Personal Data Protection (GDPR) Assessment

Data controllers and processors, i.e. organizations that carry out personal data processing operations, must comply with the requirements of the General Data Protection Regulation (GDPR) in order to maintain the fundamental rights and freedoms of natural persons, in particular their right to the protection of personal data.

To comply with the requirements of the GDPR, organizations must first assess what data, for what purposes, to what extent, on what legal basis it is processed, how long it is stored, from what sources it is obtained, and to whom it is provided. The audit of the processes related to the protection of personal data (according to the requirements of the GDPR) allows establishing whether the data processing operations endanger the rights and freedoms of data subjects and the principles provided by the GDAR (lawfulness, fairness and transparency, purpose limitation, data reduction, accuracy, retention limits, integrity and confidentiality, and accountability).

To properly implement technical and organizational measures, organizations should also assess the adequacy of personal data security measures after performing a risk assessment and compliance assessment in accordance with the State Data Protection Inspectorate (SDPI) guidelines, information and cyber security requirements established in the legislation of the Republic of Lithuania, ISO 27001 and 27002 requirements.

Organizations must not only ensure compliance with GDAR requirements, but also be able to demonstrate this, so it is important to have proper documentation. Infringements of the GDPR may result in administrative fines of up to 2 – 4%. the total annual worldwide turnover of the preceding financial year, or up to EUR 10 000 000 to EUR 20 000 000.

• We gather evidence and information
• We evaluate the internal legislation that helps to implement the requirements of the GDAR
• We prepare a data map, check and update data activity records as needed
• We analyze and evaluate the processes by which personal data is processed and managed
• We evaluate the implementation of the GDAR principles and the guarantee of the rights and freedoms of data subjects
• We perform an adequacy assessment of the implemented organizational and technical measures
• We perform a risk assessment and, if necessary, a data protection impact assessment
• We prepare recommendations for elimination of non-conformities and risks and for risk management

• Internal legislation assessed and discrepancies identified. Internal legislation governing the protection of personal data in the organization has been assessed and discrepancies identified
• Data map prepared. The processed data assigned to the respective data and activity category have been identified
• Checked and updated data activity records. Existing records of data activities have been assessed and, if necessary, updated with detailed descriptions of the processing of personal data
• Evaluated data processing and management processes. How personal data is processed is analyzed and their processing processes are evaluated
• A legal assessment of the implementation of the GDAR principles and the guarantee of individual rights and freedoms has been performed. The goals and bases of personal data processing have been established, and the implementation of the GDAR principles has been translated
• The compliance of the implemented organizational and technical measures was assessed. Compliance with the guidelines of the State Data Protection Inspectorate has been assessed. A compliance assessment report has been prepared, which details the non-compliances identified during the compliance assessment with the requirements set out in the guidelines of the State Data Protection Inspectorate and recommendations for the elimination of the identified non-compliances. According to the need, compliance with the information and cyber security requirements established in the legal acts of the Republic of Lithuania was assessed. A compliance assessment report has been prepared, which details the non-compliances identified during the compliance assessment with the requirements of the legal acts of the Republic of Lithuania and recommendations for the elimination of the identified non-compliances. Compliance with ISO 27001 and ISO 27002 requirements was assessed as required. An ISO 27001 and ISO 27002 compliance assessment report has been prepared, which details the non-compliances identified during the compliance assessment, ISO 27001 and ISO 27002, and recommendations for correcting the identified non-compliances.
• Risk assessment performed. A risk register and a risk assessment report with a risk management plan have been prepared
• A plan of measures for elimination of non-compliance and risk management has been prepared

Benefits

• Processes of personal data processing and their lawfulness have been established
• Adequacy of organizational and technical measures and compliance with GDPR requirements were assessed
• The data protection impact assessment has been carried out
• Risk identified and assessed
• A plan of measures for the elimination of non-compliances and risk management has been prepared
• The rights and freedoms of data subjects are guaranteed
• Compliance with GDPR requirements is ensured

• A Compliance Assessment Project Has Been Implemented in the State Tax Inspectorate
• A Compliance Assessment Services for Government Information Resources and Communications and Information Systems Managed and Managed
• National Health Insurance Fund User Identity and Rights Management and User Registration and Control System Implementation Project
• Independent Electronic Health Services and Collaboration Infrastructure Information System (ESPBI IS) Security Audit Project of SE Center of Registers