Will the General Data Protection Regulation affect business in the Russian Federation?


The GDPR — General Data Protection Regulation — will come into force in the European Union from May 25, 2018. Companies that deal with processing of personal information of EU citizens within any of the 28 EU countries and beyond the EU will have to comply with the requirements of the document. This regulation will replace the existing laws on protection of personal data in the European Union.

Russian companies established and operating within the European Union also fall within the requirements of the document, since the rules of the GDPR will be applied extraterritorially, and they should already be carrying out data processing in accordance with the new rules. The scope of work depends on the particular company's business processes and can be quite significant.

On the requirements of the GDPR and the consequences of non-compliance with them

The new General Data Protection Regulation (GDPR) introduces a number of changes to the rules governing the protection of personal data, including the following duties:

  • consideration of rules for protection of personal information at the planning stage;
  • documentation of processing procedures;
  • assessment of risks that may affect privacy;
  • sending notifications of incidents that have affected the security of personal data to the competent supervisory authorities.

In case of non-observance of the rules, the supervisory authority in the field of personal data protection may impose a fine in the amount of up to EUR 20,000,000 or up to 4% of the annual turnover of an enterprise. 

What should Russian companies do

The procedure for Russian companies depends on the field of activity, its organization, the architecture of IT systems and other nuances. A company may need to update its policy and obtain permission to transfer data, implement new principles for data protection, and conduct an audit. Implementation of incident management procedures related to data protection may also be required, taking into account the deadlines set by the European Union for reporting to the competent authorities.

To begin with, it is necessary to assess the level of confidentiality and analyze the risks, as well as to identify and create a personal data card in order to be ready for the entry into force of new GDPR requirements. Next, it is necessary to standardize management and processing, as well as develop standards for confidentiality and security management. The principles of the GDPR must be familiar to the staff of a company. Compliance with the rules should be monitored continuously.

Moreover, companies engaged in activities subject to the regulation should evaluate their processes and compliance with the Russian Personal Data Law in force since 2006.

GDPR and the Yarovaya Law

Two draft laws that entered into force in 2016, aimed at protecting Russian citizens from terrorism, require Russian operators of communication networks (cellular operators and Internet providers) to record and store records of messages between all users for at least six months, as well as to provide these data to the authorities at their request. These provisions also expand the powers of Russian law enforcement officers in relation to data monitoring.

Since the Yarovaya law does not provide for exceptions with regard to data relating to foreign citizens, personal information of EU citizens visiting Russia or residing in Russia can become part of the stored messages, will be stored in Russia, and will be provided to the Russian authorities without the consent of the relevant data subjects. Such use and disclosure of information contradicts the provisions of the new rules of the GDPR, since they provide for enhanced protection of EU citizens in the processing of personal data and free movement of these data outside the EU to third countries, including Russia, where adequate measures to protect this data are not available.