The World Wide Web is on the verge of big changes. On May 25th, Regulation (EU) 2016/679 of the European Parliament – the General Data Protection Regulation (GDPR) – goes into effect. It defines new rules for obtaining, storing, processing and using personal data. It will certainly affect e-tailers, search systems, social media and, of course, payment processing companies.
Bilderlings dives into the nuances of the upcoming changes.
In short: EU residents are getting a wide range of opportunities for total control over their personal data. In fact, proprietary rights are now effectively applicable to these data.
Previously, the EU Data Protection Directive adopted in 1995 had a similar function in the European Union. But the difference between a directive and a regulation is that the latter is a document of direct action. That is, while a directive stipulates the necessity of introducing amendments to the national legislation of the EU countries so that every country can deal with the issue in its own way, a regulation is directly effective in all 28 countries of the European Union. And not only in these countries.
A European document – and a global one
If EU residents’ personal data are used in a company’s activities – even if that company operates outside of the EU – then it must organize its activities in accordance with GDPR. Most significantly, the whole chain of the company’s business partners must meet these requirements as well.
For example, from now on any Chinese online shop that systematically offers goods or services to EU residents must operate in accordance with GDPR. The emphasis here is on “systematically”. This means that the company is actively reaching a specifically European target group of customers, offering them products in their national languages, using national currencies or the euro, and conducting business via top-level national domains of the EU.
If the aforementioned Chinese shop is technically focused exclusively on China, compliance with GDPR is not required even if its website has an English version. Any customer from within the EU can still place an order with this company. He will most likely receive quality goods and services, but in such cases he has no rights with regard to any personal data he provides.
Companies operating in this way, however, will be the de facto losers in the competition. Firstly, they won’t have direct access to the European market. And secondly, they will lose potential business partners who comply with the rules of the new regulation in their own businesses.
GDPR rules must also be followed if an institution is carrying out sociological, marketing or any other sort of monitoring in which personal data are used, on residents of the EU or within its territory, including the Internet.
This suggests that the document does in fact have an extraterritorial character and, in the end, will inevitably affect online activities all over the world. Violation will incur substantial fines: up to 20 million euros or up to 4 per cent of the violating company’s annual turnover.
Only what’s essential
Personal data is a fairly broad concept. Firstly, it covers information that directly identifies a person. Secondly, it covers information that makes identification possible with a high degree of probability. Thirdly, it covers information that relates to the identified person (for example, details of his financial standing and private life). Information about financial operations, education, beliefs, sexual identity, etc., including e-mail addresses, can be included as well.
It is still not clear within what limits this concept will be formalized by the GDPR in actual administrative practice. It is similarly difficult to say what will happen to the artificial intelligence systems on which big data, already familiar and convenient for many, is based.
According to the new regulation, a company is from now on obliged:
– To obtain preliminary, explicit consent from a subject for the processing of his personal data. Moreover, the person must be informed as to how this information will be used.
– To collect only the minimum necessary amount of personal data, and to use the data only and exclusively for the stated purposes.
– To keep information in a form which permits identification of data subjects for no longer than is needed to achieve these purposes.
– To keep information that can identify a person separately from all other personal information.
– In case of a database breach or any other data theft, to notify the authorities and users within 72 hours.
– If it is a large organization, to introduce a Data Protection Officer position.
In every country a corresponding structure should be created: a national regulator for personal data. A list of the national regulators of the EU countries is already available online.
The right to be forgotten
A data subject (a natural person resident in the EU), in his turn, from now on has the following rights:
To obtain information on where, how, for how long and for which purpose his data are processed and which third parties have access to them.
To inquire as to where the company obtained his personal data and to have them changed if necessary.
The “right to erasure” or “right to be forgotten” that was included in the previous Directive has been further developed. This means that, at the request of an EU resident, all his personal data must be deleted from databases and search system results – but only when these data are of no social consequence and the erasure does not violate fundamental human rights.
This right has a narrower, more specific character in regard to the operation of payment processing companies, and Bilderlings in particular. For example, a client’s data must be deleted from the current database when a contract is terminated or otherwise ends. Similarly, in case of any suspicion, a client can inquire into what kind of data are kept in our database, how they were obtained and to whom they could be passed. We are obliged to provide a response within 30 days.
One of the GDPR’s innovations is a right to data portability. At the data subject’s request, his personal data must be passed to a third party at no charge. For a payment processing company this can become necessary when, for example, a client switches to another company.
Protection of minors’ rights is specifically stipulated in the document. Every country sets an age limit independently, within the range of 13 to 16 years. Below this age, personal data processing is possible only with the consent of the minor’s parents or legal guardians.
In total the regulation contains 260 pages, so to cover all of its aspects and nuances in detail in the space of a short article would be impossible. Without a doubt, many companies will need to seriously revise their software.
However, payment processing companies have traditionally paid close attention to protective measures concerning the financial and personal information of their clients. There is the PCI DSS standard, which conforms to the highest level of data protection. In fact, it guarantees meeting all of the GDPR requirements, and we are pleased to note that Bilderlings complies with this standard.
In the meantime, the world’s software developers have not been sitting idle during the two years that have passed since the adoption of GDPR. As an example, Microsoft has embedded GDPR Compliance Manager into its Office 365, a business-class, cloud-based software product.
This app, as follows from its name, is designed for checking the compliance of data processing in an organization with the requirements of the EU regulation. It is available to all Office 365 users, including our company. The app offers all of the necessary instruments and analyzes documents that are copied into it. The result comes back either as a list of recommendations or as a statement of your company’s compliance with GDPR requirements.
“Of course, new security measures complicate the activities of companies that work with finances. Previously, we cared primarily about our clients’ money, and all the rest was like an additional guarantee on our part, but now the scope of responsibility has expanded. Money and clients’ personal information are becoming effectively equivalent. But we have been ready for this,” — says Sergey Kravchenko, head of the information security department of Bilderlings.