Time is running low: GDPR is on its way
Published on March 27, 2018

by Anastasiya Kazakova
CEO Projects Coordinator
Coming into effect May 25, 2018, this European Union law on personal data protection is a game changer for local and transnational enterprises.
Non-compliance in the area of personal data protection shall be punished with a fine of up to 20 million euros or four percent of the company's global revenue, whichever is greater (the size of penalty is left to the discretion of the court in each individual case). In addition, each EU country is authorized to introduce additional sanctions. Germany, for one, has already ratified a more drastic penal measure – a prison sentence of up to three years; in Austria, the prison sentence is up to a year. Coupled with risks of reputational damage and having to pay potential damages to individuals, the new regulation substantially changes the way businesses must process and protect personal data.
How does it concern business?
The GDPR is unprecedented because all companies (both within the EU and outside it) that process the personal data of EU citizens or any individuals located in the EU, regardless of their nationality and place of residence, will have to comply with it.
Let us try to figure out how the new law concerns businesses. We will focus on two crucial points:
- the scope of GDPR application;
- the definition of "personal data" and its "processing."
As for the first point, the GDPR applies:
#1 |
to all companies that render services to EU citizens and process their personal data, regardless of where the company is registered, whether it has a presence in the EU, or where the processing occurs. Example: an EU citizen in Athens buys books online from the US ebay.com |
#2 |
to EU legal entities processing the personal data of their employees who work outside the EU. The DHL company (Germany) processes the data of its Moscow office employees. |
#3 |
when a user is located in the EU (including non-EU citizens) and his or her personal data is processed in the EU as well. A Georgian citizen rents a car in Spain from a local supplier. |
#4 |
when a user is located in the EU (including non-EU citizens) and his or her personal data is processed remotely by a company that does not have a EU presence but offers goods and services to EU-based users. A Russian citizen logs on to his Vkontakte account from Paris. |
#5 |
to state institutions and agencies, with the exception of cases when personal data is processed as part of a state security or public order protection operation. Migration service officers in one of the 27 EU countries process the personal data of European citizens for the issuance of passports. |
The GDPR significantly broadens the concept of "personal data" to include any information that can help identify the user directly or indirectly (name, usernames, emails, and even Internet cookies!). Moreover, a special subcategory has been defined – sensitive personal data, which includes biometric data, information on race, ethnicity, religious beliefs, philosophical convictions, appurtenance to trade unions or other non-profit organizations, and the person's health and sexual orientation. The processing of such data will be regulated by even stricter rules.
At the same time, personal data processing is comprised of a wide range of operations (both automatic and manual). The list includes, but is not limited to data collection, recording, managing, structuring, storage, adaptation or alteration, extraction, use, disclosure by transfer to a third party, distribution, removal, and deletion.
What obligations does the law stipulate?
The problem with the GDPR is that it does not only specify new organizational measures, but often requires profound changes of IT infrastructure. You can read more about it further below.
Organizational measures:
|
Legal requirements |
1 |
Personal data may be processed on a number of conditions. One of them is unambiguous, explicitly expressed consent of the user. Requesting the user's consent, the controller shall clearly state the purpose of data processing and inform the user of his or her right to withdraw consent at any time or to demand that the controller delete the data (the newly-added "right to be forgotten"). |
2 |
Controllers shall render the stages of personal data processing transparent: according to the GDPR, companies are obliged to provide information on data processing and its transfer to third parties at the request of the users or authorized agencies. Moreover, personal data must be presented in a structured format for easy copying ("the right to data portability"). |
3 |
Companies (if their core activities require regular and systematic monitoring of the data subjects on a large scale, or if they process sensitive data) shall appoint a Data Protection Officer (DPO) – a competent employee whose responsibilities include ensuring compliance with the requirements of the law, interpreting its clauses, and offering timely legal guidance. A DPO can cover legal compliance either within one state or within the entire EU. In the event of a data leakage, collectors shall notify the relevant authority and/or the user, within 72 hours. At the company's request, the DPO informs it about the current requirements of the law and offers consulting on legal compliance. At the same time, the company itself shall be held fully responsible for personal data protection, regardless of the DPO's consultations. If the DPO provides misleading information, the company may start a legal action and demand that the DPO compensate the losses. However, the company shall bear full responsibility for violations of the GDPR. |
Technical measures:
The GDPR obliges companies to increase data processing security and to introduce special data protection policies that are based on two principles, Privacy by Design and Privacy by Default. That is, companies have to incorporate data protection mechanisms in their IT infrastructures.
For example, the law points out the necessity of:
- pseudonymization and encryption of personal data;
- engagement of mechanisms to ensure confidentiality, integrity, availability, and resilience of data processing systems;
- safeguards to ensure the ability of the systems to restore access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regular testing, assessment, and evaluation of effectiveness of technical and organizational measures for ensuring the security of personal data processing.
It goes without saying that the authors of the GDPR have been motivated by beneficial goals in their ambition to achieve the highest possible level of personal data protection. However, from the practical point of view, the implementation of all the legal requirements poses many questions: new organizational and technical measures are costly and time-consuming; as a result, many companies, especially start-ups and SMBs, may have difficulty with compliance and implementation.
In essence, users will not feel much difference: according to the new law, their personal data will be recategorized and companies will have to request an explicit confirmation of the user's age before asking him or her to sign personal data processing agreements. Users will have to express their consent explicitly by checking a box and the scope of submitted statistics will have to correlate with the purposes that have initially been approved by the user.
Time is running low: GDPR is on its way
Kaspersky