What you need to know about GDPR and how it affects your business

Carding Forum

Professional
The GDPR is the EU's General Data Protection Regulation; it is legally binding and imposes heavy fines on violators.

On May 25, 2018, after a seven-year process of preparation, the General Data Protection Regulation (GDPR) came into force. The document has already influenced many areas of life and business, from technology and medicine to advertising and banking. At the same time, the provisions of the new regulation apply not only to EU citizens and to companies established in the EU.

The editorial staff of PaySpace Magazine once again draws attention to the main provisions of the document and invites you to the specialist event GDPR Summit Ukraine, which will be held on October 7 in Kiev and will traditionally serve as a platform for popularizing European principles of personal data processing and protection in Ukraine and for sharing experience of GDPR implementation among organizations from different sectors of the economy.

Main definitions of the GDPR
First of all, it should be noted that the regulation has significantly broadened the interpretation of personal data.

Personal data is any information relating to an identified or identifiable natural person (the data subject), that is, a person who can be identified directly or indirectly. This information includes, but is not limited to, a name, location data, an online identifier, and factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1)).

Businesses need to understand two terms: the data controller and the data processor. It is easy to distinguish between them: if your organization determines the purposes of storing or processing personal data, it is the controller. If an organization stores or processes that data on behalf of another organization, it falls under the definition of a processor. One company can act in both roles at the same time.

In addition, the GDPR also regulates companies' monitoring of the behaviour of data subjects, for example tracking an EU resident online (including through the use of cookies) or using data-processing methods to profile individuals, their behaviour or their attitudes towards something.

GDPR data processing principles
Lawfulness, fairness and transparency - information about the purposes, methods and scope of personal data processing must be presented in as accessible and simple a form as possible.

Purpose limitation - companies may collect and use user data only for the purposes that were stated and communicated to the user.

Data minimization - companies are prohibited from collecting more data than is necessary to achieve their stated purposes.

Accuracy - inaccurate personal data must be corrected or deleted, including at the request of the data subject.

Storage limitation - the period and form of data storage must correspond to the purposes of processing.

Integrity and confidentiality - a company that processes personal data must protect it from unauthorized access, destruction or damage.

Key provisions of the GDPR
The GDPR has significantly expanded the rights of EU citizens and residents to control their personal data:
  • the data subject has the right to obtain confirmation of whether their data is being processed, all related information and the conditions of processing, and to request the correction of their data where it is inaccurate;
  • the right to be forgotten - Europeans can demand the deletion of their personal data;
  • the right to data portability - at the data subject's request, companies are required to provide an electronic copy of their personal data, or transmit it to another company, free of charge;
  • consent to the processing of personal data must be expressed as a statement or as a clear affirmative action by the user. Consent is also considered invalid if the user was not given a genuine choice. For a child's data, consent must be given by a parent or guardian.

GDPR coverage
The GDPR has extraterritorial effect, which means that the regulation applies to all companies that process the personal data of individuals in the EU, regardless of where the companies themselves are located. Consequently, foreign companies that offer goods or services to people in the EU, or monitor their behaviour, must also follow the rules.

Organizations that store and process large amounts of consumer data must monitor their compliance with the new rules particularly closely, and for many companies these processes are at the heart of the business model. Organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data are required to appoint a Data Protection Officer (DPO) to monitor compliance with the GDPR and to communicate the DPO's contact details to the supervisory authority. Separately, a controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to the individuals concerned, the affected data subjects must also be informed.

Facebook has launched a number of tools for GDPR compliance. Photo: technology.inquirer.net
Of course, the largest companies in the world took care of compliance with the new regulation in advance. In particular, Facebook launched a number of tools that "give people more control over their own privacy": users can now easily find, download and delete certain data about themselves on the social network. The company also required every user to accept the new user agreement.

In turn, Apple launched its privacy dashboard, proudly noting that it collects far less personal data than its competitors and therefore does not need significant changes. Google simply updated its products and privacy policy gradually, without drawing undue attention to it.

How a business becomes GDPR compliant
  • Conduct a comprehensive assessment of the methods and means of personal data processing used in the company and bring them into line with the GDPR;
  • Review the privacy policy and user agreements;
  • Develop an internal data protection policy, train employees and audit their data processing activities;
  • Set up mechanisms for responding to requests from European regulators and from data subjects.

Non-compliance with the GDPR
Non-compliance with the provisions of the regulation is punishable by fines of up to 20 million euros or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.
Consider a well-known case. Almost immediately after the GDPR took effect, two associations of privacy activists filed complaints against Google. As a result of the proceedings, the French supervisory authority (CNIL) fined the American company over the way the Google account creation page on the Android operating system was set up. It found a breach of the transparency obligation, as well as the absence of a valid legal basis for processing personal data for advertising personalization. The fine was 50 million euros, at the time the largest fine imposed under the GDPR. The case is also notable because the fine was imposed on a company that is not incorporated in the EEA.

GDPR in Ukraine
In early summer 2021, the Verkhovna Rada registered bill No. 5628 on the protection of personal data. The bill updates current legislation in this area and introduces European norms that comply with the provisions of Convention 108+ and the GDPR. Experts of the All-Ukrainian Association of Financial Companies consider this an important step towards Ukraine's integration with the European Union and towards increasing the competitiveness of Ukrainian business internationally.