(This content is a translation of the original article in Macedonian, published on the 7th of December 2022)
What are the challenges in the implementation and harmonization of the Law on personal data protection, the manner in which the controllers cope with challenges and what are the possibilities to preserve the privacy of personal data were the main issues covered by the panel discussion “Implementation of the Personal Data Protection Law: Good practices, challenges and future steps”, that took place on the second day of the conference “E-Society.mk: Cyber Resilience for Freedom and Security”, organized by the Metamorphosis Foundation.
According to Manuela Stanoevska – Stoilkovska from the Personal Data Protection Agency of North Macedonia, the Law on personal data protection was adopted in 2020, and the changes are in the data protection concept, expressed through the principle of accountibility and the manner of applying technical and organizational protection measures that will be developed after the risk-assessment.
Stanoevska- Stoilkovska said that the entire law insists that all protection measures should be planned and undertaken prior to handling personal data, as well as to ascertain and determine the legal aspects before applying the technical measures. In the experience of the Agency in the last three years of law enforcement, the number of controllers who issued notifications about the breaches in the security of personal data was small, even though the real number is ten times higher.
Vesna Radinovska (left), Manuela Stanoevska – Stoilkovska (right)
“If the controllers determined or if they were notified about a data security violation and they undertook measures to prevent it, that means that they have established a protection system and abide by the accountability principle”, Stanoevska – Stoilkovska explained.
She specified that since the adoption of the law, 13 rulebooks, two decisions and a harmonization methodology for harmonization of the controllers had been adopted, but also for representing the personal data protection rights of the citizens.
“Law enforcement should not be seen as a necessary evil and a way to avoid specified fine. Officers should not be treated as a cost, but the protection should be seen as an investment”, deemed Stanoevska – Stoilkovska.
Arben Gudachi from the Macedonian Young Lawyer’s Association stressed that quite often the civic organizations play the role of controllers of personal data protection. The implementation is a great challenge for smaller organizations, due to lack of staff, and resources for training or for employing officers.
“There is so much disinformation, for example, that every organization must have an officer and acts adopted. Law enforcement should not be reduced to what should be owned, and every time when a civil society organization is concerned, one should understand the surroundings in which it operates. Organizations should change the way they operate, otherwise it will mean nothing, even if they have an officer”, says Gudachi.
The perspectives of the private sector and how the Personal Data Protection Law affected companies was the topic of discussion of Emilija Angelovska, the representative of MASIT – ICT Chamber of Commerce. She believes that the law is good and that it could be adjusted to the operation of every company, instead of using current models and copying rules introduced by other companies.
“The data does not belong to the companies, but to natural persons, and when borrowed, that data must be protected as something that does not belong to the borrower. If we manage to apply that, we will be harmonized with the law successfully”, said Angelovska, emphasizing the fact that legal principles should be applied as operational standards of the companies, not as obligations.
According to Elena Stojanovska – personal data protection expert – building a privacy culture was a long and complex process that was also related to the mentality.
“We think about our privacy when we run into trouble. We should be changing our habits, behavior and mindset about privacy and which is the boundary of sharing our personal data”, Stojanovska said.
She deemed that training was the key in the personal data protection process and upholding the right to information that we enjoy by default.
In addition, the panel discussed the latest case of the Ministry of Labor and Social Policy with publishing the names of social welfare beneficiaries on its website.
According to the speakers, this case showed that the publication of personal data was still a legally approved obligation of the institutions, i.e., that many of the laws regulating the matter of publishing private information were not harmonized with the Personal Data Protection Law.