What is GDPR? Everything you need to know about the new EU data protection laws
On 25th May 2018, the General Data Protection Regulation (GDPR) came into force. This law applies to every company that processes the personal data of EU citizens, even if the company itself has nothing to do with the European Union.
We asked Anna Bessmertnaya, a lawyer at JetStyle and Ridero, to explain why this is happening and what needs to be changed on a website in order to comply with European laws.
"– Do you know a good adviser on the European law on personal data protection?
– Yes, I do.
– Can you give me their email?"
The best joke of the last month.
The General Data Protection Regulation has an extraterritorial effect. This means that any company that processes the personal data of citizens of any European Union country must comply with its requirements.
Important: if you run an online store or service, a portal, or anything else that processes the personal data of citizens, this is about you.
If people reach you through anonymisers and your system identifies them as EU residents, this also applies to you.
Why is this being done?
The general idea of the lawmakers is simple: a person must be able to manage the information that he or she communicates to the world. In the era of absolute digital publicity, it is not so much a way to hide data about yourself (although that option also exists) as an opportunity to understand what, let's say, a food delivery service knows about you and how it uses this knowledge.
Important clarifications of the Regulations:
1. Any information that allows a person to be identified, directly or indirectly, is now considered personal data. This is not only the name, phone number and address but also an email address, cookies, an IP address and even the results of tracking the user's behaviour on the site.
2. Specific personal data relating to information on racial or ethnic origin, genetic and biometric data, religious or philosophical views, sexual orientation or the state of health of the user are placed in a separate group. The processing of such personal data can be carried out only in a limited number of cases and is subject to numerous restrictions.
3. A company in whose interests the personal data is collected becomes the personal data operator. The operator must collect all data only with the user's consent and is responsible in case of a violation of the processing procedure or a data leak.
</gre_replace>
<gr_replace lines="18" cat="clarify" orig="5. If a company">
5. If a company that is not registered in the European Union processes the data of EU residents, it must appoint a responsible representative – an organisation or a person who is permanently based in Europe and can represent the interests of the personal data operator.
4. If a company collects personal data on a permanent basis and this is their key activity (for instance, a mailing list service), the company must appoint a special employee – a data protection officer (DPO). His or her duties include regular monitoring of compliance with the law, conducting briefings and informing the management of the measures that must be taken to protect personal data.
5. If a company that is not registered with the European Union processes the data of EU residents, it must appoint its responsible representative - an organisation or a person who is permanently based in Europe and can represent the interests of the personal data operator.
New rights for users – subjects of personal data
Starting from 25th May 2018, a user can approach any service with which he or she has shared any information about themselves and demand a complete list of their personal data in any convenient form (electronic or paper). The user may also request that all information about them be deleted – in Russian practice this is called "the right to oblivion" (the right to be forgotten).
What has to be done right now, if you are processing data from EU citizens:
3. Set up a notification that your website collects cookies. It must pop up as soon as a visitor enters the site.
4. Add notices about the collection of personal data to all the forms you use: pop-ups for newsletter subscriptions, feedback forms, questionnaires and so on. The "I agree" checkboxes must not be checked by default; the Regulation stipulates this separately. The user's consent must be expressed by at least a mouse click.
5. If you process personal data on a permanent basis, appoint a DPO and find a representative in Europe.
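The consent rules in steps 3 and 4 translate directly into form-handling code. The following is an added example, not code from the article or from JetStyle or Ridero; the purposes, field names and form-body shape are assumptions. It renders consent boxes that are never pre-ticked, records consent only for purposes the user actively ticked, and keeps the policy version and time so the consent can later be shown to the user or withdrawn.

```javascript
// Added example (not from the article). Models the GDPR consent rules the
// article lists: boxes are rendered unchecked, silence is not consent, and
// each consent is stored per purpose with policy version and timestamp.

// Constructed purposes a form might ask consent for (assumption).
const PURPOSES = {
  newsletter: "Send me product updates by email",
  analytics: "Allow analytics cookies",
};

// Render one consent checkbox. It deliberately never emits `checked`, so
// the default state is "no consent" (a pre-ticked box is not valid consent).
function renderConsentCheckbox(purpose) {
  if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
  return `<label><input type="checkbox" name="consent_${purpose}" value="on"> ${PURPOSES[purpose]}</label>`;
}

// Build a consent record from a parsed form body (field name -> value).
// Browsers only send a checkbox field when it was ticked, so a missing or
// empty field means the user did not consent to that purpose.
function buildConsentRecord(formBody, policyVersion, now = new Date()) {
  const granted = Object.keys(PURPOSES).filter(
    (p) => formBody[`consent_${p}`] === "on",
  );
  return { purposes: granted, policyVersion, grantedAt: now.toISOString() };
}

// Before processing data for a purpose, check the stored record covers it.
function isPermitted(record, purpose) {
  return record.purposes.includes(purpose);
}

// Withdrawal: return a new record without the withdrawn purpose, keeping
// the original grant time and noting when the change was made.
function withdrawConsent(record, purpose, now = new Date()) {
  return {
    ...record,
    purposes: record.purposes.filter((p) => p !== purpose),
    updatedAt: now.toISOString(),
  };
}
```

Gate every mailing or analytics call on `isPermitted` rather than on the presence of an email address, so that data collected through the form is not silently reused for a purpose the user never ticked.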