Our privacy professionals wrote this GDPR long read to explain the most important rules of the Regulation in a single article, paying particular attention to the topics that tend to confuse employees.
Let's go through the GDPR step by step.
Have you ever wondered where the fingerprints or face scans used to unlock your smartphone are stored? Or why an online store asks for your date of birth when you place an order, although it seems superfluous for a purchase? Can anyone access your health record at the clinic? How do companies find your phone number to call you about an exhibition or a sale? And what do social networks know about their users?
Every day we share with others what is commonly called personal data: when dating or chatting, looking for a job, making an appointment with a doctor, ordering goods or paying for services. And we do it without thinking about what will happen to these data afterwards.
So why do we need the GDPR? With the advent and development of technology, people have become more generous with their personal data, because in return they get convenience and comfort. We are so used to it that we cannot imagine our world any other way. But does this mean that life is safer now? Not at all. Any piece of information can be used against us. And we, the data subjects, have lost control over our data in the new digital reality.
In the European Union this issue was taken seriously, and on April 27, 2016 the General Data Protection Regulation (Regulation (EU) 2016/679) was adopted. It became applicable only two years later, on May 25, 2018, so that businesses had enough time to prepare. The GDPR fundamentally changed the previous European legal framework for privacy protection, which was two decades old, and of course it raised a lot of questions: what should we do? whom should we contact? how dangerous is non-compliance?
In all matters related to the implementation of the Regulation, the concept of "personal data" plays a central role, because the GDPR only applies where personal data exist. Let's examine the definition in more detail.
Under the GDPR (Article 4(1)), personal data is any information relating to an identified or identifiable natural person (the "data subject").
An identified individual is a person whose identifier (name, phone number, personal ID number, login, etc.) is contained in the data.
An identifiable individual is a person who is not named in the data but can still be singled out, that is, distinguished from other people.
Personal data is therefore not only the identifier itself but also the information that relates to the person. And there are certain nuances here.
Without an identifier the information becomes anonymous. Information combined with an incomplete identifier constitutes personal data only where the person could still be identified by means reasonably likely to be used (Recital 26), i.e. by additional "investigation" that does not require special tools or excessive time and effort.
That is, if there is no reasonable means of identifying the data subject, the information is not personal data but anonymous data.
For example, personal data includes information describing the data subject: Ivan Kupala is 38 years old and a lawyer. Here the personal data is not only the person's name but also his profession and age.
If we don't know the full name but only that someone named Ivan in our city is 38 years old, that information is anonymous to us.
However, if we are told that someone named Ivan is 38 years old, lives in our city and works at a small law firm called "Kupala & Associates Law Office", we can easily identify the person. That information would be classified as personal data.
In simple terms, a name, passport number, ID card number, username, nickname, email address, phone number, IP address or bank card details are always treated as personal data because they are identifiers. A vehicle registration number, handwriting, a video or a photo are very likely to be personal data because they make it easy to identify a person. An address, marital status, sex, gender, e-wallet details, health data, page views, search queries or social media posts are personal data provided it is known to whom exactly they relate.
It is important to note that the notion of personal data is gradually changing. Previously, before the era of computers and cell phones, it was enough that a person could hypothetically be identified by anyone at all using the data for it to count as personal data. Now the criterion is narrowed to the circle of people who can realistically gain access to the data and use them for identification.
The Regulation was adopted first of all because technological progress puts people's right to privacy at risk. We have already discussed what privacy is and how it dissipates in the modern world. Now let's talk about the rights that we, as data subjects, can exercise under the GDPR.
Right to access (Article 15 GDPR)
Every person has the right to obtain their personal data or access to them. This right covers not only the information the data subject provided themselves but also the information a company (the data controller) has collected about them. The data subject may not even suspect that such collection has taken place, and this right enables them to find out about:
How must a company provide the information? Where the request is made by electronic means, the data are provided in a commonly used electronic form unless the data subject asks otherwise (Article 15(3)); a paper copy is also possible. Alternatively, the company can give the person access to their data, for example in a personal account. Under the Regulation the first copy is free of charge. The company may charge a reasonable administrative fee only for further copies, and may charge for or refuse requests that are manifestly unfounded or excessive, in particular because of their repetitive character (Article 12(5)).
Right to rectification (Article 16 GDPR)
A data subject has the right to obtain the rectification of inaccurate personal data processed by the company, and to have incomplete data completed. This becomes relevant when the data subject changes their passport or ID card, surname or place of residence, or when there is simply a mistake in their personal data. The right matters most where accurate and complete information is required for the processing.
Right to erasure (‘right to be forgotten’) (Article 17 GDPR)
In other words, this is the right to be forgotten. The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. But it is not that simple: the GDPR lists only a limited set of grounds on which this right can be exercised:
Let's take a closer look at the last point. Article 8 of the Regulation deals with the processing of children's personal data where an online service is offered directly to a child on the basis of consent. A child's consent is valid on its own only if the child is at least 16 years old (Member States may lower this age, but not below 13); otherwise consent must be given or authorised by the holder of parental responsibility. Children do not always understand what their actions on the Internet can lead to, so when you receive a request to erase data collected on the basis of consent given in childhood, you must do so without undue delay (Article 17(1)(f), Recital 65).
For example, 22-year-old Maria noticed that 8 years ago she registered on various gaming sites that collected and processed her personal data. Her parents confirmed her consent to participate in various promotions and sweepstakes on these sites. Now that the GDPR is in effect, Maria can obtain the erasure of all information about her participation in those promotions and sweepstakes that was collected while she was still a child.
The right to be forgotten is not absolute. For instance, it is balanced against freedom of expression and information and against processing that is necessary for archiving purposes in the public interest, scientific or historical research (Article 17(3)).
Right to restriction of processing (Article 18 GDPR)
Article 18 of GDPR provides a data subject with the right to obtain the restriction of processing where one of the following applies:
"Restriction of processing" can be understood as "freezing" the processing: the data are still stored but, apart from storage, may only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims (Article 18(2)).
Right to data portability (Article 20 GDPR)
The data subject has the right to receive the personal data concerning him or her in a structured, commonly used and machine-readable format and to transmit them to another controller. At first glance this looks like the right of access, but here we are talking about a file that another controller can import into its system. Both of the following conditions must be met for this right to apply:
➔ the processing is based on consent or on a contract;
➔ the processing is carried out by automated means.
Where technically feasible, the file can be transmitted directly from one controller to another, without passing through the data subject (Article 20(2)), which also reduces the risk of the exported data being mishandled on the way. For example, the social network Vkontakte would transmit all your photo albums to Facebook in one click. In practice such a mechanism is difficult to implement from both the technical and the financial point of view. Google, Facebook, Microsoft, Twitter and Apple are working on the Data Transfer Project, an open-source initiative to develop tools for direct transfers.
We hope that in the future all companies will be able to carry out such transmissions following all the necessary security measures.
Right to object (Article 21 GDPR)
The data subject has the right to object to processing of personal data concerning him or her. This right applies only where the processing is based on public interest or on the legitimate interests of the controller (Article 6(1)(e) or (f)), including profiling based on those grounds.
The controller must consider the objection and stop the processing unless it can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or that the processing is needed for the establishment, exercise or defence of legal claims.
NB! If the data subject objects to processing for direct marketing purposes, processing for that purpose must stop; no balancing of interests is performed.
Right not to be subject to a decision based solely on automated processing (Article 22 GDPR)
In the modern world, thanks to the rapid development of information technology, decisions are made not only by people but also by automated means. The GDPR gives data subjects the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them, since an algorithm can be erroneous or biased.
However, this right does not apply if:
Right to lodge a complaint with a supervisory authority (Article 77 GDPR)
The data subject has the right to lodge a complaint with a supervisory authority in the Member State of his or her habitual residence, place of work or the place of the alleged infringement. For example, a data subject who lives and works in Moscow has the right to lodge a complaint with the French supervisory authority if his or her rights were infringed by a French company. The supervisory authority must handle the complaint and inform the complainant of the progress and the outcome. If the data subject is not satisfied with the outcome, he or she has the right to an effective judicial remedy (Article 78 GDPR).
Right to compensation (Article 82 GDPR)
Administrative fines are imposed by supervisory authorities. Separately, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for that damage (Article 82).
Directive 95/46/EC, the predecessor of the Regulation, had already changed European data protection legislation considerably. The GDPR, however, spells out the rules in more detail. This also applies to the principles for processing personal data in the most important article of the law, Article 5 of the GDPR: six principles in Article 5(1) plus accountability in Article 5(2). Let's go through them.
1) Principle of lawfulness, fairness and transparency
Personal data can only be processed on a lawful basis. There are exactly six lawful bases (Article 6 GDPR):
- consent of the data subject;
- performance of a contract (or steps prior to entering into one);
- legal obligation;
- vital interests;
- public interest;
- legitimate interest.
Before you collect data, you need to find one lawful basis (legal ground) in this list that fits your situation. If nothing fits, the processing is unlawful and you infringe the Regulation. Fines for unlawful processing of personal data are widely applied and they are high.
This principle also requires that the data of different people be processed without discrimination or deception, that is, fairly. So there is an infringement when, for example, you use phone model information to charge higher prices to the owners of certain models.
Transparent processing means that people have access to information about the purpose, duration and scope of the processing in as clear and simple a way as possible. People without specific knowledge of the GDPR must be able to understand what is being said. Data subjects should not be left with further questions about why and on what basis their data are being processed.
2) The principle of purpose limitation
For any processing, the company must define a specific purpose and then strictly adhere to it without going beyond it. For example, if you ask for a customer's address to deliver a product, you may not send Christmas greetings to that address, because that is a different purpose which you did not define.
3) The principle of data minimization
The previous principle says that every processing must have a specific purpose and that the company must not go beyond it. The data minimisation principle adds that companies may not collect data that are unnecessary for that purpose. Unnecessary data are data without which the purpose can still be achieved. If you collect information to deliver a product to a customer, an address and a phone number for prompt communication are enough; the date of birth would be unnecessary for that purpose.
4) The principle of accuracy
Personal data must be accurate and, where necessary for the stated purpose, kept up to date. Under the Regulation the company must take every reasonable step to correct or erase inaccurate data. For example, if a regular customer changes his or her address, we must correct it in our system so that the customer receives his or her package.
5) The principle of storage limitation
Once all the defined purposes have been met, the information should be erased. The storage limitation principle means that personal data may not be kept in a form that identifies the data subject for longer than is necessary for the purpose of processing. For example, if someone ordered a pizza from your restaurant once, the delivery address should no longer be in your system the next day, because the pizza was delivered (purpose achieved). Bear in mind, though, that a different purpose with its own legal basis may require part of the order data to be kept longer, for instance invoice details under accounting law; that purpose has its own retention period and does not justify keeping the delivery address.
6) The principle of integrity and confidentiality
Personal data have always carried risks for the people they describe. But in the information society the amount of data and the level of threat have grown, and so the Regulation requires personal data to be protected against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures (Article 5(1)(f)). In the 21st century it is especially important to build an information security system that prevents data breaches.
For example, when delivering medicines to people's homes, the courier must hide from each recipient the names of the other buyers on the delivery list, say by simply covering them with a sheet of paper when the person signs for the delivery.
7) The principle of accountability
Under Article 5(2) of the GDPR, the controller must be able to demonstrate at any time that it complies with all of the above principles. In practice, failure to prove compliance is treated as non-compliance: the burden of proof lies with the controller.
For example, if we are unable, through internal documentation or a demonstration of software functionality, to prove that our system erases the addresses to which pizzas were delivered, then we have infringed the accountability principle. A supervisory authority can fine us without having to investigate whether or not we are actually storing the data longer than necessary.
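As an added example (not code from the article), here is a small Python sketch of how the pizza-delivery case from the storage limitation and accountability principles could be made demonstrable in software: a purge job erases the delivery-only fields once the delivery purpose is met, leaves the invoice field that belongs to a separate (accounting) purpose untouched, and writes every erasure to a hash-chained audit log that can be shown to a supervisory authority and checked for tampering. The Order model, field names, retention values and log format are assumptions for illustration; the sample orders are constructed.

```python
"""Storage limitation + accountability, as an added illustration.

Assumed: a simple Order record, one retention rule per purpose and a
hash-chained JSON audit log. None of this is prescribed by the GDPR itself.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import json


@dataclass
class Order:
    order_id: str
    delivered_at: Optional[datetime]   # None = not delivered yet
    address: Optional[str] = None      # purpose: delivery
    phone: Optional[str] = None        # purpose: delivery
    invoice_total: float = 0.0         # purpose: accounting (separate retention)


# Retention per purpose (assumed values). Delivery data goes as soon as the
# purpose is fulfilled; invoice data follows a longer statutory period and is
# deliberately NOT touched by the delivery purge below.
RETENTION = {
    "delivery": timedelta(days=0),
    "accounting": timedelta(days=10 * 365),
}

GENESIS = "0" * 64  # chain anchor for the first audit entry


def _log_entry(log: list, order_id: str, purpose: str, ts: datetime) -> dict:
    """Build an audit entry chained to the previous one through its hash."""
    entry = {
        "order_id": order_id,
        "purpose": purpose,
        "action": "erased",
        "ts": ts.isoformat(),
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    serialized = json.dumps(entry, sort_keys=True).encode()
    entry["hash"] = hashlib.sha256(serialized).hexdigest()
    return entry


def purge_delivery_data(orders: list, now: datetime, log: list) -> int:
    """Erase delivery-only fields of orders whose delivery purpose is met.

    Returns the number of orders erased. Idempotent: already purged orders
    are skipped, so re-running the job does not flood the audit log.
    """
    erased = 0
    for o in orders:
        if o.delivered_at is None:
            continue                            # purpose not yet fulfilled
        if now - o.delivered_at < RETENTION["delivery"]:
            continue                            # still inside retention window
        if o.address is None and o.phone is None:
            continue                            # nothing left to erase
        o.address = None
        o.phone = None
        erased += 1
        log.append(_log_entry(log, o.order_id, "delivery", now))
    return erased


def verify_log(log: list) -> bool:
    """Recompute the hash chain; False if any entry was altered or removed."""
    prev = GENESIS
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev:
            return False
        expected = hashlib.sha256(
            json.dumps(body, sort_keys=True).encode()).hexdigest()
        if expected != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def demo() -> dict:
    """Run the purge over constructed sample orders and report the outcome."""
    now = datetime(2024, 1, 10, tzinfo=timezone.utc)
    orders = [
        Order("A", now - timedelta(days=1), "1 Main St", "+100", 12.5),
        Order("B", None, "2 Main St", "+200", 9.0),           # not delivered
        Order("C", now - timedelta(days=3), None, None, 7.0),  # already purged
    ]
    log: list = []
    first = purge_delivery_data(orders, now, log)
    second = purge_delivery_data(orders, now, log)    # erases nothing
    intact = verify_log(log)
    log[0]["order_id"] = "Z"                           # simulate tampering
    return {
        "erased_first_run": first,
        "erased_second_run": second,
        "a_address": orders[0].address,
        "a_invoice_total": orders[0].invoice_total,
        "b_address": orders[1].address,
        "log_length": len(log),
        "log_intact_before_tamper": intact,
        "log_intact_after_tamper": verify_log(log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the chained hash is accountability rather than cryptographic strength on its own: an auditor given the log can recompute the chain and see that no erasure record was altered or dropped after the fact. In a real deployment the log head would be written to a separate, append-only store (or signed) so that someone who can edit the log cannot also rewrite the chain.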
We hope you now have an overview of all the data processing principles of the GDPR. However, this is only the first step. The Regulation is not just a set of rules that you can learn and apply mechanically: there are many exceptions, so if necessary, don't hesitate to turn to professionals who can help you build a properly aligned GDPR data protection system.
Any company whose business activities are in some way related to the European Union should consider GDPR compliance. You do not even need an office in an EU country to be subject to the Regulation.
Now let's explain how you can determine whether your company needs to be GDPR compliant with respect to a particular business process.
Yes, you read that right. The GDPR applies not to companies as such but to particular business processes ("processing operations") that use personal data. For some companies all processing will be subject to the GDPR; for others, only some processes. Let's find out which ones.
First, ask yourself: "Are personal data used in this process?" If the answer is yes, there are five more steps ahead. In some cases a single "yes" is enough for the GDPR rules to apply to the relevant process in your company.
Step 1: Does your company have organizational units within the EU?
Before answering this question, we need to understand the concept of "establishment". According to Recital 22, an establishment implies the effective and real exercise of activity through stable arrangements, and its legal form is not the determining factor. It can be not only a branch or a subsidiary but also an office, a remote workplace or even a single employee. If your company has any of these in any EU country, and that establishment processes data, then the GDPR is mandatory for that processing.
Let's explain using the Weltimmo case (CJEU, C-230/14). A company registered in Slovakia also operated in Hungary, where it had a mailbox, a bank account and a representative. The question was which law, Slovak or Hungarian, applied to the company's activities carried out through the representative in Hungary. The Court of Justice of the European Union (CJEU) held that Hungarian law was applicable. The reasoning was that the organisation had a representative in Hungary, even if not registered as a branch, sent and received letters at a Hungarian address and used an account with a local bank, and therefore carried out real and effective activity in Hungary.
The GDPR also applies to non-EU processing carried out in the context of the activities of that establishment, i.e. processes in your non-European company (subsidiary or parent) that are closely related to the activities of the European entity. For example, in Google Spain (CJEU, C-131/12) the Court found that search indexing carried out in the United States was processing in the context of the activities of the Spanish entity Google Spain, and therefore had to comply with European rules.
If you answered "yes" at this Step, the GDPR applies to this processing of personal data and you do not need to go through the remaining Steps of the scheme. You can move on and run your next processing operation through the scheme.
Step 2: Is the data subject in the EU?
It's not about citizenship but about where the data subjects are located. If you work with personal data of people who are in the EU, go to Step 3. If your data subjects are outside the EU, you must comply with the national laws of the country where the processing takes place (e.g. Federal Law 152-FZ in Russia).
So if a Spanish citizen works in your office in Moscow (and you have no establishment in the EU), the GDPR does not apply to the processing of his or her data. You do not need to go through the other Steps of the scheme.
If one of the data subjects is physically located in the EU, then go to Step 3.
Step 3: Is your processing related to the offer of goods or services to data subjects in the EU?
You are at this Step of the scheme if your company, which has no establishment in the EU, sells goods or provides services to people in Europe, e.g. over the Internet. It does not matter whether you charge your customers or not. For example, the free version of a mobile app you downloaded is also a service.
Since the Regulation applies to a particular processing operation, each process must be analysed separately. The processes can be quite different, for example:
- recruiting employees for the Moscow office;
- password recovery in an online service;
- retargeting/remarketing of visitors who have visited your site;
- an evaluation questionnaire.
In this list, retargeting/remarketing is a direct offer of a good or service, and the evaluation questionnaire and password recovery are connected with the provision of a service. So for these processing operations we answer "yes" to question #3 and move on to Step 4.
Hiring employees for the Moscow office, however, is processing of personal data that is not directly related to the offer of goods or services to people in Europe: a job offer is neither a product nor a service. Therefore, according to the scheme, we go straight to Step 5, where we check whether we are monitoring the behaviour of candidates for the position.
Another example: a Ukrainian online education platform sells its programming courses in English all over the world, including the EU. Does the platform need to comply with the GDPR? The online courses are services, so we answer "yes" to question #3 and go to Step 4 to find out whether the activity is aimed at at least one EU country.
Step 4: Do you intend to offer goods or services to data subjects in the EU?
In fact, this is a question about presence on the European market. It is sometimes unclear whether the GDPR applies when you receive an order from a person in the EU. The question to ask is: "Did you intend to offer goods or services in the EU, or is the order incidental?" The answer is not always obvious.
For example, a store in Grodno (Belarus) sells designer clothes. The company's website is available in Russian, Belarusian and English, orders are accepted in any currency and delivery is worldwide. It can be assumed that the store targets the EU market. So if an order comes from someone who lives in the European Union, you have to comply with the GDPR when processing that order.
The reverse example: a store in Minsk delivers flowers around the city for Belarusian rubles. A resident of Poland orders flowers on the store's website for his girlfriend in Belarus. Since the store targets only Minsk residents and has no intention of going outside the country, the Pole who placed the order is not protected by the GDPR.
So if you answer "yes" to the question about presence on the EU market in Step 4, the GDPR applies to your processing. If your answer is "no", go on to Step 5.
Step 5: Does the processing involve monitoring the behaviour of individuals who are in the EU (e.g. using Google Analytics)?
"Monitoring of behaviour" means tracking individuals and subsequently analysing or profiling their behaviour. Non-EU companies mostly do this over the Internet in order to predict people's personal preferences, behaviour and attitudes.
Consequently, if you monitor your European consumers, that process is governed by the GDPR.
An example of monitoring is tracking users' behaviour on a website with cookies in order to offer them more relevant products or services, something online store owners do all the time.
A few more cases from the supervisory authority's guidelines:
So if you answered the monitoring question positively, the GDPR applies to the processing. If the answer is negative, you do not need to apply the GDPR to that processing. Don't forget, though, to comply with your national data protection laws.
As we can see, the scope of the GDPR is very broad. A large number of small, medium and large businesses, both inside and outside the EU, that process their customers' personal data fall within it. Here is a list of the kinds of companies that should definitely pay attention to GDPR compliance:
- IT product companies and IT outsourcers;
- banks and fintech companies;
- hospitals and medical centers;
- online schools and course hubs;
- e-commerce and online stores;
- hospitality businesses and hostels;
- travel services and agents;
- logistics and transportation (air, road, rail, sea, etc.);
- communication and telecommunication services.
The Regulation is one of the most pressing concerns of entrepreneurs around the world. But GDPR compliance turns into a competitive advantage: you invest time and effort to achieve compliance, and in return you gain the respect and trust of customers and partners.
Obviously, if you have read this far, whether to implement the GDPR is no longer in question. Let's talk about the specific actions a company needs to take in order to comply.
GDPR compliance is, first of all, the alignment of a company's business processes with the rules of the Regulation. Following the international ISO standard, implementation of the GDPR includes the following groups of measures:
- Building a system
- Lawfulness of data processing
- Transparency of processing and rights of data subjects
- Purpose limitation, data minimisation and limitation of the data retention period
- Data Protection Officer (DPO)
Does all this seem complicated and incomprehensible? Let's take a closer look at some of these points.
Each processing operation must have a purpose. For example, a person decides to buy a plane ticket. You have to explain clearly: the company collects your passport data (processing) so that you can purchase the ticket (purpose 1) and to check that you are not blacklisted from entering the destination country (purpose 2). There must be a legal basis for each purpose.
NB! Choose a legal basis that is appropriate for purpose 1 and one for purpose 2 (they may be different).
The legal bases for personal data processing are the following:
In the example of selling a plane ticket and checking against the "black list", two different legal bases are used: for purpose 1, a contract; for purpose 2, a legal obligation.
Which documents must a company have in order to comply with the GDPR? Our consultants are often asked this question, but there is no single answer and there cannot be one. Documentation reflects the measures a company has taken; no legal act prescribes a fixed set of documents, and paperwork alone is not a demonstration of compliance. Not all measures are mandatory for every company, although some are necessary for most.
Examples of GDPR Documents are:
- Binding Corporate Rules (BCR)
- Bring Your Own Device Policy
- Business Continuity Plan
- Contact list for Breach Response Team
- Cross Border Personal Data Transfer Procedure
- Data Breach Notification Letter to Data Subjects (template)
- Data Breach Register
- Data Breach Report
- Data Breach Response Plan
- Data Processing Agreement (DPA)
- Data Protection Impact Assessment (DPIA)
- Data Protection Policy (internal)
- Data Protection Officer (DPO) Job Description
- Data Retention Policy
- Data Sharing Agreement
- Data Subject Access Request Form
- Data Subject Access Request Procedure
- Data Subject Change Request Form
- Data Subject Consent Form
- Data Subject Consent Withdrawal Form
- DPIA Register with Log of DPIA Outcomes and Implementation of Mitigating Controls
- DPIA Threshold Assessment
- Employee Privacy Notice
- Enterprise Privacy Risk Assessment
- Guidelines for Data Inventory and Processing Activities Mapping
- Incident Report Form
- Information Assets for Disposal Log
- Internal Audit Checklist
- Internal Audit Procedure
- Internal Audit Report
- Joint Controllership Agreement
- Legitimate Interest Assessment (LIA)
- Letter of Appointment of Data Protection Officer (DPO)
- Parental Consent Form
- Parental Consent Withdrawal Form
- Privacy or Data Protection Notice
- Processor GDPR Compliance Questionnaire
- Project Plan for Complying with the EU GDPR
- Register of Data Transfers
- Register of Privacy Notices
- Register of Processing Activities (RoPA)
- Standard Contractual Clauses (SCC)
Let's focus on some of these documents in more detail.
A DPA is a data processing agreement between a controller and a processor that must cover the following aspects (Article 28 GDPR):
Standard Contractual Clauses (SCC) supplement or replace the DPA in the case of cross-border data transfers.
When we are going to transfer data from the EU to a country outside the EU, the DPA alone may not be enough. Before a cross-border transfer, we first need to know whether the destination country provides an adequate level of data protection, i.e. whether the European Commission has issued an adequacy decision for it (Article 45). If the country is "inadequate", one of the transfer tools of Article 46 must be used.
In brief, you can use the SCC approved by the European Commission (Implementing Decision (EU) 2021/914). The SCC is a model contract concluded between the data exporter and the data importer, each of which may be a controller or a processor. The clauses themselves may not be modified, apart from selecting the appropriate module and filling in the annexes; the parties may add other clauses only if they do not contradict the SCC. Where additional provisions are needed, such as the allocation of costs for audits of personal data protection, the company concludes a DPA containing them, and the SCC is attached to it as an appendix. Note that since the Schrems II judgment (CJEU, C-311/18) the exporter must also assess whether the law and practice of the destination country undermine the protection the SCC promise, and adopt supplementary measures (for example, encryption to which the importer holds no key) where they do.
The privacy notice (policy) is a public document that describes what happens to the personal data a customer entrusts to us. It explains, for example, which personal data the company processes and to whom they are transferred.
In the past, before the GDPR came into effect, only lawyers could understand such documents: they contained too many complicated terms and constructions. Today, under Article 12 of the GDPR, a company must inform people not in legal language but in a concise, transparent and intelligible way, using clear and plain language (interactive formats are encouraged). For more details on what to write in privacy notices (policies) and how, see Articles 12, 13 and 14 of the GDPR, or the text below.
There are slight differences in the requirements depending on whether the company collects personal data directly from the data subject or obtains them from another source. Let's look at each case.
If a company collects personal data from an individual directly, it must include the following information in the policy:
A DPIA (Data Protection Impact Assessment) is a method for systematically and comprehensively analysing the risks caused by a processing operation and selecting protection measures.
It looks not at the risks to the company but at the risks to people's rights and freedoms. This includes, inter alia, the risk of psychological, physical, social and economic harm to data subjects.
If you understand that the processing is likely to result in a high risk, make sure you carry out a DPIA before you start. Article 35(3) of the GDPR gives examples where such a high risk is likely and a DPIA is therefore mandatory. These are, for example:
Thus the Data Protection Impact Assessment is a kind of safety cushion that allows you to identify risks and prevent them. It is a sound investment in the company's future, since it protects against problems with supervisory authorities, partners and customers.
LIA - Legitimate Interest Assessment
If you work with personal data on the basis of legitimate interest, you have to do a legitimate interest assessment. This is both a formal procedure and a document, the contents of which are clearly stipulated. During a LIA, you have to weigh the pros and cons of processing for both the company and the data subject.
The LIA is conducted in three stages:
The legitimate interests of the company should be reviewed periodically. Over time, depending on external and internal factors, the purpose, nature or context of the processing may change. There is a good chance that this will affect the balance between you and the data subject. Consequently, the LIA should be updated accordingly.
This procedure helps to avoid problems in the future and build customer trust, while not to the detriment of the organization itself.
By training employees and heads of departments in how to handle personal data, the company reduces its GDPR risks and increases customer loyalty. Starting with training courses and certifications from Data Privacy Office is an effective step towards GDPR compliance.
The GDPR Data Privacy Professional course is the most popular GDPR course in the CIS countries, which has been conducted since 2018. It will provide you not only with comprehensive knowledge of the GDPR, but also with understanding of the logic of European standards in terms of personal data protection. The course is suitable for employees of different backgrounds, including non-lawyers. It is available in a group format (both online and offline), as well as in a self-paced mode.
GDPR Data Privacy Manager will provide those who are already working with GDPR “in the field” with everything they need to organize, maintain and manage a company's personal data protection system throughout the entire lifecycle of the system. As a result, such managers not only know and understand the requirements of the GDPR, but also know how to make all this work in any company. This course can be taken in a group (online).
The GDPR Data Privacy Technologist course covers the main aspects of ensuring data privacy in IT products and services. It is aimed at building personal data protection processes within the course of development and use of IT products. This course is available only in a self-paced mode (recording).
CIPP/E (Certified Information Privacy Professional / Europe) Preparation Coaching
Prepare for the international exam in the field of information privacy CIPP/E under guidance of certified experts. The syllabus of coaching matches the list of topics to be covered during the CIPP/E exam:
The decision to resort to a consultant is especially important when deadlines are tight and there is no room for error. The consultant will ensure that your actions are correct and provide you with a clear rationale. If you turn to Data Privacy Office consultants, they will also take into consideration peculiarities of your business, as well as the resources and processes available.
Data Privacy Office clients often order comprehensive products such as GDPR Roadmap or Outsourced DPO. These are discussed a little further below. But some choose individual GDPR services (GDPR compliance audit, privacy policy audit, conducting a DPIA, GDPR gap analysis, Data mapping, Privacy Engineering Team, Personal data register).
The program is designed for systematic implementation of personal data protection in accordance with the international standard ISO 27701. It is suitable for all types of companies: from IT startups to large banks and fintech companies. This is your opportunity to delegate coordination of the project to bring your business to GDPR-Compliance. We use our own “GDPR Roadmap” methodology to quickly set up personal data protection in small companies that do not have a set of well-built business-processes yet.
The company gets an experienced and competent specialist who is able to promptly and correctly resolve issues related to the GDPR and, what is equally important, to take responsibility for them. The Data Privacy Office expert acts as your safeguard in dealings with the supervisory authority. The functions of the DPO include the following:
A PETeam is a team formed by a certified GDPR expert, an engineer (software architect), and, if necessary, one or more programmers. All you need to do is to test the work and implement solutions. The PETeam provides support with the following tasks:
As you may have realized, the General Data Protection Regulation is a serious legal act of direct application, the violation of which entails serious sanctions. The European Union, endeavoring to guarantee the protection of personal data, has set quite severe penalties.
Violations of the Regulation are subject to fines of up to EUR 10,000,000 or up to EUR 20,000,000: the amount varies depending on the GDPR article. If the company's turnover is over half a billion euros, the maximum penalty is calculated as a percentage of the global turnover for the previous year: from 2% to 4%. The sanctions are set by Article 83 of the GDPR.
Importantly, supervisory authorities have the right to impose administrative fines on both controllers and processors. Fines can be imposed instead of, or together with, other measures prescribed by the supervisory authorities.
The top 5 largest fines during the period of application of the Regulation:
These five cases only prove the importance of complying with the GDPR. Implementing GDPR is usually much more profitable for a company than acting on a "maybe we'll get away with it" principle. Regulators usually find violations due to dissatisfied customers, the media, bloggers, disgruntled former employees, etc. In addition, privacy becomes a marketing differentiator for new brands and attracts customers. Finally, getting your systems in order and putting processes in place is a task that any business seeking success will face sooner or later.
We hope you found this article helpful. Now you understand the basic rules of the GDPR and how to work with them. However, if it is difficult for you to cope on your own, you can always turn to our experts for help. This will be an investment in the future of your company, as well as a competitive advantage in the market right now. As a GDPR-compliant company, you will earn trust and respect from customers and partners, which is undoubtedly a valuable resource for any business.