Collecting Personal Data from Users in the EU: What You Need to Know and How to Prepare
Any company whose practices include the collection, storage, and processing of personal data from users in the EU must comply with regulatory requirements. In the event of noncompliance or violations of these regulatory statutes, companies can face severe penalties, fines, and sanctions.
In Europe, any activities involving the personal information of identifiable natural persons (data subjects) must comply with the EU’s General Data Protection Regulation (GDPR), the general regulatory framework governing the protection of personal information belonging to users. Businesses need to be prepared to adapt, test, maintain, and demonstrate compliance with these ever-evolving EU requirements.
Personal Data Protection can be a difficult regulatory environment to navigate, so let ITGLOBAL.COM support your GDPR compliance efforts. An excellent example of the GDPR compliance services we offer is the following compliance audit ITGLOBAL.COM conducted for Whoosh, a technology-focused transportation company specializing in urban micro-mobility solutions for the EU market.
Client Company Infrastructure and Organization of Data Storage
Whoosh’s infrastructure for collecting and processing personal data consisted of a cloud-based sharing platform connecting the user and service mobile applications as well as IoT modules. The IoT module is essentially the “heart” of an electric scooter, collecting and transmitting data about the condition of the device, its location, charging status, and up-to-date information about the current trip. Data is also shared with external vendors, service providers, and partners, including insurance and processing services, which can likewise handle personal user data.
Whoosh also operates a raft of internal services including email, ERP, and several other classic corporate services. Each of these in-house services involves the handling of personal data, making them also subject to evaluation by regulators.
The largest intake of personal user data into the system occurs during the registration of new users. In this case, information about users is stored on servers associated with the country in which the service operates. For example, information belonging to Whoosh’s European users is consolidated on servers located in Ireland. Once the data is thus registered, it can be passed on to partners for processing or use by insurance and analytical services.
How the Infrastructure Audit Was Conducted
Before initiating operations in a new country, it is recommended to bring infrastructure and business processes into compliance with local legislation with the help of experts in this field. These third-party professionals help firms identify compliance shortcomings associated with entering a new regulatory environment so that they can be quickly corrected.
The GDPR, or General Data Protection Regulation, allows authorities in the European Union to establish uniform requirements for the protection of personal data. These requirements are also relevant for companies from outside the EU seeking to enter the market, as they control the export of personal data outside of the EU. As written, the purpose of the GDPR is to give EU citizens greater control over their personal data by unifying and reinforcing data protection for all individuals residing within the EU.
Whoosh began offering its service in the European market in 2022, making a GDPR audit a necessary and logical step towards ensuring its compliance with European privacy regulations. A GDPR compliance audit concentrates on the following:
- Assessment of the applicability of GDPR requirements and local legislation to the client’s activities.
- Analysis of the current state of client infrastructure and processes.
- Preparation of recommendations for the introduction of regulations taking into account business plans for development.
- Consulting on the implementation processes.
Our experience has shown that, in the case of European legislation, it is best to begin with a granular analysis of the client’s operations in search of elements of noncompliance. During this analysis the auditor evaluates the information security of the company’s business processes and, if violations are found, develops recommendations for bringing these processes into line with regulatory requirements. The assessment also examines how the client collects, stores, and processes customer personal data, and at the final stage audits these processes for compliance with the GDPR and the local laws of the countries into which the company plans to expand. In the case of Whoosh, for example, our client eventually expanded its services into Portugal, Hungary, Poland, and several other countries.
Bringing Whoosh Into Compliance – The Results
ITGLOBAL.COM experts conducted a detailed audit of regulatory documents pertaining to the processing and protection of information, and IT infrastructure consisting of cloud-based corporate services (including e-mail, data storage, internal systems for control of scooters and IoT devices, etc.). Whoosh’s services and business processes involving the processing of personal data were then objectively assessed for their compliance with GDPR and local legislation pertaining to the specific EU Member States in which Whoosh operates. The result was then presented in the form of a report that:
- Outlined compliant data flow diagrams.
- Provided analysis according to each paragraph of the relevant regulations and legislation pertaining to the selected EU country.
- Offered recommendations for the rectification of non-compliant processes and services.
This document provided a detailed outline of the actions Whoosh needed to undertake to resolve inconsistencies between their activities and relevant regulatory regimes identified in the course of the audit. Consequently, the preponderance of comments in the report were concerned with regulations governing personal data handling as opposed to addressing technical questions.
Our audit also identified a need to provide Whoosh with more comprehensive internal regulatory, organizational, and administrative documentation concerning personal data processing and security, which ITGLOBAL.COM subsequently developed and implemented for our client. ITGLOBAL.COM’s proactive work with clients like Whoosh clearly demonstrates the advantages of our collaborative approach for firms seeking to enter robust regulatory environments such as the EU.
In the words of ITGLOBAL.COM Managing Director for Audits and Information Security Alexander Zubrikov: “Whoosh brought its business processes and infrastructure into compliance with GDPR regulations (particularly local regulations set by European Union countries in which Whoosh planned to launch services) before initiating the actual processing of protected personal data. Accordingly, any risk of personal data leakage, and thus possible violations of the rights of EU citizens, was minimized.”
What Should Companies Do if They Are Just Now Entering the European Market?
It is worth remembering that the tips and materials in this article are relevant only to companies that work with protected personal user data. The best place to start is by getting the lay of the land through research, reading up on relevant legislation, consulting specialists, and assessing the existing requirements for the market your company seeks to enter. Following that, there are two main options for obtaining the expertise needed to handle data storage and processing correctly:
- A company can incorporate an expert into its team who is knowledgeable about the EU regulations governing the storage and processing of EU users’ personal data.
- The company can engage a consultant experienced with the regulatory issues surrounding EU data security legislation.
The requirements set out by EU data laws and regulations are far from simple. Compliance with these regulations is possible, but if a company can gain a tailored picture of what needs to be addressed and in what order, the work of bringing its processes and services into compliance will be completed much more quickly and efficiently. Such a process takes time, but with the right help, this hurdle is surmountable by any business.
As regards any foreign market, the preparatory steps necessary to launch operations in another country are broadly similar to those described above. However, it is worth remembering that violations of the GDPR can bring with them truly draconian fines, meaning that expansion of services into EU countries brings with it the necessity of careful compliance with EU regulatory requirements. The costs of non-compliance can be serious. Indeed, the maximum possible fines that can be levied under EU legislation can amount to 20 million euros or 4% of the company’s annual revenue depending on which amount is greater.
“The GDPR, specifically Art. 25 (1) GDPR, is less specific in respect to its application to technical systems, but implies a reasonable approach in accordance with the current level of scientific and technological progress, implementation costs, and risks occurring during the processing of personal data, as well as the nature, scale, context and purpose of processing protected personal user data. That is, an organization has the flexibility to determine for itself what security measures to implement (with the exception of encryption, data recovery, and regular inspections). However, the onus of responsibility for compliance by companies under this approach is greater than when compared with the checklist of regulatory requirements set by regulatory authorities in Russia.” – Anastasia Gainetdinova, information security auditor, ITGLOBAL.COM Security.
The risk of falling under investigation in the EU is normally not high, but the regulatory consequences an inspection may bring means that compliance remains an important consideration. While it is unlikely that the regulator will conduct an audit on its own initiative, this possibility nonetheless should not be excluded entirely. In many cases, inspections are initiated as the consequence of user complaints. For example, a user may complain that they are unable to delete their data from your system. In such a case they can turn to DPO companies in the EU, after which the chances of an inspection increase exponentially.
Consequently, it is imperative to segregate user data by jurisdiction, because the regulatory requirements governing its handling and processing vary from jurisdiction to jurisdiction; for example, data security regulations in the EU and in the US differ significantly. If these requirements are not met, the company committing the violations will face fines, ultimately causing the “responsible” organization to suffer losses.
In general, European laws are aimed at countering and preventing data leaks and/or misuse. However, it is particularly important to note that in the case of the GDPR, EU legislation provides for criminal liability in the case of significant violations of EU data protection laws.
The Company’s Activities and Responsibilities
EU regulatory requirements differ based on data categories. As such, simplifying the task of compliance requires an intelligent approach to collecting protected user data. By proceeding from the principle of minimum information instead of a blanket approach to the collection of user data, a company works only with the personal data that it actually needs, thereby reducing the number of categories and thus the complexity of the task of ensuring compliance in the handling, processing, and storage of protected data.
In conclusion, it is worth stating that it is not enough to simply hope that regulators will never pay attention to your company. Instead, it is far better to robustly prepare for regulatory inspections, so that later they will not result in excruciatingly painful regulatory consequences for noncompliance. Of course, proactive compliance requires you to dedicate resources, including time and money, but in the case of a robust regulatory environment like the EU market, the investment is well worth it. The sober reality of operating out of compliance with GDPR user data protections means that if you get inspected without being prepared, your company can expect to face serious sanctions from EU regulators.