As of the 25th of May, this year, all activities related to the processing and storing of personal data in each organisation will be subject to a new regulation – GDPR.The requirements set in it are much stricter in relation to the data privacy with the level of sanctions being one of the main changes.Companies need to take a number of measures before the announced date to prepare for the requirements of the new regiment and align their business processes with the Regulation. The basic step is to identify the discrepancies between the current state of the organisation and the GDPR requirements or the so-called GAP analysis. Assoc. Prof. Dr. Daniela Ilieva-Koleva, the Executive director and Member of the Management Board of Law and Internet Foundation will elaborate on what a Gap analysis is and why it is needed.

Law and Internet Foundation is a Bulgarian NGO & Research centre. In this regard, the Foundation has implemented a number of international and national projects in the field of legal, technological, economic and social issues related to the rapid penetration of information and communication technologies both in the public and private sectors, including legal analysis and evaluation legislation, development of strategic documents and analysis of national policies. One of the main approaches used by the Foundation team is the GAP analysis. The portfolio of the organisation includes both public authorities and private companies that have trusted the experience and expertise of a team of specialists to get a preliminary assessment and guidance on aligning their systems and processes with existing or newly introduced standards and regulatory requirements.

1. The first step of the alignment of the processes of an organisation with new standards and legislative regulations is to perform an internal workflow analysis, better known as GAP analysis. What should such an analysis in the context of GDPR include?

The GAP analysis in the context of GDPR assesses the current level of compliance with the Regulation and helps in identifying and prioritising the key areas of work within the organisation. It is a good approach for companies to understand and detect the high-risk weak areas of their processes for personal data processing and to be sure that they are meeting the requirements of the Regulation and they will not be subject of the enormous fines. The GAP analysis is a complete project that starts with the so called “inventory” of the procedures for personal data processing that identifies all activities and processes for processing personal data and their real scope – such as the company's relationship with staff, contractors, customers, CCTV, and many others. Given the broad application of GPDR and in order to achieve the objectives of the project, the organisation under analysis should ensure the involvement of all internal units. That would mean that in various stages, the senior management, HR and IT departments, Sales, Marketing, Supply, Logistics (and all other relevant departments) have to participate.

The GAP analysis provides a structured overview of the main activities in processing personal data, taking into account processing risks and includes recommendations for undertaking specific measures to align the company’s activities with the requirements of the regulatory framework.

2. Once the analysis has been completed and expert advice has been received, what actions should be taken by the controller and / or the processor of personal data?

Upon completion of the GAP analysis, the company should act to comply with GDPR requirements. To comply with the requirements of transparency, documentation and accountability, it is necessary to revise, adapt and prepare certain internal documents so as to ensure the lawful processing of personal data in the structure of the organisation concerned. The concrete measures that the controllers and the processors of personal data should take are the maintenance of detailed records of all major processing activities under art. 30 of the Regulation, updating and drafting a privacy policy and / or confidentiality policy, settling controller – controller, controller – processor relations through contracts or annexes to contracts, developing procedures for collecting consents from data subjects, developing processes for the exercise of the rights of natural persons and, in certain cases, the appointment of a data protection officer.

3. Tell us more about the figure of the Data Protection Officer.

The Data Protection officer (DPO) is the basis of the GDPR requirements and his/her appointment is mandatory in the specific cases provided in Art. 37 of the Regulation.

The concept of the Data Protection Officer is not entirely new, as it is a position existing in other European countries such as Germany and recognised as useful for organisations in order to comply with the applicable data protection requirements. In Bulgaria, so far, there has been a legal possibility, but not an obligation to appoint a person for the protection of personal data.

However, the GDPR introduces completely new responsibilities of the DPO, which should perform a wide range of activities. Within the scope of the position, the task of performing the role of a contact point for the supervisor as well as for individuals on matters related to the processing of their personal data and the exercise of their rights is to inform and advise the controller of the duties, compliance with the requirements of the Regulation, report directly to the management of the organisation.

In general, this is the "person in charge of the data protection" that helps companies comply with the basic requirements of accountability, transparency and documentation.

4. The Regulation specifies two options for the DPO – to be a member of the staff or to be outsourced externally? What factors should be taken into account when deciding?

When appointing as a staff member, the companies should keep in mind that the DPO is an independent figure. In order to ensure its independence as well as direct co-operation with the management of the company, he / she should be assigned in a high hierarchical position. An especially important aspect is to monitor the occurrence of conflicts of interest in cases of job matching. A Human Resources Officer, an IT Officer, an internal legal adviser, or senior management staff directly involved in the processing of personal data and defining the purposes and means of processing cannot perform that job. In most cases, there is almost no office in the company that falls outside this scope. When hiring an employee, however, the organization should also provide a sufficient degree of workload for the person and his / her interchangeability in the event of his / her absence.

When choosing a DPO, what should be taken into account is not only his / her professional skills in the field of personal data protection but also his / her knowledge of the industry and his / her communicative qualities, which will help him / her to cooperate effectively with the supervisor, the subjects of data and with the company's management.

In the case of outsourcing, the company assigns the duties of a Data Protection Officer to a prepared team of experts to perform this role. This company commits to provide a quality service by assuming a duty of confidentiality and ensuring that such obligations are assumed by all its team members. This ensures more independence for the DPO, thereby reducing the risk of conflicts of interest. A conflict of interest in these cases would arise if the official was invited to represent the company in courts for personal data protection cases.

5. In the event of a violation and imposition of a fine to an organisation, to what extent is the DPO baring the responsibility?

First, we should say that the controller or the processor is responsible for complying with the requirements of the Regulation. The DPO is an independent expert advising the organisation to comply and implement accordingly the requirements and to maintain a constant high level of personal data protection. In order to avoid such situations, it would be useful for the officer to be largely involved and engaged in a large part of the processing and protection of personal data in order to advise and inform on potential risks in a timely manner. The DPO, however, does not take and should not make the decisions related to data processing. It provides independent advice and guidance that the administrator or the processor can comply with or not at their discretion.

However, in the event of a situation in which the Officer does not fulfil the obligations associated with his / her duties, his / her activity may be suspended or dismissed under the applicable contractual or labour law.

6. It is obvious that the "Data Protection Officer" has become a separate, brand new profession. What advice would you give to companies when choosing such person?

An accelerated recruitment for Data Protection Officers is currently underway. If companies have difficulties choosing a suitable staff member, as already mentioned, there is also an option for outsourcing. Many companies in Bulgaria already offer this service as part of their diverse portfolio, while others focus only on outsourcing data protection officers.

The choice remains in the hands of organisations, but the designation of such a person should be a well-thought-out and responsible decision.