Personal Data Protection in BiH
Align your business with the new law
Professional consulting for compliance with the BiH Personal Data Protection Law — from GAP analysis to full implementation.
Our Services
Complete spectrum of GDPR services
From initial assessment to continuous monitoring — we cover all aspects of personal data protection.
Compliance GAP Analysis
Detailed assessment of your organization's current data protection status.
Privacy Policy Development
Creating complete personal data protection documentation.
Data Protection Impact Assessment (DPIA)
Risk assessment of data processing on individuals' rights and freedoms.
Employee Training & Education
Training programs to raise data protection awareness.
Incident Management
Establishing procedures for responding to data protection breaches.
External DPO (Data Protection Officer)
Professional external data protection officer service.
International Data Transfers
Compliance of personal data transfers outside BiH with legal requirements.
Technical Protection Measures
Encryption, MFA, firewalls, SIEM monitoring, and zero-trust architecture for data protection.
Service Packages
Choose the right package for your organization
Three service levels tailored to different needs and organization sizes.
Start Package
For organizations beginning their compliance journey
- Basic GAP analysis
- Privacy policy
- Processing activities register
- Consent forms
- Basic employee training
Compliance Package
Complete solution for full compliance
- Detailed GAP analysis
- Complete documentation suite
- DPIA for key processes
- Incident response plan
- Training for all employees
Advanced Package
For organizations with complex data processing
- Everything in Compliance package
- Advanced DPIA analysis
- International data transfers
- Legitimate interest assessment
- Advanced technical measures
How compliant is your organization?
Answer 13 questions and discover the current state of data protection in your organization. Free and no obligations.
FAQ
Frequently Asked Questions
Everything you need to know about personal data protection and compliance in BiH.
What is the BiH Personal Data Protection Law and when does it take effect?
The BiH Personal Data Protection Law (Official Gazette BiH, No. 12/2025) is a new legal framework regulating the collection, processing, and protection of personal data in Bosnia and Herzegovina. The law is aligned with EU GDPR regulations and applies to all organizations processing personal data of BiH citizens.
Who is required to comply with this law?
All organizations that collect or process personal data — private companies, public institutions, non-profits, sole traders, and freelancers. Regardless of organization size, if you process personal data of employees, clients, or users, you are required to comply.
What is a GAP analysis and why do I need one?
A GAP analysis is an initial assessment that identifies differences between the current state of data protection in your organization and legal requirements. This is the first step toward compliance — without a GAP analysis, you cannot know which measures to take and how much work is needed for full compliance.
Do I need to have a Data Protection Officer (DPO)?
A DPO is mandatory for public authorities, organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organizations processing special categories of data on a large scale. Even if not legally required, appointing a DPO is recommended practice. We offer external DPO services as a practical and cost-effective solution.
What is a DPIA and when is it required?
A DPIA (Data Protection Impact Assessment) is a mandatory risk analysis that must be conducted before initiating processing operations that may result in high risk to the rights and freedoms of individuals. This includes using new technologies, profiling, processing special categories of data, or systematic monitoring of publicly accessible areas.
What are the penalties for non-compliance?
The law provides for significant financial penalties for organizations that fail to meet their data protection obligations. Beyond financial penalties, organizations also face reputational risk, loss of client trust, and potential lawsuits from individuals whose rights have been violated.
How long does the compliance process take?
The duration depends on organization size, data processing complexity, and current compliance status. For smaller organizations, basic measures can be implemented in 4-6 weeks. For medium and larger organizations, full compliance may take 2-4 months. ProAct Consulting offers three packages tailored to different levels of need.
What documentation do I need for compliance?
At minimum, you need: a privacy policy, record of processing activities, procedures for exercising data subject rights, incident response plan, consent forms, data processing agreements with third parties, and internal data protection policies and procedures. ProAct Consulting creates complete documentation tailored to your organization.
Why ProAct Consulting
Trusted partner for data protection
Aligned with the BiH Personal Data Protection Law (Official Gazette BiH, No. 12/2025)