
Lulzim Puka
IT Manager Unit center / Lead Auditor
Getting Your Business Ready For Data Privacy Legislation
Data is a valuable currency in this new world: big tech companies like Google, Facebook, and Amazon are not selling a product; the consumers themselves are what those giants sell. And while data privacy legislation creates challenges and pain for businesses, it also creates opportunities. In Albania, businesses are still uncertain about what they need to do to comply with data privacy regulation. Law No. 9887, dated 10.03.2008, “On Protection of Personal Data”, amended by Law No. 48/2012, dated 26.04.2012, and further amended by Law No. 120/2014, has incorporated provisions of the General Data Protection Regulation (GDPR), and the Information and Data Protection Commissioner (IDP) has issued some decisions to complete the implementation of the provisions of the Law. This institution, the Information and Data Protection Commissioner, is the responsible authority entitled to supervise and monitor activities related to the protection of personal data and to guarantee the correct implementation of the Law.
How will Data Privacy Legislation impact businesses?
Data privacy legislation is likely to affect businesses in several ways, because companies will be more accountable for how they handle individuals’ data. That is why companies need to rethink how they market the services they offer and to guarantee they are not processing unnecessary data. According to the GDPR, companies will have to pay 10 to 20 million euro or up to 4% of their worldwide annual turnover, whichever is higher. In Albania, the administrative fines imposed by the IDP can vary from 10 000 Leke up to 1 000 000 Leke for each case of data processing that contradicts the provisions of this law. The maximum fine is doubled in cases of non-compliance where the data are processed without the required authorization. Besides the monetary loss of the compensation payout, companies might suffer great business losses due to damaged reputation. The potential adverse impact for businesses that fail to comply with the new requirements might be as severe as bankruptcy. The steps every company must take to comply with the GDPR requirements and to achieve transparency:
- Map the information flows.
- Prepare the personal data inventory.
- Define the purpose of use of personal data.
GDPR overlap with ISO 27001
A privacy management system is different from an ISMS (information security management system), but the two are closely related. The approach a privacy management system takes recognizes that information security (the preservation of the confidentiality, integrity, and availability of information) is a key aspect of effective privacy management, and that the ISMS requirements documented in ISO 27001 can support adding sector-specific requirements onto the ISMS without the need for a new management system specification. ISO 27001:2013 outlines 114 controls that can be used to reduce information security risks.
There are several similarities between ISO 27001 and the GDPR, the biggest and most significant data privacy regulation in 20 years.
Data privacy requires a gap analysis that must cover the following processes:
- Governance IT security/Data Protection
- IT Risk assessment process, PIA process
- Data protection subject
- Data Register
- Data protection officer
- The consent process
- The awareness process
- Personal data processing and data protection mapping
- Rights of data subjects / right to be forgotten
- Third-party processing of personal data
- Information security management system (ISMS)

That is why implementing a High-Level Structure management system standard such as ISO 27001 (ISMS) will help businesses ensure data privacy compliance.