Key facts about the GDPR

About two months ago, it was the first time the maximum penalty for non-compliance with the European Regulation on Personal Data Protection (GDPR) was applied. It was Google that was fined and the fine made as much as 50 million Euros. At least, the watchdog from France represented by CNIL (the National Data Protection Commission) has shown that it will not let anyone break the laws. In this connection, the topic of GDPR compliance seems to be worth raising once again. Indeed, it is really important to comply with legislation, also the international one. And large fines are not the only reason for that.

What is the GDPR? Why should it be followed?

In May 2018, the GDPR, an updated set of rules for the data protection of individuals in the European Union, came into force. All companies offering of goods / services to data subjects in the European Union are required to comply with the regulation, and implementation of the law has a reasonable purpose: in the age of digital technologies, personal data of individuals need protection more than ever. However, a matter of concern to many is to what extent does the regulation apply (if at all) to Russian companies?

Over the last year, there have been published quite a few articles about the new EU law and the relation of Russian companies to it. You can easily summon the almighty Google to find the answer to your question. Nevertheless, the most appropriate approach to the study of any new law or regulation is to refer to its text. A rather user-friendly version of the text is provided by this unofficial website https://gdpr-info.eu/

You can study the full text of the law if you haven’t done it yet, but for now we’ll consider only what can be applied to a company from Russia. The most important in principle is in the first chapter. It quite profoundly explains who and to what extent the GDPR applies to and, as well as contains the definitions used in the law.

Article 3 states when the processing of personal data of data subjects who are in the Union applies to the regulation. These include offering (also for free) of goods or services to such data subjects in the European Union, or monitoring the behaviour of such data subjects, if these activities occur within the EU countries.

We can find out how the GDPR defines a data subject and personal data at the very beginning of Article 4.

«Personal data’ means any information relating to an identified or identifiable natural person («data subject») ; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.» Article 4 (1)

Here we can make an unambiguous conclusion: if your company sells goods / services to individuals located in the EU, or monitors their behavior (for example, using web analytics tools), then it certainly needs to become GDPR-compliant.

For a company that is not established in any of the EU countries, it will also be important to pay attention to Recital 24 of the Regulation. After reading it you have no doubt that a Russian company must indeed comply with the GDPR.

«The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behaviour of such data subjects in so far as their behaviour takes place within the Union.»

Which roughly means the following: even if your company is not physically located in the EU, but somehow processes the personal data of the individuals who are in the EU, the GDPR applies to you.

What actions should be taken to comply with the GDPR?

Since the purpose of the GDPR is to protect personal data, its key principles are seen as logical – lawfulness, fairness and transparency, data collection only for specified purposes, accuracy, data storage no longer than necessary, and, last but not least, security.

It is mandatory to obtain the consent of the data subject to process his personal data. Moreover, this concent should be clearly expressed, and should also be easily given by the user, as well as easily withdrawn. The user, giving their consent, must understand for what purpose their data will be used.

To bring the company in line with the GDPR, you have to firstly determine what kind of data you collect as well as what for and how you are going to use it in the future, whether you are going to store it or not, how you are going to erase it. You should refuse to collect redundant data, and also set the retention period no longer than necessary for each of the processing purposes.

The entire procedure of processing personal data should be communicated to the user as accurately and clearly as possible. A description of all the procedures and processing purposes can be included in the Privacy Policy of your company (you do have it, don’t you?), otherwise you can create a separate policy for personal data processing. This document is also to say that the user has the right to withdraw their consent subsequently and they have the right to demand the erasure of the provided data. And you need to specify precise storage periods for each purpose.

Naturally, all website policies should be conveniently located so that the data subject could easily access and read them at any time.

Also, cookies files deserve special attention. This is because they, like the IP address, can identify the user. So, from the GDPR perspective, such data should be considered personal. However, this is not about all cookies. The user can be identified only by the cookies used for analytics, advertising or functional services (for example, chat bots).

Most likely, your website is using one or several tools mentioned above, which means you need to take care of getting the user’s consent. In most cases, the “soft opt-in” model can be considered the best option: when a user first visits the website, they should be given an opportunity to make an action before the cookie collection starts. A warning as follows will suffice: “This website uses cookies. If you continue to browse the website, you consent our use of cookies.“

In the light of the GDPR, it is clear that email marketing, including sending newsletters or sharing some facts about the company, can only be made to those who wish to receive them.

Most often, user email addresses for newsletters are collected through a contact form. It’s exactly this form on your website that needs to be modified so as not to offend the Europeans and their data. Do not forget about the fundamentals of the GDPR – the consent of the personal data subject.

So, user consent must be obtained in the form of an explicit action of the data subject. It is important that the consent boxes should not be pre-ticked by default. By the way, among other claims, Google was fined exactly for pre-ticked concent boxes by default.

Don’t be like Google. Pre-ticked checkboxes shouldn’t be your choice.

So what should the contact form on the website look like? If you use client data only to clarify the details of a project or an order, you will most likely only need their name and phone number or email. All these data jointly are personal, therefore, obtaining consent to data processing is mandatory. You need to give the user the opportunity to tick the box with the text “I agree to the personal data processing,” as well as to familiarize themselves with the text of your company’s personal data processing policy.

If you plan to add the client’s email you received to your marketing mailings database, you need a separate check-box. The text might look like this: “I want to receive information and news from Sereneco.” Naturally, you cannot force the client to subscribe to your newsletter.