On May 25, the GDPR came into force. How does this affect you?
In 2016, the European Union decided to unify its standards for the protection of personal data, to strengthen EU citizens' control over who processes their personal data, why and how, and to expand the list of what can be considered personal data (PD).
This is how the General Data Protection Regulation (GDPR) came about. It did not take effect immediately: businesses were given two years to prepare for implementing and complying with the norms of the law, for example by changing the company's internal policies, privacy policies and user agreements. It was also necessary to instruct staff on how to collect and store personal data legally and safely.
Who is at stake
The law distinguishes three categories of "victims".
The first includes organizations established directly in the EU that collect personal data from Europeans. Everything is simple here: companies established in the EU (regardless of where their office is actually located) that collect the personal data of EU citizens are required to comply with the GDPR. Which Ukrainians fall into this category? Those who have established a business in one of the countries of the European Union. I'm sure there are a lot of such people.
The second category is organizations that sell goods and services to EU citizens. The business may not be established in the EU, but it serves European citizens. Surely many readers own, say, an online store. If a client is an EU citizen, your company must comply with the GDPR. This also covers online services that accept payment in euros, support one of the official languages of the European Union or use the domain of an EU member state.
The third category is organizations that monitor the behavior of EU citizens. These are data centers that study preferences in order to select potential buyers.
So, if your business:
- launches targeted ads;
- sells goods and services to EU citizens;
- accepts payment in euros;
- monitors the preferences of potential buyers from the EU;
- is registered in one of the jurisdictions of the European Union.
In all these cases, your direct duty is to comply with the GDPR.
How it works
For citizens, this means greater protection of their personal data. For online platforms, it means increased responsibility for the illegal processing of data or for processing without the consent of citizens.
Consent in this case is the very checkbox the user ticks when giving permission to process the data. There is one "but": general consent is no longer enough. From now on, the platform owner must obtain the person's consent for each purpose of data collection and processing. If a person changes their mind, they have the right to withdraw such consent, and in that case their data must be removed from the system. The GDPR also establishes the person's right to request information about who collects their personal data, for what purpose, for how long and how.
The GDPR also introduced a new subject of personal data protection: the so-called data processors. Previously, only data controllers were covered by the law, that is, organizations that decide what data can be collected and for what purpose. These are website owners, data centers, and organizations involved in collecting and analyzing information.
Now, not only management but also the technical specialists who directly collect and store personal data will be held accountable for violating the law. In other words, these are business employees: the IT department, the accounting department, the HR department, etc. That is why it is important not only to instruct employees, but also to make sure that the data they collect is processed legally and reliably.
We are sure you've heard of the scandal surrounding Cambridge Analytica. This private British company collected user data, analyzed it and passed it on for use in election campaigns. The users' data was collected illegally (that is, without their consent) and used for the election campaign of Donald Trump. In other words, Cambridge Analytica analyzed the behavior and preferences of citizens and identified potential voters for the US president.
Facebook asked Cambridge Analytica to remove the information. By ignoring the demand (or rather, lying about the deletion), the company, together with Facebook, which allowed such a test to be placed on its platform, violated the law and the right to protection of personal data. Subsequently, Mark Zuckerberg reported to both chambers of the American Parliament and to the European Parliament, promising to tighten the rules for collecting user data.
The example shows how important it is for foreign online services to comply with EU law. In fact, the world's largest social network became a victim of its own negligence. Now you should not allow yourself such an error.
The new law provides for sanctions in two categories of fines.
For violating the basic principles of international transfer of personal data or the orders of the national regulators of EU member states, the fine is 20 million euros or 4% of the company's global turnover. Unfortunately, this means the violator pays whichever of the two amounts turns out to be higher.
For more "minor" violations, the sanctions are lighter: 10 million euros or 2% of global turnover. This has to be paid, for example, for failing to obtain consent for processing children's personal data (for persons under 13, such consent is given by their parents), for failing to take measures to protect data, or for failing to appoint a so-called DPO in the EU. The data protection officer is an EU citizen who must represent your organization in the European Union and act as the link between the business and EU supervisory bodies. Appointing one is a mandatory condition of the law.
Your Ardas Team