In order to comply with the principles, values and rules for the protection of personal data laid down in the new Law on the Protection of Personal Data ("Official Gazette of the Republic of North Macedonia" No. 42/20), the controller will have to take appropriate action to improve, upgrade and adjust its established personal data protection system in line with this law.
In that context, the controller will have to perform an in-depth analysis of its existing personal data protection system against those provisions of the Law on the Protection of Personal Data that apply to its operations of collecting, processing and storing personal data.
When performing the in-depth analysis, the controller will also need to make an assessment that will cover the following issues in particular:
- an inventory of all collections of personal data, recording for each: the purposes of processing; the categories of natural persons (data subjects) and categories of personal data; any transfer of personal data to other countries; and the prescribed retention periods, i.e. the deadlines for deleting the various categories of personal data,
- determining the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons (data subjects) arising from that processing,
- the position, role, rights, obligations and responsibilities of the personal data protection officer,
- the technical and organizational measures currently in place and whether they need to be upgraded and improved to meet the measures provided for in the Law on the Protection of Personal Data,
- the documentation of the technical and organizational measures and its alignment with the provisions of the Law on the Protection of Personal Data,
- the contractual provisions on personal data protection agreed with processors (allocating the mutual rights and obligations of controller and processor), together with an evaluation of how the data protection rules are actually being applied under them,
- the established training system for employees regarding the protection of personal data,
- the processes for informing natural persons (data subjects) of their rights and of how to exercise them, namely the rights to information, access, rectification, erasure, restriction of processing, data portability and objection,
- the processes for transferring personal data to other countries and the legal basis on which each transfer is carried out,
- the information infrastructure and software applications in use and whether they need to be upgraded and adjusted to the standards and measures provided for in the Law on the Protection of Personal Data, in particular as regards data protection by design and by default,
- the established system for periodic internal control of personal data processing operations,
- profiling processes, as well as the legal and information framework within which they are carried out,
- the position, role, obligations and responsibilities of management and employees within the existing personal data protection system and the need to adjust them to the rules provided for in the Law on the Protection of Personal Data (the principle of accountability).
After completing the in-depth analysis, the controller will have to adopt and implement an Action Plan setting out the planned activities and measures in order of priority, together with a timeline for achieving compliance with the provisions of the Law on the Protection of Personal Data.
After implementing the activities and measures from the Action Plan, the controller will have to continuously monitor and verify the application of the harmonized personal data protection system, and coordinate the activities of employees and management so as to maintain it. Within that framework, the personal data protection officer will play a key role: coordinating employees and management, handling communication between them, providing their training, and monitoring and verifying the system's compliance with the Law on the Protection of Personal Data.