What we need to know about EU Data Protection Regulation (GDPR)

2 July 2020
On May 25, 2018, the General Data Protection Regulation of the European Union (EU) entered into force. The regulation introduces new principles such as the accountability of data processing organizations, data portability, the obligation to report data breaches, and more. This will make it easier for data processing organizations to operate in the EU and to follow uniform data processing rules. It is important to note that the regulation applies not only to organizations registered in the EU, but also to organizations registered outside the EU that process the data of EU individuals. Since the sanctions for violating the regulation are substantial, it is important for organizations to know what their obligations are and how to ensure compliance with the rules governing their activities.

1. To whom the regulation applies

The EU General Data Protection Regulation applies to any organization registered in the EU that processes personal data as part of its activities, and to organizations registered outside the EU that:

  • Process the data of persons on the territory of the European Union in order to provide services or products to them, regardless of whether the service or product is paid;
  • Monitor the behavior of individuals on the territory of the European Union.

In assessing whether the regulation applies, the following factors should be considered: whether the organization has a website in any official language of the European Union, whether the prices of products / services are set in an EU currency, whether the organization offers customer service in EU member states, and so on. Tracking the online actions of individuals on EU territory in order to assess their interests and attitudes counts as monitoring behavior; for example, if a developer uses the data collected by an application it created for targeted marketing, it may be subject to the regulation. If the regulation applies to an organization registered outside the EU, that organization must appoint a representative in the EU.

Exempted from the obligation to appoint a representative are:

  • Public agencies;
  • Organizations that process the personal data of individuals in the EU only occasionally, do not process large amounts of data of a particular category, and whose processing is unlikely to jeopardize the rights of individuals.

2. Principles of data processing

Organizations must process the data in accordance with the following principles:

  • Data must be processed lawfully and fairly, and information about the processing should be readily available to the individual;
  • Data should only be collected for specific, clearly defined, lawful purposes;
  • Data should be processed only to the extent necessary to achieve the specific lawful purpose;
  • Data must be accurate and, where necessary, kept up to date;
  • Once the purpose for which the data is processed has been achieved, the data must not be kept in a form that identifies the person;
  • When processing data, its security and protection from unauthorized or unlawful processing, accidental loss, destruction and damage must be ensured.

To comply with the principles of the regulation, the following measures are recommended:

  • Developing a data protection / information security policy;
  • Keeping records of personal data, the grounds for processing, and the operations performed on the data;
  • Informing / training the employees involved in data processing;
  • Retaining documents related to data processing (for example, a person's written consent to data processing) for a specified period of time;
  • Assessing the risks related to data processing;
  • Determining data retention periods and the relevant procedures;
  • Developing a code of conduct, or joining a code of conduct already approved in the field of activity;
  • Voluntary certification.

3. Grounds for data processing

Under the new regulation, data processing is lawful if it is carried out on one of the following grounds:

  • The person has consented to the processing of his / her data for one or more specific purposes;
  • Processing is necessary to perform a contract with the person, or to prepare a contract at his / her request;
  • Processing is necessary for the organization to perform its legal obligations;
  • Processing is necessary to protect a person's vital interests;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the organization;
  • Processing is necessary to protect the legitimate interests of the organization or a third party.

4. Consent

Consent is one of the most common grounds for data processing. The regulation sets out the specific requirements that an organization must comply with when obtaining consent from a person:

  • Consent must be voluntary, informed and clearly expressed;
  • Before expressing consent, the person must be provided with comprehensive information on the data processing in understandable language;
  • The person must consent by an active action; silence, inaction, or pre-ticked boxes will not be considered consent;
  • Consent must be given to the processing of data for specific purposes;
  • If the data is to be processed for more than one purpose, the person must consent to the processing of the data for each purpose;
  • The terms of consent in documents must be separated from other text and formulated in simple and understandable language;
  • A person has the right to withdraw consent at any time. Withdrawing consent should be as simple as giving it, and the person must be informed of this right in advance;
  • When providing services electronically to minors under the age of 16, consent is given by a parent or legal representative.

5. Rights of the person

The regulation strengthens the rights of the individual, defines new capabilities for the data subject, and imposes corresponding obligations on data processing organizations.

Right to access data

  • The organization has an obligation to inform the person whether it is processing data about him / her;
  • Upon request, the person must be told the purposes of the processing, the categories of data processed, the data retention period, and so on;
  • The first time information is requested, a copy of the data must be provided to the person free of charge. For repeated requests for information / documents, the organization may charge a reasonable fee.

The right to delete data

The organization is required to delete data if, for example:

  • The data is no longer needed to achieve the purpose for which it was collected or processed;
  • The processing was unlawful;
  • The person withdraws consent to the processing of the data.

The right to block data

  • The regulation obliges organizations to block data in several cases. For example, if a person asks for data to be corrected, the organization must block the data until the question of its accuracy / authenticity is resolved. Also, if a person requests that processing be stopped, the organization must block the data until it is established whether a legitimate interest in the processing exists. The organization must also block the data if the processing is found to be unlawful but the person does not want the data deleted;
  • If the data has been transferred to third parties, the organization must notify all recipients of the data that it has been blocked, where this is possible and does not require disproportionate effort.

The right to port data

A person has the right to receive the data he / she provided to the organization in a structured, electronic form and to hand it over to another organization when:

  • The data is processed on the basis of the person's consent or a contractual obligation;
  • The data is processed by automated means;
  • Where technically possible, the person may request that the organization transfer his / her personal data directly to another organization.

6. Consideration of data protection standards in the process of creating a new product or service ("Privacy by Design") and data protection as a first parameter ("Privacy by Default")

Taking into account the category and volume of data, the purposes and grounds of processing, the technical means and the risks, organizations are obliged to take the necessary technical and organizational measures for data protection already at the stage of determining the means of processing. These measures (e.g., pseudonymization) should be built directly into the processing tools as they are created, such as a software application.

Organizations are required from the outset to ensure that, by default, only the data needed for a specific lawful purpose is processed, and only for as long as necessary. By default, the data should not be accessible to an indefinite circle of individuals. For example, the operator of a social network or application should ensure that the default setting is private when a user posts a photo, so that the photo becomes public only if the person changes that setting.
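As an added illustration (not code from the original article), the following Python sketch shows the two ideas in this section: a post record whose visibility defaults to private and can be widened only by its author, and keyed pseudonymization that replaces the user identifier before a record is handed to an analytics process. The class and function names, the key, and the sample data are all constructed for this example.

```python
"""Added example: privacy by default and pseudonymization for a user-post record.
All names and values here are constructed assumptions, not the article's own code."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed secret for the example. In a real system the key is kept in a
# key store, separate from the data, so the data alone cannot be re-identified.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"


@dataclass
class Post:
    author_id: str
    content: str
    visibility: str = "private"  # privacy by default: private until the author changes it


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym (HMAC-SHA256): the same identifier always maps to the same
    token, but the mapping cannot be reversed without the key. This is
    pseudonymization, not anonymization: the key holder can still re-identify."""
    digest = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:16]


def analytics_view(post: Post) -> dict:
    """Record handed to analytics: identifier replaced by a pseudonym and only the
    content length kept (data minimization: only what the purpose needs)."""
    return {
        "author": pseudonymize(post.author_id),
        "content_length": len(post.content),
        "visibility": post.visibility,
    }


def is_visible_to(post: Post, viewer_id: str) -> bool:
    """The author always sees their own post; others see it only once it is public."""
    if viewer_id == post.author_id:
        return True
    return post.visibility == "public"


def make_public(post: Post, actor_id: str) -> Post:
    """Only the author may widen visibility; anyone else is refused."""
    if actor_id != post.author_id:
        raise PermissionError("only the author may change visibility")
    post.visibility = "public"
    return post


if __name__ == "__main__":
    p = Post(author_id="user-42", content="hello")  # constructed sample post
    print("default visibility:", p.visibility)
    print("visible to a stranger:", is_visible_to(p, "user-99"))
    print("analytics record:", analytics_view(p))
    make_public(p, "user-42")
    print("visible to a stranger after opt-in:", is_visible_to(p, "user-99"))
```

The design point is that the safe state is the one that requires no action from the user: a newly created post is private, and only the author can change that. The pseudonym is deterministic so analytics can still count posts per author, but the raw identifier never leaves the system that holds the key.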

7. Evaluating data processing risks

According to the regulation, the risk assessment should include at least the following:

  • A description of the planned data processing process and objectives;
  • Assessing the need and proportionality of data processing;
  • Assessing the risks associated with individual rights;
  • A list of measures that reduce risks and ensure compliance with regulations;

8. Data Protection Officer

A data protection officer is a person who, within the organization, monitors the compliance of the data processing process with the requirements of the regulation. The appointment of a data protection officer is mandatory if the organization:

  • Regularly and systematically monitors a large number of individuals;
  • Processes large amounts of data of a particular category, or data relating to criminal convictions;
  • Is required to do so by the legislation of an EU member state.

The functions of a data protection officer should include at least:

  • Informing the organization and the employees involved in data processing about their responsibilities;
  • Internal monitoring of the data processing process in the organization;
  • Participating in the assessment of data processing risks as needed and overseeing this process;
  • Cooperating with the personal data protection supervisory authority;
  • Acting as the contact person in relations with the supervisory authority and on issues related to the protection of personal data.

In addition:

  • A group of companies may appoint one data protection officer to perform the functions of an officer for all companies in the group;
  • The contact details of the data protection officer must be publicly available;
  • The data protection officer must report directly to the top-level governing body, but must be independent in his / her activities.

! If the organization fails to comply with the terms of the regulation, the responsibility lies with the organization and not with the data protection officer.

9. Fines

Violations of the regulation are divided into two categories.

The first category of violations:

  • The organization has not fulfilled its obligation to report data breaches;
  • An organization registered outside the territory of the European Union has not appointed a representative in the European Union;
  • Data protection standards were not taken into account when creating the processing tools;
  • No records were kept of the actions taken on the data;
  • etc.

For these and other violations in this category, the maximum fine is 10,000,000 euros or 2% of the company's annual turnover.

The second category of violations:

  • The organization violated the rules on obtaining the person's consent;
  • The rights of the person have been violated;
  • The rules on international data transfers have been violated;
  • The organization did not follow the instructions of the supervisory authority or obstructed an inspection;
  • etc.

The maximum fine for violations in this category is 20,000,000 euros or 4% of the company's annual turnover.