Operating under the GDPR: case study, or how to avoid a fine of € 20 million

Expanding internationally gives a business real opportunities for growth, increased capitalization and new solvent customers. However, the global market has plenty of pitfalls and regulatory requirements; ignoring them can cost you not only your profits but also the market itself, along with multi-million fines.


Today we will talk about the main European innovation of recent years, namely the GDPR (General Data Protection Regulation), and how to work with it not at a loss.

GDPR: what is it?

The GDPR, or General Data Protection Regulation, was adopted within the European Union last year and entered into force in May 2018. The document is designed to protect the end user of the Internet from excessive use of personal data by corporations, including the tracking of their browsing history and similar practices.

As you can see, the authors of the document pursue good goals, because none of us likes to have our every action tracked, stored who knows where and used to chase us with spam. Now nobody may use personal information about EU residents without obtaining the user's consent and notifying them of the type of data collected.

However, in practice it has turned out to be a serious obstacle for business, since modern advertising targeting systems, social networks and even search engines can no longer show the target audience suitable content, which reduces conversion and, accordingly, increases advertising costs. Even ordinary business card websites have been affected by the GDPR.

Moreover, using personal data in business without taking the GDPR into account exposes the company to huge fines of up to € 20 million, or 4% of annual turnover. Dozens of firms have already closed or are bogged down in lengthy legal proceedings.

The main problem is that the Internet spans the whole world, and EU citizens can visit any site outside Europe. As a result, the GDPR has hit the entire global web. What will happen to the customer data collected by companies that have already been liquidated is also unclear.

Officially, the GDPR is extraterritorial in scope and applies across the entire planet, not only in the EU, which puts the CIS countries at risk too. 40% of European companies were not ready for the GDPR, to say nothing of Russian business.

[Image: gdpr_eng.png]

How the Russian business should operate under the GDPR: case study from Law&Trust International


Our company helps clients understand the intricacies of the GDPR and protect their business from serious sanctions, up to and including the liquidation of legal entities. Law&Trust International experts have already accumulated enough practice and case studies to offer owners and managers of enterprises a number of important practical recommendations.

For example, a software company turned to us to bring its website into line with the requirements of the GDPR. Their site, like the vast majority of similar Internet resources, collected the following information about users:

  • IP address of the device from which the site was visited;
  • technical characteristics of the device and browser;
  • the user's full name, date of birth and other personal data (in case of registration).

Collecting and storing this information without the user's consent carries serious risk. To avoid fines, our client had to change not only the site settings but also the architecture of its mobile application. Here are the changes it made on our recommendation:

  • all site visitors now see a detailed notification of what personal data (PD) will be collected and for what purpose;
  • before working with the site, the user must read the privacy policy and give consent for the company to use their PD;
  • the company's legal documents were brought into conformity with the norms of the GDPR.

How to conduct an express audit of your business

To avoid fines, we recommend that you contact the experts immediately. If they are out of reach, keep the following important points in mind:

  1. assess the risks of processing personal data soberly;
  2. follow the requirements for processing personal data;
  3. take the GDPR criteria into account when developing software;
  4. always obtain user consent for data processing;
  5. be prepared for the user to change their mind, in which case you will have to delete their data as soon as possible;
  6. always document the collection and processing of PD;
  7. obtain parental consent before processing children's PD;
  8. determine in advance which EU body is responsible for your market segment;
  9. determine how you will communicate with the regulator;
  10. ideally (and in some cases it is mandatory), designate an employee who will control the handling of PD and interact with the regulator.
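The case-study changes above (consent tied to a named purpose before any PD is collected) and items 4 to 6 of the checklist (consent, deletion on withdrawal, documentation) describe a pattern that is easier to audit when it is enforced in code rather than left to a banner. The following is an added illustration written for this article, not code from the client or from Law&Trust International; the purposes, field names, the policy version string and the in-memory store are all assumptions made for the example.

```python
"""Consent-gated collection of personal data with withdrawal, erasure and an
audit trail. Added example for this article; purposes, field names and the
in-memory store are assumptions for illustration, not the client's code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Constructed purposes, each tied to the only data fields it justifies collecting.
PURPOSE_FIELDS = {
    "security_log": {"ip_address"},
    "compatibility": {"device", "browser"},
    "account": {"full_name", "date_of_birth"},
}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


@dataclass
class ConsentRecord:
    user_id: str
    purposes: FrozenSet[str]
    policy_version: str          # version of the privacy policy the user was shown
    granted_at: str
    withdrawn_at: Optional[str] = None


class PersonalDataStore:
    """Stores PD only under a live consent that names the purpose."""

    def __init__(self, policy_version: str):
        self.policy_version = policy_version
        self.consents: Dict[str, ConsentRecord] = {}
        self.records: Dict[str, Dict[str, str]] = {}
        self.audit: List[dict] = []   # item 6: document every collection and deletion

    def _log(self, event: str, user_id: str, **extra) -> None:
        self.audit.append({"at": _now(), "event": event, "user": user_id, **extra})

    def record_consent(self, user_id: str, purposes, policy_version: str) -> None:
        unknown = set(purposes) - PURPOSE_FIELDS.keys()
        if unknown:
            raise ValueError(f"unknown purposes: {sorted(unknown)}")
        self.consents[user_id] = ConsentRecord(
            user_id, frozenset(purposes), policy_version, _now())
        self._log("consent_granted", user_id, purposes=sorted(purposes), policy=policy_version)

    def has_consent(self, user_id: str, purpose: str) -> bool:
        c = self.consents.get(user_id)
        # Consent must be active, cover this purpose and refer to the current
        # policy text; consent given under an older policy version is not reused.
        return (c is not None and c.withdrawn_at is None
                and purpose in c.purposes and c.policy_version == self.policy_version)

    def collect(self, user_id: str, purpose: str, data: Dict[str, str]) -> None:
        if not self.has_consent(user_id, purpose):
            self._log("collection_refused", user_id, purpose=purpose)
            raise PermissionError(f"no valid consent from {user_id} for {purpose}")
        stray = set(data) - PURPOSE_FIELDS[purpose]
        if stray:   # data minimisation: this purpose does not justify these fields
            raise ValueError(f"fields {sorted(stray)} not covered by purpose {purpose}")
        self.records.setdefault(user_id, {}).update(data)
        self._log("collected", user_id, purpose=purpose, fields=sorted(data))

    def withdraw_consent(self, user_id: str) -> int:
        """Item 5: the user changed their mind; erase their PD, return the field count."""
        c = self.consents.get(user_id)
        if c is not None and c.withdrawn_at is None:
            c.withdrawn_at = _now()
        removed = len(self.records.pop(user_id, {}))
        self._log("erased", user_id, fields_removed=removed)
        return removed


def demo() -> dict:
    """Walk one constructed visitor through refusal, consent, collection and erasure."""
    store = PersonalDataStore(policy_version="2018-05")
    refused = False
    try:   # a visitor who has not accepted the policy yet: collection is refused
        store.collect("visitor-1", "security_log", {"ip_address": "203.0.113.7"})
    except PermissionError:
        refused = True
    store.record_consent("visitor-1", {"security_log", "account"}, "2018-05")
    store.collect("visitor-1", "security_log", {"ip_address": "203.0.113.7"})
    store.collect("visitor-1", "account",
                  {"full_name": "A. Example", "date_of_birth": "1990-01-01"})
    held = sorted(store.records["visitor-1"])
    removed = store.withdraw_consent("visitor-1")
    return {"refused_without_consent": refused, "held_fields": held,
            "removed": removed, "still_held": "visitor-1" in store.records,
            "audit_events": [e["event"] for e in store.audit]}


if __name__ == "__main__":
    print(demo())
```

The audit list is what you would hand to a regulator (item 9): every refusal, grant, collection and erasure is timestamped with the purpose and the policy version the user actually saw, and a consent given under an older policy version is deliberately not honoured, so a policy change forces fresh consent rather than silently widening what the old consent covered.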

We urge businesses not to be passive and to respond in good time to changes in the field of personal data protection; otherwise you will face huge fines and even the closure of the company. The sooner you contact us, the more money you will save in the future.

Get a detailed consultation from our specialists on adapting your business to the requirements of the GDPR. We look forward to hearing from you.