It has been almost 1.5 years since the General Data Protection Regulation (hereinafter GDPR) was implemented in the EU. Since then, many improvements related to data processing and protection have been made in Estonia – in both the private sector and the public sector. As our previous article showcased how to start a company in Estonia and the benefits Estonian legislation offers, this article concentrates on the main steps companies operating in Estonia must take to comply with the GDPR and local legislation. All examples have been compiled from our practice.

How the GDPR has affected Estonian companies and how Estonians have embraced it

Since the GDPR entered into force, the supervisory authority in Estonia has started only 101 infringement procedures. This low number of infringement procedures, taken together with the fact that over 3500 data protection officers are already registered, shows how well Estonian companies have adopted the GDPR in their work environment. New companies and start-ups, however, have little knowledge of the steps they need to take to be compliant with the GDPR, and therefore they turn to us for advice.

Our practice and highlights working with clients on GDPR

We have found that compiling a questionnaire for the client has been the most successful approach when completing GDPR-related documents. The questionnaire is compiled taking into account the field and structure of the company, the personal data it might process and the purpose of the processing. When the client has answered all the submitted questions, we can assess our client's needs in regard to the GDPR. Based on the questionnaire, we compile a so-called data protection audit which highlights the aspects of concern. All shortcomings found during the audit process are met with our high-level recommendations.

In our practice, the most requested documents are those addressed to the public or to the supervisory authority. A privacy policy is well known to legal experts, but most entrepreneurs do not know what a privacy policy must contain or what constitutes data protection by design and by default, the latter in combination with the transparency principle stated in the GDPR. The questionnaire mentioned earlier helps us compile the records of processing activities, which is the main document the supervisory authority requests when conducting an investigation. Most entrepreneurs find these records difficult and complex to compile, so they turn to us for help. In most cases, we combine the processing records with data protection officer (hereinafter DPO) training, so that the DPOs see what these records hold and what must be kept up to date.

Furthermore, as mentioned earlier, we offer DPO training in combination with completing the processing records. These trainings are directed at the companies' DPOs and highlight their obligations stemming from the GDPR. The combination has shown great results, as the DPO gains a precise overview of each of their company's obligations. These meetings offer a direct and comprehensive course, with the outcome of a sufficiently trained and capable DPO.

Of course, not all DPO training takes place only when the client needs processing records. Additional DPO training takes place constantly, where we highlight changes in the law or new and improved methods concerning the GDPR. We have seen that a large room full of trainees does not produce the intended results. With a maximum capacity of six people, the training process has shown much better results, as the DPOs themselves can ask questions and pinpoint the difficult parts of GDPR obligations with which they struggle. Every training session has had a different outcome, depending solely on the questions asked and the direction the trainees wish to take.

Impact assessments are another major obligation that most of our clients struggle with. An impact assessment can be seen as a SWOT analysis directed at personal data processing and its outcomes. Where the client is required to carry out an impact assessment, a questionnaire is a great tool for carrying it out efficiently and precisely. We have developed our own method for impact assessments, which gives our client an overview, risk assessments and measures for further compliance with the GDPR.

All in all, Estonian entrepreneurs have mostly embraced the requirements of the GDPR, as they understand that consumers want to protect their privacy. The small number of infringement procedures started by the Estonian supervisory authority is a good example of how companies value their clients and their privacy. We pride ourselves on finding the best solutions, and the quickest and most convenient ways, for our clients.

The article's author is our lawyer Raiko Pajula.