PRACTICAL GUIDE: HOW TO START COMPLYING WITH THE PERSONAL DATA PROTECTION LAW IN YOUR BUSINESS

September 4, 2025
For nine weeks, we have explained what personal data are, the rights of data subjects, the responsibilities of controllers and processors, the role of the Data Protection Officer, and the fines and sanctions imposed by the Information and Privacy Agency (IPA).
This week, the tenth and concluding week of our series on personal data protection in the Republic of Kosovo, we provide a short and practical guide for businesses that are starting or already processing personal data.
This article summarizes the key steps every organization should consider, offering concrete advice to ensure compliance with the law and the protection of personal data subjects’ information.
Assess the current state of your data processing and management!
Start by conducting an inventory of the data you collect and process, and determine whether they include personal data, sensitive data, or data used for monitoring and advanced analyses.
This step is essential to understand the level of compliance with the Law and to identify the main risks.
Appoint or contract a responsible person for data protection, and, where required, engage a Data Protection Officer (DPO)!
Every organization should have a responsible person within its structure who monitors compliance with the Personal Data Protection Law. This person can be an internal employee or an external professional who ensures that data processing procedures are correctly followed, staff are trained, and processing records are regularly maintained.
If your activities involve sensitive or large-scale processing, or if you are a public institution, it is mandatory to appoint a DPO. The DPO serves as the main point of contact for legal and technical advice and is responsible for communicating with the Information and Privacy Agency (IPA). Make sure the DPO’s appointment is notified to the IPA for transparency and effective operation.
Create and maintain processing records!
According to Article 39 of the Law on Personal Data Protection, every processing activity must be documented: purpose, data categories, recipients, retention periods, and security measures.
For businesses, it is useful to use a standard form for each activity, keep records in a central location, and update them regularly according to changes in processes or partners handling data.
Such practice helps demonstrate legal compliance, identify risks, and improve personal data management within the organization.
Develop internal policies and procedures!
Draft data protection policies, procedures for handling data subject requests, and breach management processes, ensuring that staff are informed and trained on these policies.
Conduct a data protection impact assessment!
When your activities process data that pose a high risk to individuals’ rights and freedoms, carry out a Data Protection Impact Assessment (DPIA).
For businesses, this means identifying risks, documenting the measures you take to minimize them, and preparing for any inspection or request from the IPA.
This step helps avoid serious breaches and demonstrates commitment to data protection.
Take appropriate security measures!
Implement technical and organizational measures to protect data: encryption, pseudonymization, access control, recovery procedures in case of incidents, and regular security system testing.
These measures minimize risks and demonstrate compliance with the Law on Personal Data Protection.
Create a plan for data breach incidents!
Develop procedures for notifying breaches, specifying how and when the IPA and, when necessary, the data subject will be informed.
Keep complete documentation of every incident to ensure traceability and accountability.
Monitor and continuously improve!
Regularly check compliance, improve processes, and train staff. This ensures data protection, minimizes risks, and builds a culture of respect for privacy within the organization.
Consult with experts!
In cases of legal or technical uncertainty, seek assistance from a DPO, lawyers, or specialized consultants. Preventing mistakes is always easier and less costly than resolving breaches.
Not all of these measures may be necessary for your specific case. Starting with expert consultation allows you to avoid unnecessary expenses, prevent fines, and ensure that your operations comply with the Personal Data Protection Law in the most precise and efficient way.
Complying with the Personal Data Protection Law may seem challenging, but a structured approach makes it manageable. Every step you take not only minimizes legal risks but also strengthens trust with clients and business partners.
The first step is always the most important. Start now and build a reliable and sustainable data protection system.
Author: Valmir Haziraj