluation of: (a) categories of data subjects; (b) categories of personal data processed; (c) processing purposes, including through the organization's technology portfolio and its interrelation with the volumes of information and personal data handled by the organization; and (d) means of processing (description of data repositories, data flows, processes and actors involved, etc.), including internal data flows and interconnections between the client organization and third parties, main establishment, storage limitations, the positions in the organization handling the data, and recipients to whom the personal data have been disclosed.
The implementation of this task can be supplemented by a technological audit depending on the activities and capabilities of the client organization.
As a result of this task, LIBRe Foundation’s team prepares a report on the analysis carried out, including a visualization of the data and/or its description in a record of processing activities.
The results of this analysis are placed at the disposal of the client organization to provide detailed information and expert evaluation on: the value of the information at its disposal; the legal, ethical and economic risks to information security and, in particular, to the personal data processed by the organization; and the necessity to undertake specific technical, organizational and legal measures to improve the security of the information and personal data processed by the organization, including evaluating the need to appoint a Data Protection Officer.
Data Protection Impact Assessment (DPIA) – a process of assessing the risks arising from the identified inconsistencies. It is designed to describe the processing activities in a systematic and functional way, assess their necessity and proportionality, and help manage the risks to the rights and freedoms of individuals arising from the processing of personal data by analyzing and determining the proper measures for resolving these risks. The DPIA is an important tool for the accountability preparedness of the data controller, as it helps not only to comply with the requirements of the General Data Protection Regulation but also to demonstrate that appropriate data protection measures have been taken.
As a result, LIBRe Foundation’s team provides an assessment report, which includes: (a) a list of potential GDPR non-compliances, indicating the most serious risks to be addressed as a matter of priority; (b) a risk assessment plan covering both risks to the rights and freedoms of data subjects (e.g., discrimination, disproportionate interference with the right to privacy, etc.) and risks to the security of processing, consisting of a description of the objectives of the risk assessment, the chosen risk assessment methodology, and a description of the risk assessment procedure to be followed; and (c) an evaluation of the risks and recommendations for specific mitigation measures, the results of which are documented in the report.
The expert assessment of the organization's activity provides specific recommendations for organizational and technological measures, including security measures to overcome the identified risks to the security of processing.
Development of internal rules and procedures through which the organization will operate in accordance with the applicable legal norms and principles for lawful personal data processing. It consists of two sub-stages: (a) development of a Data Protection Program implementation plan taking into account the specifics of the organization and its activities, which may require the preparation of additional documents and/or procedures; and (b) drafting of the documentation required for the management of the Plan.
During the development of the required documentation, we help the client organization to develop a record of processing activities, policies and terms of use for services provided by electronic means, internal instructions and procedures, a data breach policy, internal control procedures, a data protection impact assessment policy and procedures, and guidelines and procedures guaranteeing that data subjects can exercise their rights, including the right to be forgotten, the right to data portability, etc.
In addition, we develop templates for contracts or contractual clauses for transfers of personal data to non-EU countries and/or redraft existing or develop new subcontracting contracts imposing data protection obligations on data processors working for/with the client organization. In this way the client organization aligns its partner relationships with the requirements for lawful personal data processing while, at the same time, guaranteeing the optimal protection of the rights of the individuals whose data are processed.
Personal Data Protection Training
The LIBRe Foundation team organizes in-house/sector-oriented training sessions on personal data protection with a focus on the basic principles of lawful processing, the organization's obligations as a data controller/data processor of personal data, the framework for compliance with Regulation 2016/679, and the technological and organizational measures necessary to achieve this compliance.
The aim of the training is to:
(a) help the participants understand the different categories of personal data processed by their organizations, and how internal data flows and interconnections between their organizations and third parties affect the rights of their customers, clients and partners;
(b) explain what organizational, legal and technical measures the organization has to undertake to protect the personal data it processes, and how this affects the work of its employees and the communication with counterparties; and
(c) provide detailed information on how to achieve compliance with GDPR.
Data Protection Officer as a Service
For more information, please visit the Data Protection Officer as a Service page.
Drafting a Code of Conduct under Art. 40 of Regulation 2016/679
According to Art. 40 of Regulation 2016/679, Member States, supervisors, the European Data Protection Supervisor and the EC encourage the development of codes of conduct designed to contribute to the correct implementation of the Regulation, taking into account the specificities of the different data processing sectors and the specific needs of micro, small and medium-sized enterprises. Adherence by a controller/processor of personal data to an approved code of conduct or an approved certification mechanism may be used as evidence to demonstrate compliance with the relevant legal obligations.
Associations or other bodies representing categories of controllers or processors of personal data are encouraged to draw up codes of conduct within the framework of Regulation 2016/679 in order to facilitate its effective implementation, taking into account the specificities of data processing in certain sectors and the specific needs of enterprises in these areas. In particular, these codes of conduct can establish the parameters of the duties of controllers and processors, taking into account the risk to the rights and freedoms of individuals that is likely to arise from the processing of data.