Data protection obligation

What Obligates Companies Under the "Law on Personal Data Protection"?

In today’s world, where technological advancement is accelerating rapidly, the protection of personal data is becoming an increasingly relevant issue. In response to this challenge, on 14 June 2023, the Parliament of Georgia adopted the updated Law on Personal Data Protection, which obliges data processors to ensure data security in accordance with the procedures established by law.

What Does the Personal Data Protection Law Say About Data Security?

To ensure the security of personal data, technical and organizational measures must be taken during data processing that adequately protect the data — including from unauthorized or unlawful processing, as well as from accidental loss, destruction, or damage.

What Does This Mean in Practice?

A data processor must take specific steps, including:

🔐 Encryption and password protection – when processing data in electronic form.

🔍 Access control – data should only be accessible to individuals who require such access for their job functions.

🧾 Logging and monitoring – documenting who processed the data, when, and for what purpose.

📄 Development of internal policies – a formal security policy must exist in written form, be communicated to employees, and be effectively enforced.

🧠 Employee training – security cannot exist without proper knowledge and awareness.

A Risk-Based Approach

Article 27 of the law emphasizes that data security measures must be selected based on the nature, scope, context, and purposes of the processing, and – importantly – must take into account the level of risk posed by potential data breaches.

In other words, the more sensitive the data and the higher the risk of its exposure, the stricter the protective mechanisms must be.

Conclusion

To ensure compliance with the law and avoid serious financial or reputational consequences resulting from violations, it is essential to fully meet the standards set by the data protection legislation. And it all starts with a well-defined and properly implemented data protection policy, which forms the fundamental basis of a sound data protection standard.

If you would like more information about the legal requirements, feel free to contact us or subscribe to our page.