
In May 2018, the updated rules for the processing of personal data established by the General Data Protection Regulation (EU Regulation 2016/679 of April 27, 2016, the GDPR) come into force in Europe.
All companies that process the personal data of citizens of European countries, whether inside or outside the EU, are required to comply with the requirements of this document. The new GDPR rules apply to all 28 EU countries, and the Regulation will replace the existing personal data protection laws of the European countries. Since the GDPR applies extraterritorially, compliance will be mandatory for Russian companies with a presence in the EU, that is, for any Russian business that collects and processes the personal data of at least one citizen of an EU member state.
According to Alexander Bodrik, a certified specialist in managing the information security of corporate and cloud landscapes, the GDPR contains a significant number of requirements; for example, ensuring the portability of all personal data (data portability) alone could cost billions of dollars across the country. It might seem that Russian business has an alternative, namely simply not offering its services to EU citizens, but at least two classes of Russian companies will certainly fall under the GDPR:
- energy and financial giants with offices in Europe;
- Internet companies, since the GDPR extends to monitoring the activity of EU citizens, which means that the ordinary use of cookies by advertising networks already brings Russia's Internet industry under the GDPR.
To illustrate the scale of the GDPR risk, Alexander makes a rough estimate of the potential losses for the ten largest companies in the Russian economy that are likely to fall under the GDPR: Yandex (Internet company), Alfa Bank (investment banking assets in Europe), Gazprom (gas stations in Eastern Europe), Sberbank (Sberbank Europe bank holding), VTB (banks in Eastern Europe), Lukoil (assets in Eastern Europe), Rosneft (assets in Europe), Russian Railways (representative office in Europe and online ticket sales), Aeroflot (representative office in Europe and online ticket sales), InterRAO (assets in Europe). According to the RBC 500 rating, their total revenue reached 20.145 trillion rubles, so their total GDPR risk amounts to 806 billion rubles.
“The GDPR rules will specifically affect those who work in one way or another with the countries of Europe. These are financial companies, technology, media and telecom companies, pharmaceutical, transport, online stores,” said Timur Aitov, deputy general director of the Software Product Group and deputy chairman of the subcommittee on payments and information security of the RF CCI.
“For example, the “Plato” system, in which about 2 million personal accounts are registered, immediately falls under the GDPR. Those who intend to provide their goods and services in the countries of the European Economic Area will also be in focus: they use European languages to describe them, conduct significant (aggressive) marketing in the EEA, monitor the behavior of Europeans, analyze it to prepare forecasts and identify preferences, etc.”
GDPR text and official clarifications
- The official text in 24 European languages, including English, but not Russian (link)
- Short description (link)
- Questions and answers (link)
- Infographics / brief description from the European Commission (link)
- EU data protection authorities (link)
- European Data Protection Supervisor (link)
- List of countries providing an adequate level of data protection (link)
For a detailed study of this issue, we recommend the document "Analysis of the possible consequences and the impact of the General Data Protection Regulation (GDPR) of the European Union on the business of Russian personal data operators (telecommunications companies, Internet companies) providing services via the Internet for persons in EU countries in the context of current and effective regulations in the Russian Federation" from the Institute for Internet Research. A useful feature is that the document can be studied in the original alongside a Russian translation, prepared by M. B. Kasenova, Doctor of Law, Professor at the Diplomatic Academy of the Ministry of Foreign Affairs of the Russian Federation and Head of the Department of Private International Law.
There is also a statement from Roskomnadzor, which I quote:
“The Advisory Council under the Authorized Body for the Protection of the Rights of Personal Data Subjects in 2018 plans to submit proposals on the legal status of “impersonal” data, as well as on possible adjustment of personal data legislation in the context of the implementation of the Digital Economy program.
The relevant decisions were taken by the Council at the last meeting in 2017, held in Roskomnadzor.
During the meeting, the members of the Advisory Board discussed the new requirements of the European Union, enshrined in the General Data Protection Regulation (GDPR), which establishes the procedure for processing personal data. In November, at the VIII International Conference “Personal Data Protection”, the head of Roskomnadzor, Alexander Zharov, noted that the requirements of the European Union Personal Data Protection Regulations would not apply to Russian operators operating in Russia, since the Russian Federation is not a party to international treaties with the EU. They are subject only to Russian laws in this area in accordance with generally accepted international principles for the processing of personal data.”
GDPR requirements and consequences of non-compliance
The new pan-European personal data regulation (General Data Protection Regulation) introduces a number of changes to the rules governing the protection of personal data, including the following obligations:
- take the rules for the protection of personal data into account at the planning stage (for example, of IT solutions);
- document the processing of personal data;
- assess the risks to privacy;
- notify the supervisory authorities for personal data protection of incidents affecting the security of personal data.
The general approach to the processing of personal data is formulated as 6 basic principles:
- Lawfulness, fairness and transparency. Personal data must be processed lawfully, fairly and transparently. Any information about the purposes, methods and scope of personal data processing should be stated as accessibly and simply as possible.
- Purpose limitation. Data must be collected and used exclusively for the purposes stated by the company (online service).
- Data minimisation. Personal data may not be collected in a larger volume than is necessary for the purposes of processing.
- Accuracy. Inaccurate personal data must be deleted or corrected (at the request of the user).
- Storage limitation. Personal data should be stored in a form that allows data subjects to be identified for no longer than is necessary for the purposes of processing.
- Integrity and confidentiality. When processing user data, companies are obliged to protect personal data from unauthorized or unlawful processing, destruction and damage.
Failure to comply with the requirements of the new GDPR regulation may result in the supervisory authority for personal data protection imposing a fine of up to €20 million, or up to 4% of the company's annual turnover. The fine is not applied automatically: it must be effective, proportionate and dissuasive, and may be imposed in addition to or instead of other measures.

The requirements of the current Russian legislation, in the context of possible conflicts with the rules of the GDPR Regulations
It seems premature to analyze possible conflicts between the requirements of current Russian legislation and the rules of the GDPR. This is primarily because the WP29 Working Group is expected to adopt a number of explanatory and policy documents on the application of the GDPR. Secondly, despite the direct effect of the GDPR in the EU member states, the member states are obliged to adapt their national law to the requirements of the GDPR, including its “transitional provisions”. Thirdly, after May 2018, national enforcement (judicial, administrative) practice will begin to take shape. In addition, because the GDPR rules will be applied directly by the European Court of Justice, after May 2018 the practice of that Court will also begin to take shape.
In current Russian legislation, relations in the field of personal data are governed by the Federal Law “On Personal Data” No. 152-FZ of July 27, 2006, as amended by Federal Law No. 242-FZ (2015) (hereinafter the “Federal Law on Personal Data”). In this regard, it is worth noting that the GDPR and the Russian Federal Law on Personal Data differ in their territorial, personal and temporal scope of application.
Generally, it can be said that the GDPR and the Russian legislation governing personal data have independent territorial and “jurisdictional” scopes of application; at the same time, a certain commonality of regulatory approaches does not provide grounds to speak of their “harmonization”.
In practical terms, for Russian companies whose personal data activities target users in the European Union and that have contractual obligations with counterparties in the European Union, this means a “double burden”.
What approach do experts recommend?
Since the practice of aligning the processing and storage of personal data with the requirements of the GDPR is at an initial stage, we recommend first resolving compliance with the requirements of Russian legislation on PD processing and storage (152-FZ and 242-FZ). Russian law allows the operator to engage a person who processes PD on its behalf. The European legislator likewise distinguishes between a data controller and a data processor. Therefore, under the GDPR, the cloud where personal data is stored will be the data processor, and the PD operator will be the controller.
Once everything required by 152-FZ and 242-FZ in the field of personal data protection has been done, you should begin the process of adapting to the GDPR standards.
“For a start, it is helpful for the CIO to write a colorful “scary story” and send it to management,” recommends Aitov. Adaptation to the GDPR standards is a huge, long-term effort that will fall on IT services, information security and corporate lawyers.
Europeans do not intend to retreat from enforcing the GDPR standards, and the huge fines are no coincidence. The situation in the world is not simple: GDPR grounds can also be used to “punish” large domestic businesses; competition has not gone anywhere. However, trouble can arise for a company of any size.
Useful links and sources:
- https://internetinstitute.ru
- rkn.gov.ru
- https://www.pwc.ru
- https://habrahabr.ru