IT revolution: new European regulation – GDPR – and its consequences for Russia
The General Data Protection Regulation (GDPR) is a new standard for processing personal data that becomes effective in May 2018. It is also known as Regulation (EU) 2016/679 of April 27, 2016.
The GDPR is not a set of amendments to earlier laws but a revision of the whole approach to personal data and its protection. It also matters to Russian IoT startups.
Why it is important to follow the GDPR in Russia
Strictly speaking, the GDPR is not in force in Russia. However, if a company has a representative office in the EU or processes the data of foreign citizens, it has to comply with the Regulation. It is also significant for providers of goods and services that aim to enter the international market: by ignoring the GDPR, a company limits itself to one country.
The European market may not be the target for the majority of Russian companies, but the GDPR has the potential to spread worldwide. Those cooperating with partners outside the CIS, or in neighboring CIS countries, should therefore avoid conflicting with these rules.
Russia already has a range of organizations that follow the GDPR: airlines, Russian Railways, travel agencies, and hotels, for example, because they work with the personal data of foreign citizens. To keep that status, they must select contractors who follow the same rules. Complying with the GDPR in Russia therefore also means an unlimited range of potential partners.
GDPR and Russian IoT startups: changes
Serious violations of the new EU Regulation include:
- cold mailings sent to purchased email address lists;
- transferring sensitive data unencrypted, or writing it to logs in plain text;
- giving users no way to unsubscribe from newsletters;
- collecting excess information that the product does not need in order to operate.
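The second item above, sensitive data landing in logs in plain text, is the one most often introduced by accident, because log statements are written for debugging rather than for compliance. The following is an added example, not code from the original article or from any project it mentions: a logging filter for a Python backend that rewrites each record before any handler writes it, replacing secrets and personal identifiers with placeholders. The patterns, the logger name and the sample messages are constructed for this illustration; a real service would extend the patterns to the identifiers it actually handles.

```python
import io
import logging
import re
from typing import List

# Patterns for values that must not reach plain-text logs.  Constructed for
# this example; extend them to the identifiers your product handles.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Phone numbers of the form +7 (999) 123-45-67 or +79991234567; the fixed digit
# groups keep version strings and device ids such as 1.4.2 or 0042 unmatched.
PHONE_RE = re.compile(r"\+?\d{1,3}[\s-]?\(?\d{3}\)?[\s-]?\d{3}[\s-]?\d{2}[\s-]?\d{2}")
# key=value or key: value pairs whose key names a secret or an identity document
SECRET_KV_RE = re.compile(
    r"(?i)\b(password|passwd|token|api[_-]?key|secret|passport)\b(\s*[=:]\s*)\"?([^\s,\"]+)\"?"
)


def mask_email(match: "re.Match") -> str:
    """Keep the first character and the domain so the line stays debuggable."""
    local, domain = match.group(0).split("@", 1)
    return f"{local[0]}***@{domain}"


def redact(text: str) -> str:
    """Return text with secrets and personal identifiers replaced by placeholders."""
    # Secrets first: a token value may itself contain digit runs that look like a phone.
    text = SECRET_KV_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", text)
    text = EMAIL_RE.sub(mask_email, text)
    text = PHONE_RE.sub("[PHONE]", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrite each record's message before any handler formats or stores it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Resolve %-style arguments now so the redacted text is final.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


# Constructed sample messages of the kind a device-registration service might log.
SAMPLE_MESSAGES = [
    "device registered for user ivan.petrov@example.com phone +7 (999) 123-45-67",
    "auth failed: token=eyJhbGciOi.payload.sig password=Hunter2!",
    "firmware 1.4.2 pushed to device 0042",
]


def redacted_samples() -> List[str]:
    """Apply redact() directly to the sample messages."""
    return [redact(m) for m in SAMPLE_MESSAGES]


def log_through_filter(messages: List[str]) -> str:
    """Log the messages through a logger carrying RedactingFilter; return the output."""
    stream = io.StringIO()
    logger = logging.getLogger("iot-backend-demo")  # name is an assumption
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addFilter(RedactingFilter())
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    for message in messages:
        logger.info(message)
    return stream.getvalue()


if __name__ == "__main__":
    print(log_through_filter(SAMPLE_MESSAGES), end="")
```

The filter is attached to the logger rather than to one handler, so every handler (console, file, remote collector) receives the already-redacted record; the third sample line shows that version strings and short device ids pass through unchanged, which is the false-positive case to re-check whenever a pattern is broadened.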
Many Russian IoT startups, even those that act in good faith in every respect, will have to reconsider their personal data protection policy. The GDPR gives priority to the transparency of data collection and puts user interests above business purposes. Below are some points that must be fulfilled under the Regulation.
1. Revise the amount of data collected: drop data that the product does not need in order to operate.
2. Update the website and the user terms: add explanations of what data you collect and why.
3. Introduce a data erasure procedure. Under the new regulation, any user can withdraw their personal information at any moment.
4. Develop new instructions for staff on how to act in case of a cyber attack, so that possible harm is minimized. With modern IoT devices being an easy target for attackers, this aspect is quite significant.
5. You may have to implement parental consent mechanisms: under the GDPR, children are allowed to provide their personal data from 13 years of age (from 15 years in certain EU countries).
New IoT startups should think through all of these points (website architecture, the types of data collected, the mechanisms protecting it) at the product development stage rather than after launch, as used to be the case. That is why the adoption of the GDPR is described as an IT revolution: it is changing the hierarchy of values.
Denis Lukash, Executive Director at Digital Rights Center and speaker at IoT Conference, explains why the GDPR differs fundamentally from the personal data laws of the Russian Federation:
- Federal Law No. 152-FZ dated July 27, 2006, together with the range of its subordinate acts, is effective within the Russian Federation. The GDPR is a global trend in protecting personal data. It is stricter and more comprehensive than Law No. 152-FZ and has a scientific value. Currently, Law No. 152-FZ allows the Federal Service for Supervision of Communications, Information Technology, and Mass Media to toughen enforcement: for example, a growing number of information categories will be treated as personal data, which will result in amendments to the national law. The GDPR treats any identifiers, and even a combination of social or physiological human factors, as personal data.
Because of these differences, we have a problem with the simultaneous application of GDPR and 152-FZ requirements to a single IoT system when the service is technically the same for Russia and the EU.