Complying with the GDPR in Russia

General Data Protection Regulation

The GDPR’s impact on Russian business

In May 2018, the General Data Protection Regulation (GDPR) came into effect. The GDPR represents an extensive revision of European legislation. It details the rights of personal data subjects and the responsibilities of data controllers involved in personal data processing and protection based on state-of-the-art technology.

The GDPR covers companies operating in the 28 EU countries, as well as any business regardless of its location.

Russian businesses must understand that complying with domestic law does not automatically ensure compliance with the GDPR, as the EU legislation includes a number of new processes and requirements.

All individuals in the EU have the right to personal data protection under the GDPR, irrespective of their citizenship. We recommend that Russian businesses operating in the EU or cooperating with European partners carry out an assessment of whether their operations fall under the scope of the GDPR.

The GDPR should apply if the business meets at least one of the following criteria:

The business operates in the EU through a branch, affiliated company, partner company, agent or representative and, as part of this activity, it obtains and processes personal data.

The business provides goods or services to individuals who are in the EU and processes personal data within the scope of its operations.

The business monitors the behaviour and activity of individuals located in the EU. Among other things, monitoring may involve cookies, video, geolocation data or health data.

Is your company obliged to comply with the GDPR?

We have developed a short test to help you determine whether your company needs to comply with the GDPR.


Key GDPR novelties

1. Extraterritorial effect and direct application

The GDPR covers not only data controllers in the EU, but also businesses in any country that target individuals who are in the EU. The GDPR does not require the adoption of relevant regulations at the national level and applies directly to data controllers.

2. New data protection principles

The data protection by default principle requires companies to embed the GDPR’s requirements into the design of their data processing operations. In order to comply with the data protection by design principle, data controllers must monitor GDPR compliance in the course of change management in their business processes and information systems.

3. Retaining evidence of GDPR compliance

The GDPR requires controllers to document and ensure the availability of evidence demonstrating that all applicable data processing and security requirements are being followed.

4. Amending requirements for data processing consent

Consent is one of the legal bases for personal data processing under the GDPR. When receiving consent, the data controller must ensure that the consent is freely given, specific, informed and unambiguous. In certain cases, the data controller must inform the data subject of the risks related to data processing and of the mitigation measures that have been put in place.

5. Prompt notification of personal data breaches

The GDPR obligates data controllers to inform data subjects and the supervisory authority of any security incidents related to personal data. The notification period must be reasonable. The supervisory authority must be informed of any data breach within 72 hours from the moment when the data controller became aware of the security incident.

6. Performing a data protection impact assessment (DPIA)

The GDPR defines particular cases where the data controller must carry out a data protection impact assessment (DPIA) in the course of designing personal data processes. If the DPIA results show that the data processing poses a high risk to individuals, the data controller must consult the regulator prior to beginning processing.

7. Fines for GDPR violations may reach EUR 20m or 4% of annual turnover

The maximum fines for violating the GDPR have been raised to EUR 20m or 4% of annual turnover, whichever is higher.

Five success factors for responding to data subject requests

With the GDPR in force, individuals have more opportunities to exercise control over the use of their personal data. The GDPR lays down the rights that individuals may exercise by filing a relevant request with a data controller.


The role of technology in personal data protection

The GDPR has introduced new principles for personal data processing and security—data protection by design and data protection by default. These principles will require companies to rethink their approaches to selecting and implementing data processing technology and change management.


How can PwC help?

Our team performs GDPR projects for Russian and foreign businesses. We provide the following GDPR services:

Identifying the scope of GDPR
We will review the company’s business processes, internal regulations and personal data processing technology and assess the applicability of the GDPR to your company.

Minimising the scope of GDPR
Taking into account the nature of the company’s business, we will determine how to reduce the scope of the GDPR’s applicability based on personal data processes and data processing technology tools that we identified at the review stage.

Assessing GDPR compliance
We will assess personal data handling processes for their compliance with the GDPR, as well as identify and prioritise the company’s key GDPR-related risks. Based on the results of our assessment, we will develop recommendations on how to bridge the gaps we identified.

We will hold training sessions on the basics of the GDPR and the importance of GDPR compliance for the company’s employees and management, and run workshops on issues relevant for the company.

Expert support for the company’s transformation
We provide expert support to companies that are planning to implement business process transformation in accordance with the GDPR or are already undergoing such a transformation. We help plan and conduct employee awareness events, develop internal regulations and third-party contracts, and implement modifications in personal data processing technology.

Supporting personal data processing and protection activities
We provide advice to employees throughout daily data processing and protection activities. We carry out one-off or regular reviews of GDPR compliance and can develop a GDPR internal audit plan.

Developing a road map for aligning activities with the GDPR
We will develop a detailed road map outlining your future steps to align your personal data processing operations with the GDPR. At the client’s request, the road map can include an estimate of the project timeline, as well as determine the individuals responsible and assign priority to our recommended steps.

Contact us

Vitaly Sokolov


Partner, Risk Assurance, Cybersecurity Leader, PwC Russia

Tel: +7 (495) 967-61-53

Maxim Kandyba


Partner, Head of Banking and Finance, Bankruptcy, Intellectual Property and IT, Commercial Disputes, PwC Legal, PwC Russia

Tel: +7 (495) 232 5713

Artem Dmitriev


Senior Associate, IP, Technology and Data Protection practice, PwC Russia

Tel: +7 (495) 967 6000, ext. 4315

Mikhail Kurzin


Director, Cybersecurity, PwC Russia

Tel: +7 (495) 223 5040

Elizaveta Dmitrieva


Senior Consultant, Personal Data Processing and Protection Services, PwC Russia

Tel: +7 (495) 967 6000, ext. 3821
