On February 10, 2024, the Personal Data Protection Service (PDPS) released recommendations to support compliance with the requirements related to security incidents set out in the New Law of Georgia on Personal Data Protection (the New Data Protection Act).

What are the main aspects of the recommendations?

The recommendations describe the steps that relevant responsible entities must take in the event of a data breach while also providing practical examples. Notably, the recommendations guide organizations on:

• taking effective measures to detect incidents by using, for example, technical mechanisms such as logs, data streaming, analytics, and/or other methods to detect activities;
• implementing an internal procedure to further respond to the incident after it is detected and define specific persons responsible for the response process;
• recording information related to data processing, including incidents, as required by Article 28 of the New Data Protection Act;
• how to inform the PDPS and the affected data subjects of the incident, as required under the New Data Protection Act;
• assessing the possible consequences caused by the incident to the rights of data subjects - in this regard, the recommendations further provide criteria for assessing the severity of violations of human rights and freedoms; and
• legal consequences of the failure to report an incident.

You can read the press release here and access the recommendations via a Facebook post here.