Data protection

My experience in privacy and data protection in Lithuania spans two decades. I have been practicing in this field since 1998, and I am also a privacy educator and researcher. It is noteworthy that the Law on Legal Protection of Personal Data has regulated personal data protection in Lithuania since 1996.

My experience covers basic data protection issues – the preparation of enterprise data protection documents, the drafting of consent forms, contracts, communication with supervisory authorities – and highly complex issues, such as company group-level data protection, data loss incidents, etc.

The processing and protection of personal data is an essential part of an effective modern business and is a part of the broader information/knowledge management process in the company. An effective organization is one that:

  • Actively manages data, information and knowledge;
  • Pursues paperless management, convenient and simple processes;
  • Maintains rational and proportional security.

Personal data processed by companies or organizations are generally related to employees, consumers, customers or patients. Some of these data are very personal and intimate, and are referred to in the law as sensitive personal data. Personal data is an asset for the company and is essential for business success. Thus, ensuring data security and respecting the privacy of individuals is a vital part of the business. Data may be lost due to willful externalities, internal negligence or just by accident. In order to avoid this, it is essential to know what data is processed and how, and to implement pertinent security measures. Companies or organizations must take care of their clients’ rights and interests.

The General Data Protection Regulation (GDPR), which enters into force on May 25, 2018, expands the data protection obligations of companies:

  • Most businesses will have to carry out data protection impact assessments;
  • All businesses will need to maintain comprehensive personal data processing documentation (Personal Data Processing Rules, sufficient now, will not be enough);
  • Most businesses will have to appoint a Data Protection Officer;
  • Businesses will have to immediately inform the Data Protection Authority, and in some cases also the data subjects, about data incidents;
  • Businesses will have to review the existing consents of the data subjects (clients, users, employees, etc.) and ensure new rights of data subjects.

Personal data protection contributes to corporate reputation and trust in the business. Poor data protection practices lead to loss of reputation, customers and revenue.

Businesses that fail to protect personal data and fail to comply with statutory obligations face legal liabilities, high administrative penalties, as well as claims for compensation for civil damages.

As a general rule, a business shall carry out a personal data protection audit (data protection impact assessment) at least once a year, or whenever new IT solutions are implemented. Based on the results of the audit, the appropriate data protection hard and soft tools, proper documentation and employee training may be implemented.

These responsibilities are provided in the current legislation and made obligatory in the General Data Protection Regulation.

Many businesses do not know where to start, i.e. how to perform a personal data protection audit, how to choose data protection measures, which procedures to follow and what documentation to prepare.

Data Protection Lead: Prof. Dr. Mindaugas Kiškis

Knowledge Management, Paperless Organization and Information Security Lead: Dr. Austė Kiškienė