A joint initiative of the OECD and the EU, principally financed by the EU.

Slide 4: The LEPL Digital Governance Agency (DGA)
Digital governance development (state policy on digital governance)
Establishment of new e-services based on e-governance
Support and coordination of the development of IT systems (unified state policy)
MY.GOV.GE
Establishment of the Georgian Government Gateway (G3) integrated data exchange infrastructure and ensuring access to information resources
Ensuring information security and cybersecurity (CII in the private sector)
CERT.DGA.GOV.GE
Slide 8: PSDA’s Mission
Public Service Development Agency (PSDA), functioning under the Ministry of Justice, was founded in July 2012.
Supporting Georgia’s ongoing reforms
Fostering creativity and innovation in public services
Assisting public entities to improve the delivery of public services
Updating the population database
Slide 11: State of play in Georgia
Qualified Trust Services: time stamps, eSeals, eSignatures
Legislative basis
• The Electronic Documents and Electronic Trust Services law (in force since 2018) is based on eIDAS principles
• GDPR principles are not yet fully reflected in existing legislation. A newly drafted law aims to adopt GDPR principles
Trust services
• CAB: any CAB accredited in the EU under eIDAS
• QTSP and Root CA: Public Service Development Agency
• eSignatures, eSeals, time stamps (QTSP: Public Service Development Agency)
Common use cases
• Online public services (e.g. My.gov.ge)
• Public procurement
• Public servants’ declarations
• Municipal services (ms.gov.ge)
• Etc.
International compatibility and interoperability
• Completed an audit by a CAB accredited under eIDAS against ETSI/CEN standards
• Conducted a self-assessment with the EU MRA Cookbook, aiming to prepare for mutual recognition with the EU
• EU4Digital: technical compatibility of eSignature completed
Slide 12: State of play in Georgia
[Charts comparing 2021 and 2022: Issued Qualified eSignature Certificates; Time Stamp Transactions; Online Certificate Status Protocol (OCSP) requests]
eSignature Certificates: Overall Issued 5,263,779; Active 1,029,413
Slide 14: Mandate of Personal Data Protection Service of Georgia
> Monitoring lawfulness of personal data processing
Reviewing citizens’ applications regarding personal data protection;
Examination of the lawfulness of data processing (inspection);
Consulting on issues concerning data protection;
Providing information on important events to the public and increasing its awareness.
> Monitoring covert investigative actions and activities performed within the central databank of electronic communications identification data
Inspection
The Public Sector Oversight Department
The Law Enforcement Sector Oversight Department
The Private Sector Oversight Department
The Department of the Planned Inspections
Slide 17: Legal Framework
> Law of Georgia on Personal Data Protection, the so-called “umbrella legislation”, applying to all sectors.
> The draft law redefines the legal issues of personal data protection and introduces the following legal novelties:
Personal data breach notification to the PDPS;
The legal institution of a Data Protection Officer (DPO);
A mechanism for a Data Protection Impact Assessment (DPIA), etc.
Slide 18: Law of Georgia on Personal Data Protection
Article 4: Principles of Data Processing
The following principles must be observed during data processing:
a) data must be processed fairly and lawfully, without impinging on the dignity of a data subject;
b) data may be processed only for specific, clearly defined and legitimate purposes. Further processing of data for purposes that are incompatible with the original purpose shall be inadmissible;
c) data may be processed only to the extent necessary to achieve the respective legitimate purpose. The data must be adequate and proportionate to the purpose for which they are processed;
d) data must be valid and accurate, and must be updated, if necessary. Data that are collected without legal grounds and irrelevant to the processing purpose must be blocked, deleted or destroyed;
e) data may be kept only for the period necessary to achieve the purpose of data processing. After the purpose of data processing is achieved, the data must be locked, deleted or destroyed, or stored in a form that excludes identification of a person, unless otherwise determined by Law.
Slide 19: Law of Georgia on Personal Data Protection
Article 17 – Data security
1. A data controller shall be obliged to take appropriate organisational and technical measures to ensure protection of data against accidental or unlawful destruction, alteration, disclosure, collection or any other form of unlawful use, and accidental or unlawful loss.
2. A data controller shall be obliged to ensure registration of all operations performed in relation to electronic data. When processing non-electronic data, a data controller shall be obliged to register all operations with respect to disclosure and/or alteration of data.
3. Measures taken to ensure data security must be adequate to the risks related to processing of data.
4. Any employee of a data controller and of a data processor, who is involved in processing of data, shall be obliged to stay within the scope of powers granted to him/her. In addition, he/she shall be obliged to protect data secrecy, including after his/her term of office terminates.
5. The data security measures shall be defined by the legislation of Georgia.
Slide 20: Law of Georgia on Personal Data Protection
Article 46 – Failure to comply with data security requirements
1. Failure to comply with data protection requirements established by this Law shall result in a warning or a fine of GEL 500.
2. The same act committed by a person who has had an administrative penalty imposed in the course of one year for the violation under paragraph 1 of this article shall result in a fine of GEL 2 000.
Slide 21: Data Security
> Confidentiality obligations for employees.
> Introducing internal regulations related to data security and monitoring their implementation.
> Limiting access to data, defining access levels and monitoring access.
> Technical measures are mainly aimed at protecting personal data held in computers and networks.
> Technical measures include physical and information security.
Slide 22: Recommendations on Data Security
> Data processors should record the facts of data access and periodically monitor the legality of access;
> Data processors should implement a relevant policy document in the course of their activities, which reflects the rules and conditions of data processing;
> If data processing rules are violated, organizations should take appropriate measures to prevent illegal data processing in the future;
> Processors should determine the specific legal purpose of data processing, in order to establish an adequate data processing deadline and to take appropriate measures for data destruction or depersonalization after that deadline expires;
> The obligation of the authorized person to protect data security, and the related monitoring issues, shall be regulated by a written agreement and/or a relevant legal act.
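The obligations on slides 19, 21 and 22 (registering every operation on electronic data, defining access levels and monitoring access, and destroying or depersonalising data once its processing deadline has passed) translate directly into controls a data controller's system can enforce. The following is an added illustration, not code from the presentation, the PDPS or any Georgian agency: a toy record store that appends every operation to an audit log, depersonalises expired records, and runs an access review that reports reads outside an employee's granted purposes. All names, purposes, dates and the hashing-based depersonalisation are constructed assumptions.

```python
"""Added example (not from the presentation): a toy personal-data store that
enforces three of the obligations listed on the slides.

Assumptions (illustrative, not prescribed by the law or the PDPS):
  - every operation on an electronic record is appended to an in-memory audit
    log (Article 17(2): registration of all operations on electronic data);
  - each record carries the purpose it was collected for and a retention
    period; expired records are depersonalised (Article 4(e), slide 22);
  - an access review compares logged reads against each employee's granted
    purposes and reports the ones outside scope (Article 17(4), slides 21/22).
"""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass
class Record:
    subject_id: str
    name: str
    purpose: str            # the specific legal purpose the data was collected for
    collected_on: date
    retention_days: int     # processing deadline, counted from collection
    depersonalised: bool = False

    def expires_on(self) -> date:
        return self.collected_on + timedelta(days=self.retention_days)


@dataclass
class AuditEntry:
    when: date
    actor: str
    operation: str          # "create", "read", "depersonalise", ...
    subject_id: str
    purpose: str            # purpose claimed for the operation


class ControllerStore:
    def __init__(self):
        self.records = {}        # subject_id -> Record
        self.audit = []          # append-only list of AuditEntry
        self.access_levels = {}  # employee -> set of purposes they may process for

    def _log(self, when, actor, operation, subject_id, purpose):
        self.audit.append(AuditEntry(when, actor, operation, subject_id, purpose))

    def grant(self, employee, purpose):
        """Define an access level: which purposes an employee may act under."""
        self.access_levels.setdefault(employee, set()).add(purpose)

    def create(self, when, actor, record):
        self.records[record.subject_id] = record
        self._log(when, actor, "create", record.subject_id, record.purpose)

    def read(self, when, actor, subject_id, purpose):
        # Reads are served but always registered, so later review can judge them.
        self._log(when, actor, "read", subject_id, purpose)
        return self.records[subject_id]

    def apply_retention(self, today, actor="retention-job"):
        """Depersonalise records whose processing deadline has passed."""
        changed = []
        for rec in self.records.values():
            if not rec.depersonalised and today > rec.expires_on():
                # Replace the identifying field with a one-way token (assumption:
                # a non-identifying form is acceptable instead of deletion).
                rec.name = hashlib.sha256(rec.name.encode()).hexdigest()[:12]
                rec.depersonalised = True
                self._log(today, actor, "depersonalise", rec.subject_id, rec.purpose)
                changed.append(rec.subject_id)
        return changed

    def review_access(self):
        """Periodic legality check: reads whose purpose is outside the actor's access level."""
        allowed = self.access_levels
        return [e for e in self.audit
                if e.operation == "read" and e.purpose not in allowed.get(e.actor, set())]


def demo():
    """Constructed scenario: two records, one in-scope read, one out-of-scope read."""
    store = ControllerStore()
    store.grant("alice", "passport-issuance")
    store.grant("bob", "statistics")
    d0 = date(2022, 1, 10)
    store.create(d0, "alice", Record("S-001", "Giorgi Beridze", "passport-issuance", d0, 365))
    store.create(d0, "alice", Record("S-002", "Nino Kapanadze", "passport-issuance", d0, 730))
    store.read(date(2022, 3, 1), "alice", "S-001", "passport-issuance")  # within alice's scope
    store.read(date(2022, 3, 2), "bob", "S-001", "passport-issuance")    # outside bob's scope
    expired = store.apply_retention(date(2023, 2, 1))   # S-001's 365 days have passed
    flagged = store.review_access()                     # bob's read is reported
    return store, expired, flagged


if __name__ == "__main__":
    store, expired, flagged = demo()
    print("depersonalised:", expired)
    print("out-of-scope reads:", [(e.actor, e.subject_id, str(e.when)) for e in flagged])
    print("audit trail:", [(e.operation, e.actor) for e in store.audit])
```

The point of the design is that the audit log is the source of truth for both later obligations: the retention job records what it depersonalised, and the access review is computed from the same log rather than from a separate permission check at read time, so an access that slipped through still surfaces in the periodic review the recommendations call for.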