Viacheslav Ustimenko – LAWBOOT Lawyers and Consulting, CEO
What is GDPR (General Data Protection Regulation)?
Two years ago the European Union decided to admit the new law on personal data protection of their citizens.
The GDPR – is the new European regulation on personal data protection with extra-territory validity, applying to all the companies around the world that process the personal data of the European citizens.
The personal data – is any kind of information, relating to the private person, using which we can identify the person.
It may include the name, location data, on-line identifier or some of the factors of physiological, genetic, economic, cultural or social identity (Art. 4 GDPR).
There are two sides of this Law:
🔹 Data Controller – the person, who collects data and decides whose personal data will be processed and how.
🔹 Data Processor – the person, who does not collect data, but processes them on behalf of the Controller.
The Law comes into force on May 25, 2018. For not adhering it, the fine amounts to 20 million Euro or 4% of the annual company profit.
SECTION B2B: contragents may refuse to cooperate with you;
SECTION B2C: the risk of losing trust from EU citizens.
The company should adhere the following requirements:
all the rights of the data subject (in this article it means only the private people from the EU, or the companies registered in the EU):
to know all his personal information, that is used by the company;
to delete this information;
the right to be forgotten;
the right to data portability;
agreement on data processing;
collection, storing and exploitation only of the necessary data.
How one can know about the GDPR violation?
- A complaint;
- inspections by local authorities.
GDPR compliance – is the whole complex, it is not clear whether it is law or technical requirement, in other words, it is the law-technical compliance. The lawyer of the company, according to his obligations, should:
hold audit inspection, create data flow and risk register;
give recommendations to the technical department;
develop the documents for the site and consent forms;
revise all the contracts, include the clauses about GDPR compliance;
track all the alternations, investigate local regulations.
💡 The list of the “must have” documents for the Data Controller to upload on a web-site:
- Controllers’ data protection policy – a completely new document of 2018;
- Controllers’ privacy notice – a short document telling the customer about your work;
- Contracts with any data processors;
- Data Breach Notifications templates;
- Payment Policy (in case you have any payments);
- Data Retention Policy (if the data is stored);
- International data transfers Policy (if the data is transferred);
- Consent Forms and Checkboxes;
- the buttons Delete Account, Restrict Processing Mode (the user information ceases to be public), Export Personal Data.
The list of the “must have” documents for the Data Processor to upload on a web-site:
- Data protection policy;
- Contracts with any data controllers or sub-processors;
- Data Breach Notifications templates (addressing a data subject, a controller, a regulator).
Appointment of a Chief Data Officer is required by this Law, in case a Controller or a Processor is not registered within the EU (Art. 27 GDPR).
After fulfillment of all the requirements, within 72 hours you should be able to detect, to report and to investigate the Data Breach.