GDPR: What you need to know before entering foreign markets


GDPR is a data protection regulation that was adopted by the European Union in May 2018. Yes, it has been two years since then, but many companies continue to grow by entering foreign markets with their applications and services. In this article, we have collected everything you need to know in order not to run into insane fines.

What is regulated by the GDPR

In short, this Regulation requires companies to inform their users that personal data is being collected on a website or mobile application. Notification of users should be clear and explain in an accessible form what data will be collected.

The full text of the Regulation can be viewed here. It is important to understand that the GDPR interprets the concept of "personal data" very broadly: literally any information about users, even cookies and technical data, can fall under it.

GDPR also has some key principles: for example, you must collect all data lawfully and with the explicit consent of the user. User consent is only one of the possible legal grounds for the processing of personal data; in practice, a contract with the user or the legitimate interests of the operator is often sufficient for lawful processing. The amount of data you collect should be kept to the minimum necessary for your purposes. Storage and processing of data must comply with all security requirements and be limited to the time required for processing the personal data. Security requirements include:

  • Pseudonymization (anonymization) and data encryption;
  • Ensuring continuous confidentiality, integrity, availability and resilience of the systems involved in data processing;
  • The ability to promptly restore access to personal data if an incident occurs;
  • Regular testing and assessment of the organizational and technical security measures for PD processing;
  • A roadmap for working with personal data, and training for all personnel involved in processing user data in the new rules;
  • If your company is not located in the EU, a local representative. This person acts as your point of contact for all inquiries regarding personal data; simply put, a link between you and your users in the EU;
  • Surely you have users who registered before the GDPR: their data can only be processed once their consent has been obtained.

This is about the EU, what has Russia to do with it?

That's right, it was the European Union that began to worry about the protection of the personal data of its citizens. But whether you are subject to the Regulation depends not only on where your company is established, but also on whether there are EU citizens among your audience (and, to be precise, also citizens of Norway, Iceland and Liechtenstein).

IMPORTANT: If you process or store user data from these countries, then welcome aboard the GDPR: you will have to comply. Even if your users are citizens of the Russian Federation who permanently or temporarily reside in, or are simply located in, the EU, you are still subject to the GDPR rules. Of course, all this applies only if you deliberately target your products and services at users from the EU or systematically interact with European users. If some random Frenchman visits the website of the Ryazan Regional Philharmonic Society, the GDPR will not apply.

What if I don't want to adjust?

Then you can restrict access to your company's services for EU users. If you do not, then for non-compliance with the Regulation companies face a fine of up to 20,000,000 euros or up to 4% of the company's annual turnover for the previous year, whichever is higher.

How not to violate the GDPR?

We came to the most interesting. Here is a small checklist for you that will help you understand whether you are ready to reach the EU audience in terms of collecting and storing personal data.

1. Make sure you notify users that you are collecting their data. That is, you must have a banner (or message) that makes it clear that you intend to collect, store and process users' personal data - a processing notification. Users should be able to opt out of this. In addition, you must provide users with a detailed privacy policy in which you list what data you collect, for what purposes, and to which third parties you transfer this data. It is also necessary to state here what software and marketing platforms you use.

For example: your company sends newsletters using a third-party service. Then the agreement must clearly indicate which user data will be transferred to this service and for what purposes (again, provided that the mailing service itself complies with the Regulation).

Another example: your company uses an analytics system. In the agreement, you also need to specify what data you transfer to these services and for what purposes. Large systems like Yandex.Metrica and Google Analytics have released their own GDPR guides (Yandex, Google).

When the GDPR went into effect two years ago, many people's inboxes were filled with GDPR letters asking them to accept a new agreement. And this is the right precaution. Do not forget to explain exactly what data you will collect, as well as how long you will store it.

By the way, do not forget to inform the user about any changes to the PD processing consent message, as well as the date of the last change.

IMPORTANT: Consent must be formulated clearly, understandably and transparently, using simple language and wording. The user must give consent of their own free will, so do not present the consent checkbox already ticked - the user must tick it themselves.

2. Make sure you only collect the data you need. Everything is simple here: minimize the amount of data you collect from the user. For example, you can reduce the number of form fields and make some of them optional; this also makes registration easier.

3. Make sure that the user can easily manage their PD. It is best if the user's account has a section for managing his personal data.

For example: you create a newsletter that consists of two types of letters - transactional and marketing. The former include system notifications, for example about order status, password reset, and so on. The latter are optional: they cannot be enabled by default, and the user must decide for themselves whether they want information about discounts, promotions, and so on. Marketing emails can also be divided into several categories so that your users can choose, for example, to receive information about discounts but not announcements of upcoming events.

4. Make sure not to store data from users who no longer use your product. No user - no data, period. True, you can continue processing PD if the operator has other legal grounds for processing.

But what if you don't want to lose contacts? When your user announces that he no longer wants to work with your service, you can offer him the same agreement, only asking if you can save some of his data. Again, write transparently and in detail exactly which ones and for what purposes. For example, you can keep his email in order to continue making mailings.

In the policy, you can specify two data retention periods: one for delivering a product or service, and the other for marketing purposes. The first can be, for example, two months, and the second a year since the user's last activity.
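A retention check modelled on the two storage periods just described, written as an added example and not taken from the article or any real system: service data expires after one period, marketing data survives longer but only while the user has separately opted in, and everything else is erased. The record layout, the 60-day and 365-day figures and the sample users are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Assumed periods, following the article's example figures.
SERVICE_RETENTION = timedelta(days=60)     # "two months" after last activity
MARKETING_RETENTION = timedelta(days=365)  # "a year" after last activity


@dataclass(frozen=True)
class UserRecord:
    user_id: str
    email: str
    shipping_address: str
    last_activity: datetime
    marketing_consent: bool = False  # opt-in only, never pre-ticked


def retention_decision(rec: UserRecord, now: datetime) -> dict:
    """Decide per field what may still be stored for one user record."""
    idle = now - rec.last_activity
    keep_service = idle <= SERVICE_RETENTION
    keep_marketing = rec.marketing_consent and idle <= MARKETING_RETENTION
    erase = []
    if not keep_service:
        erase.append("shipping_address")  # only needed to deliver the service
    if not keep_service and not keep_marketing:
        erase.append("email")             # no remaining purpose for it
    return {"user_id": rec.user_id, "erase": erase,
            "delete_record": not keep_service and not keep_marketing}


def apply_retention(records, now):
    """Return surviving records with expired fields blanked, plus an audit log."""
    survivors, log = [], []
    for rec in records:
        d = retention_decision(rec, now)
        log.append(d)
        if d["delete_record"]:
            continue
        survivors.append(replace(rec, **{f: "" for f in d["erase"]}))
    return survivors, log


# Constructed sample data; timestamps are made up for the illustration.
NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    UserRecord("u1", "a@example.com", "1 Main St", NOW - timedelta(days=10)),
    UserRecord("u2", "b@example.com", "2 Main St", NOW - timedelta(days=100), True),
    UserRecord("u3", "c@example.com", "3 Main St", NOW - timedelta(days=100)),
    UserRecord("u4", "d@example.com", "4 Main St", NOW - timedelta(days=400), True),
]
```

Running `apply_retention(SAMPLE, NOW)` keeps u1 intact, keeps only u2's email (marketing consent, under a year idle), and deletes u3 and u4; the audit log is what you would show a user asking what you still hold about them.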

Outside the stated purposes of processing, personal data can only be used in the public interest, or for scientific or historical research or statistical purposes.

5. Make sure the data is well encrypted and leak-proof. And also warn your users that their personal data will be stored in encrypted form. Data encryption is one of the GDPR recommendations for secure storage of personal data. To protect against leaks, you can, for example, use DLP (Data Loss Prevention). Install an SSL certificate on the site.

6. Be prepared to respond to user inquiries about their PD. In addition, one of the provisions of the Regulation requires human involvement in legally significant decisions (e.g. recruitment, granting of benefits or court matters). You can no longer hand everything over to algorithms.

Restrict third-party services' access to PD. At the very least, find out which services have access to your users' personal data and whether they comply with the GDPR. Everyone involved in the data processing chain must be identified in the privacy policy. If you entrust the processing of PD to a third party, or process PD together with another processor, you must conclude Standard Contractual Clauses (used when data is transferred to a partner outside the EU) or Data Processing Agreements with your partners. Which documents are needed depends on the type of PD processing and on other factors; more details here and here.

7. Take a closer look at the SDKs you use. All packages and external dependencies that your service uses must comply with the Regulation.

8. Check your software - is it GDPR compliant? Two properties matter here: privacy by design and privacy by default. The first means that the software is developed with respect for privacy; the second means that on installation the user is offered the most privacy-protective settings by default.

What else can I do?

The above is just a small list of basic rules that will be useful to everyone. The GDPR is very extensive, it governs a lot of things. For example, if among your users there are children under 16 years old, then their PD can be processed only with the permission of parents or legal representatives.

So, once the user has given consent, can I collect any data?

First, let us remind you once again: not any data, but only the data listed in the personal data collection notice. Secondly, there is a category of data that cannot be collected under any circumstances (with some exceptions, for example if the user has given explicit consent to the collection of this information):

  • about religious and political preferences;
  • about ethnicity and race;
  • about the state of health;
  • about sexual orientation;
  • membership in various trade unions;
  • biometrics and genetic data to more accurately identify users. Including photographs.

Everything seems simple

So it is, the main thing is to stick to a simple algorithm.

  • Read the GDPR - here is the original.
  • Conduct a detailed audit of all the data that your company collects, make sure that all this data is needed to work, that you collect only the necessary minimum.
  • Develop a clear, understandable and simple message for collecting user consent.
  • Develop a PD management system so that the user always has access to it.
  • Make sure that all software your company uses is GDPR compliant.
  • The same goes for your partners and contractors.
  • Make sure the data is stored in a safe place, that it is encrypted and protected.

That's it, users' data is now safe.