What you need to know about GDPR
In April, the European Parliament adopted the norms of the General Data Protection Regulation (GDPR). Companies doing business in the EU countries and processing personal data of their citizens must meet the relevant requirements by May 25, 2018. The requirements have been agreed upon by all 28 EU countries, which means that companies must comply with unified standards within the EU that are exceptionally high, and most companies will need significant investments to implement the necessary measures. (This also applies to many Russian companies, which may not even be aware of it: for example, a domestic online store visited by an EU citizen becomes the “operator” of that customer's data and must therefore process, store and protect it accordingly. Editor's note.)
The GDPR contains 99 articles that define the requirements, the rights granted to EU citizens, the operations and structure of the regulation, and the penalties. Several of these articles will have the most significant impact on business.
ARTICLE 5. PROCESSING AND STORAGE OF PERSONAL DATA
All personal data must be processed transparently, in accordance with applicable laws and for the purposes determined by their owners. Data can be stored “in a form that allows the identification of the subject for no longer than is necessary for the purposes for which the personal data is processed.” All personal data must be processed in accordance with the requirements for security and protection against unauthorized access, loss, and damage, using appropriate technical and organizational means. These means are not prescribed by the regulation, but if the data is lost or stolen, the company can be accused of non-compliance with regulatory requirements.
ARTICLES 6, 7, 8. CONSENT
The processing of personal data must be carried out in accordance with the requirements of legislation; each individual must consent to the use of his or her personal data. The data collected should be limited to what is needed to perform tasks or transactions initiated by the individual. Requests from state authorities are an exception.
ARTICLE 15. THE RIGHT OF ACCESS
Citizens of the countries of the European Union have the right to know what personal data a company stores about them and how it is used.
ARTICLE 17. RIGHT TO PROTECT AND DESTROY THE DATA
Citizens of the countries of the European Union have the right to demand that the processing of their personal data be stopped and the data removed upon first request.
ARTICLE 20. THE RIGHT TO TRANSFER THE DATA
Citizens of the countries of the European Union have the right to transfer their personal data from one company to another on request.
ARTICLES 25, 32. PROTECTION OF DATA
Companies must provide citizens of the countries of the European Union with a reasonable level of data protection and confidentiality.
ARTICLE 35. EVALUATION OF EXPOSURE
Companies should carry out a data protection impact assessment to identify the risks that their processing poses to citizens of the countries of the European Union. The assessment should indicate how the company intends to manage these risks.
ARTICLES 37, 38, 39. RESPONSIBLE FOR PROTECTION OF DATA
In some companies, it is necessary to establish the position of a data protection officer who will monitor the implementation of the security strategy and compliance with the GDPR. Such an officer must be appointed if the company processes or stores large amounts of data on EU citizens, processes or stores special categories of personal data, regularly monitors data subjects, or is itself a public authority.
ARTICLE 83. PENALTY SANCTIONS
A company may be fined up to €20 million or 4% of its global annual turnover, whichever is greater.