General Data Protection Regulation
In May 2018, the General Data Protection Regulation (GDPR) came into effect. The GDPR represents an extensive revision of European legislation. It details the rights of personal data subjects and the responsibilities of data controllers involved in personal data processing and protection based on state-of-the-art technology.
The GDPR covers companies operating in the 28 EU countries, as well as any business regardless of its location.
Russian businesses must understand that complying with domestic law does not automatically ensure compliance with the GDPR, as the EU legislation includes a number of new processes and requirements.
Dmitry Biryukov talks about the new requirements of the GDPR
All individuals in the EU have the right to personal data protection under the GDPR, irrespective of their citizenship. We recommend that Russian businesses operating in the EU or cooperating with European partners carry out an assessment of whether their operations fall under the scope of the GDPR.
The GDPR should apply if the business meets at least one of the following criteria:
The GDPR covers not only data controllers in the EU, but also businesses in any country that target individuals who are in the EU. The GDPR does not require the adoption of relevant regulations at the national level and applies directly to data controllers.
The data protection by default principle requires companies to embed the GDPR’s requirements into the design of their data processing operations. In order to comply with the data protection by design principle, data controllers must monitor GDPR compliance in the course of change management in their business processes and information systems.
The GDPR requires controllers to document and ensure the availability of evidence demonstrating that all applicable data processing and security requirements are being followed.
Consent is one of the legal bases for personal data processing under the GDPR. When receiving consent, the data controller must ensure that the consent is freely given, specific, informed and unambiguous. In certain cases, the data controller must inform the data subject of the risks related to data processing and of the mitigation measures that have been put in place.
The GDPR obligates data controllers to inform data subjects and the supervisory authority of any security incidents related to personal data. The notification period must be reasonable. The supervisory authority must be informed of any data breach within 72 hours from the moment when the data controller became aware of the security incident.
The GDPR defines particular cases where the data controller must carry out a data privacy impact assessment (DPIA) in the course of designing personal data processes. According to the DPIA results, if the data processing poses a high risk to individuals, the data controller must consult the regulator prior to beginning processing.
The maximum fines for violating the GDPR have been raised to EUR 20m or 4% of annual turnover, whichever is higher.
With the GDPR in force, individuals have more opportunities to exercise control over the use of their personal data. The GDPR lays down the rights that individuals may exercise by filing a relevant request with a data controller.
The GDPR has introduced new principles for personal data processing and security—data protection by design and data protection by default. These principles will require companies to rethink their approaches to selecting and implementing data processing technology and change management.
Our team performs GDPR projects for Russian and foreign businesses. We provide the following GDPR services:
Identifying the scope of GDPR
We will review the company’s business processes, internal regulations and personal data processing technology and assess the applicability of the GDPR to your company.
Minimising the scope of GDPR
Taking into account the nature of the company’s business, we will determine how to reduce the scope of the GDPR’s applicability based on personal data processes and data processing technology tools that we identified at the review stage.
Assessing the GDPR compliance
We will assess personal data handling processes for their compliance with the GDPR, as well as identify and prioritise the company’s key GDPR-related risks. Based on the results of our assessment, we will develop recommendations on how to bridge the gaps we identified.
We will hold trainings on the basics of the GDPR and the importance of GDPR compliance for the company’s employees and management, and run workshops on issues relevant for the company.
Expert support for the company’s transformation
We provide expert support to companies that are planning to implement business process transformation in accordance with the GDPR or are already undergoing such a transformation. We help plan and conduct employee awareness events, develop internal regulations and third-party contracts, and implement modifications in personal data processing technology.
Supporting personal data processing and protection activities
We provide advice to employees throughout daily data processing and protection activities. We carry out one-off or regular reviews of the GDPR compliance and can develop a GDPR internal audit plan.
Developing a road map for aligning activities with the GDPR
We will develop a detailed road map outlining your future steps to align your personal data processing operations with the GDPR. At the client’s request, the road map can include an estimate of the project time line, as well as determine the individuals responsible and assign priority to our recommended steps.
Partner, Risk Assurance, Cyber Security Leader, PwC Russia
Tel: +7 (495) 967-61-53
Partner, Head of Banking & Finance Law Practice PwC Legal, PwC Russia
Tel: + 7 (495) 232 5713
Assistant Manager, Risk Assurance, Personal Data Protection, PwC Russia
Tel: + 7 (495) 967 6000, ext. 2732
Senior Associate, IP, Technology and Data Protection practice, PwC Russia
Tel: +7 (495) 967 6000 доб. 4315