GDPR - General Data Protection Regulation
The GDPR (General Data Protection Regulation) enters into force on May 25, 2018. This statutory act is aimed at protecting personal data. It introduces a number of new features and may fully or partially affect businesses in Ukraine that work with EU citizens.
The new legislation replaces the Directive on the Protection of Individuals during the Processing of Personal Data and on the Free Movement of Data.
In this commentary, we will help your company bring its activity in line with the new General Data Protection Regulation (GDPR).
Definitions and terms
GDPR defines the processing of personal data as an operation conducted with personal data automatically or in any other way, including acquisition, record, reception, verification, usage, disclosure, dissemination or any kind of publication, destruction, etc.
The General Data Protection Regulation is a new procedure for processing personal data. What is new is that the GDPR extends not only to EU countries but also has extraterritorial effect: it applies to everyone who falls under the legislation of the European Union. It applies when a company processes the personal data of people who are in the EU, when a Ukrainian company is formed in the EU, or when it has a department there.
Several GDPR terms need to be defined in order to understand who the subjects are:
- A data controller is the entity that determines the purposes and means of the processing of personal data.
- A data processor is a natural or legal person which processes personal data on behalf of the controller.
- Personal data is any information that relates to an individual who can be identified by it.
The Regulation is established only for the protection of the data of those who are in Europe, so it can apply to Ukraine provided that Ukraine fully accedes to the EU, or in the case of processing the personal data of EU users. Moreover, if the services or goods of a company can potentially be used by European users (that is, the site is in English, or the company ships its goods to the EU or processes their data), then such a company must comply with the requirements of the GDPR.
The processing of personal data is considered legal only under the following conditions:
- the person who owns the data has consented to the processing;
- such actions are necessary for the performance of the contract;
- the vital interests of the person are protected;
- processing is necessary to satisfy the needs and in the interests of society;
- processing is necessary for the purposes of the legally protected interests of the controller or a third party, especially if the entity is a child.
Prohibition of processing for a separate data group
In accordance with the regulation, it is prohibited to process any data that can directly or indirectly identify a person, such as biological or genetic code, color of skin, hair, eyes, size of shoes, clothing, physical and mental health, etc.
However, there are a number of exceptions to this prohibition within the legislation, for instance if the data has been publicly disclosed by the person, or if he or she has given separate consent to the processing of such data.
Actions in case of non-compliance with GDPR by one of the parties
In the event of failure to comply with the requirements, the following consequences may apply:
- a warning, if the infringement was committed for the first time and by mistake;
- an investigation of the quality of data protection;
- a fine of up to 10 million euros or up to 2% of the company's annual global turnover (for the previous year);
- a fine of up to 20 million euros or 4% of the enterprise's annual global turnover, whichever is greater.
Information (Data) encryption
The Regulation recommends providing proper protection of confidential information through technical and organizational instruments such as encryption.
The GDPR also uses the term aliasing (in the text of the Regulation, pseudonymisation), which means changing or converting information in such a manner that, in the event of a data breach, it does not allow a person to be identified, fully or partially, without additional information that is kept separately.
Data storage restrictions
One of the principles of the GDPR is the principle of storage limitation: data is kept in a form that allows the identification of data subjects only for as long as is necessary for the purpose of the processing. Confidential information may be stored for longer periods, provided it is processed solely for the purpose of achieving public-interest goals, scientific or historical research goals, or mathematical objectives.
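The aliasing and storage-limitation principles described above can be enforced in code. The following is an added example (not from the original commentary): records are stored under a keyed-hash pseudonym, the key and the re-identification lookup are held apart from the records, expired records are purged after a retention period, and a subject's data can be erased on request. Names, sample e-mails and the 30-day retention period are constructed for illustration.

```python
import hmac
import hashlib
import secrets
from datetime import datetime, timedelta, timezone


class PseudonymisedStore:
    """Stores personal data under pseudonyms and enforces a retention period.
    The HMAC key and the email->token lookup are the only way back to a person;
    in a real deployment they live in a separate, more tightly controlled
    system than the records (assumption: single-process demo here)."""

    def __init__(self, retention_days):
        self.key = secrets.token_bytes(32)          # secret, kept apart from records
        self.retention = timedelta(days=retention_days)
        self.records = {}                           # token -> non-identifying fields
        self.lookup = {}                            # email -> token (re-identification link)

    def token_for(self, email):
        # Keyed hash: a leaked token cannot be matched to an e-mail without the key.
        mac = hmac.new(self.key, email.strip().lower().encode(), hashlib.sha256)
        return mac.hexdigest()[:32]

    def add(self, email, fields, collected_at):
        token = self.token_for(email)
        self.lookup[email.strip().lower()] = token
        self.records[token] = {"fields": dict(fields), "collected_at": collected_at}
        return token

    def purge_expired(self, now):
        # Storage limitation: drop records older than the retention period.
        expired = [t for t, r in self.records.items()
                   if now - r["collected_at"] > self.retention]
        for t in expired:
            del self.records[t]
        self.lookup = {e: t for e, t in self.lookup.items() if t not in expired}
        return len(expired)

    def erase(self, email):
        # Right to be forgotten: remove the record and the link back to the person.
        token = self.lookup.pop(email.strip().lower(), None)
        if token is None:
            return False
        self.records.pop(token, None)
        return True


def demo():
    # Constructed sample data, not taken from any real service.
    store = PseudonymisedStore(retention_days=30)
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store.add("anna@example.org", {"newsletter": True}, t0)
    store.add("bob@example.org", {"newsletter": False}, t0 + timedelta(days=20))
    purged = store.purge_expired(t0 + timedelta(days=40))   # only anna's record expired
    erased = store.erase("bob@example.org")
    return purged, erased, len(store.records)
```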
Data subject rights
- the right to be forgotten (also known as Data Erasure)
The data subject can notify you at any time that he or she wants you to erase all information about him or her, and you will be obliged to do so. However, this does not affect the lawfulness of processing carried out on the basis of consent before it was withdrawn.
- the right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
- the right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her.
- the right to access
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and in which manner.
- the right to restriction of processing
Union or Member State law that applies to a controller or an operator may restrict the scope of their obligations and rights by means of a legislative instrument.
Certification is voluntary; it does not reduce the extent of the responsibility of the controller or operator, nor does it restrict the tasks and powers of supervisory authorities.
Certification is issued to the controller or operator for a period of up to three years; it can be renewed under the same conditions if the relevant requirements are still complied with. Where necessary, the certification shall be withdrawn by the certification bodies specified in Article 43 or by the competent supervisory authority if the certified controller or operator fails to meet the certification requirements or no longer complies with them.
Preparation for GDPR
Three elements of your company need to be brought into compliance in order to prepare for the new Regulation:
- The first includes defined instructions for employees. It also includes the so-called "data card", that is, the procedure for collecting, processing, transferring, storing and deleting personal data. It should be accessible to employees as well as to users, because they need to know what will happen to the data they provide.
- The second is separate from the internal and external elements, but at the same time is connected with them.
- The third includes so-called "hardware" and "software" support, that is, the development of appropriate encryption algorithms, the capabilities of the site and servers, and the creation of appropriate storage bases and services for transferring, removing and processing the information.
Web-site UI design and structure
We have prepared 15 clear points for any company with its own Internet resource, to help it understand how its site should look:
- Verify the amount of data you collect and ask yourself whether you really need it, for instance the client's family status, favorite sport or medical condition.
- It is advisable to encrypt the data you are processing in order to mitigate the consequences of a possible loss of data in the future (see the paragraph about aliasing). There is also the special "end-to-end" procedure.
- Be sure to use HTTPS. It is an elementary kind of data encryption, and it can also be decisive.
- Do not rely on acquiescence: there should be no pre-entered (default) consent.
- Obtain consent in parts. If you need an e-mail address, then you need the user's consent only for the e-mail address. Other data, such as a phone number or location, must be obtained under a separate agreement.
- Be sure to list, in the "consent form", all the third parties that you currently transfer data to or plan to in the future.
- Separate the "consent form" for data processing from other forms of consent. No more piling up plenty of text!
- Make sure users see your "consent form" and do not have to search for it.
- Allow users to withdraw their consent easily.
- Avoid security questions that can be related to personal data. No more maiden names, your first cat's name and so on. This is prohibited by the new Regulation.
- If you use any information related to an IP address, you are obliged to alert users about this and inform them of the duration and manner of storing the information.
- If you use "payment forms", then after the payment is made you must delete the payment details and all information related to it.
- If you track user behavior on your site in order to make the user the best offers, you have to obtain consent for these actions.
- If the user stops using the service, delete his or her data. User data is the user's own property.
Company preparation for the Regulation
To start with, you need to create a so-called "card" of personal data.
- The "card" should state where the data is collected (account authorization, collection and manual entry, automatic data acquisition on the Internet, etc.).
- It should be clear from the "card" where the data comes from, who interacts with it, how it is processed, and by whom and how it can be transmitted.
- It should also state which information is collected and for how long it will be processed and stored.
- It should also note in which cases data is transferred to third parties.
Actions after analysis and risk assessment
It is necessary to find a suitable specialist, to develop instructions for employees on handling data storage and processing systems, and to conclude the relevant contracts with partners on the processing of personal data.
In fact, it is very important to understand that if one of your partners loses data, data confidentiality will be violated and you will no longer comply with the requirements of the GDPR, because the chain of information transmission and its protection has been broken, that is, there has been a data leak.
The purposes of the Regulation include upgrading data "security" and data processing methods as well as improving the collection of such information. That is, there should no longer be any "acquiescence" or "consent to everything". An appropriate, specific agreement should cover all information entered by the person.
We consider that an important novelty of the Regulation is the introduction of the concepts of controller, operator and data protection officer, who have to create the conditions for technical and organizational support that will guarantee compliance with data subject rights.
Having analyzed the introduction of the GDPR, we have come to the conclusion that the Regulation will create a solid legal basis for the protection of the personal data of EU citizens regardless of where they are, and consequently such protection will have an impact on the world information security system. If we study the issue in relation to Ukraine and Ukrainian organizations, we can affirm that the introduction of the Regulation will undoubtedly provide stability and create a new platform and a favorable climate for conducting business that involves cooperation with foreign citizens.