General Data Protection Regulation
GDPR compliance is one of the main principles of our relations with customers. The GDPR was created to strengthen the protection of user data, and following it is key to successful interaction with consumers. The regulation was adopted in 2018, so many users already know quite a bit about it. We will help you understand the issue in more detail and clarify the nuances of the GDPR.
The GDPR is a document that regulates the relationship between users providing their personal data and organizations that collect and process this information.
The regulation came into force on May 25, 2018. The previous official document governing the security of users' personal data was the EU Data Protection Directive, which had been in effect since 1995.
The GDPR grants users the right to manage the personal data a company collects about them. Individuals or organisations can obtain the necessary information by submitting a special request.
The key players in the regulation are controllers and processors. Controllers are companies or organisations that collect user data. Processors are the companies that process this information on behalf of the controllers.
According to the regulation, the following information is considered personal data:
- the name of the person, his or her home and work addresses;
- mobile and home phone number;
- number of any identity document (passport, health insurance, driver's license, etc.);
- financial information (bank cards, electronic financial accounts);
- health information;
- the racial and cultural identity of the user;
- IP address, cookies, etc.
These are just a few basic types of information. The full list is presented in the text of the regulation.
Every organisation must record all requests and ensure that user data is securely protected. The new rule applies to all European companies, as well as commercial organisations from other countries providing services to citizens of the European Union.
The methods of personal data protection are based on seven principles that the European community has developed and refined gradually since the 1980s.
- Transparency, fairness and legality. Data must be collected in a lawful way. Organisations cannot transfer or process personal information without the user's knowledge.
- Purpose of data processing. The purpose of collecting and processing information must be stated clearly. The data cannot be used for illegal purposes.
- Minimisation of data volume. Companies may collect only the amount of data they require. It is forbidden to use information about users that does not relate to the subject and purpose of the processing.
- Accuracy of information. Personal information must be as accurate and truthful as possible. If the collected data turns out to be erroneous, the person has the right to have it corrected.
- Terms of storage. Information should be deleted once processing is complete.
- Privacy. Organisations collecting and processing data are responsible for its confidentiality.
- Accountability. Controllers and processors must be able to demonstrate compliance with the measures outlined above.
According to media reports, after the adoption of the regulation some companies treated the audit of their resources for compliance with GDPR requirements rather irresponsibly. As a result, many firms were forced to pay substantial fines. For example, large companies such as Google and British Airways have been charged significant sums for non-compliance with the new norms.
The amount of a fine depends on the scale of the damage to users' confidentiality. For example, British Airways suffered a data breach affecting information about 500,000 customers and had to pay over 200 million euros in fines. A fine can amount to 2% of the annual turnover of all of a company's branches.
Therefore, to avoid financial and legal problems, organisations must be prepared to work with their customers in accordance with the GDPR principles. First of all, it is necessary to conduct an audit and assess whether the firm is ready to ensure the protection and confidentiality of user data.
In addition to the initial audit, it is also essential to conduct regular checks every 6-12 months to identify the company's weaknesses and mistakes.
There are two ways to conduct an audit: with the involvement of experts, or independently. In the first case, entrepreneurs should turn to reliable audit companies that have earned a good reputation in EU countries.
To conduct an independent audit, it is necessary to hire a dedicated employee who will carry out regular checks. This approach requires a fairly large financial investment, but it guarantees the safety of interaction with customers.
Another type of audit is an assessment of the organisation by the regulatory authorities. As a rule, such checks are irregular and are carried out selectively.
Rosloto has been working with clients from European countries for many years. We follow the new rules adopted in 2018 with the utmost responsibility. Our company has done everything possible to create a secure environment for working with clients' personal data.
Rosloto has taken the following measures:
- Rosloto collects and processes personal data for communication with customers and the provision of services. We do not disclose confidential information about our users.
- Customers have access to their personal data. They can make any changes to the provided personal information on their own.
- Users' payment data is reliably protected using encryption technologies.
The main obligation of Rosloto is to protect the privacy of users. The use of modern security systems ensures the safety of users' personal information.
In addition, we collect and analyse reports on external requests and attempts to obtain personal data illegally. Based on the results, we decide whether to amend Rosloto's security mechanisms (to raise the level of security, to adopt new tools or to abandon ineffective methods).
Our team of programmers constantly tests the reliability of the security systems to prevent information leakage. We also work with experienced lawyers who help us operate in accordance with the GDPR and protect the interests of our clients.
We are open to the supervisory authorities of the European Union countries and are ready to provide information on external requests and our protective mechanisms.
Rosloto informs other organisations that process personal information of users of our company about the importance of maintaining privacy and possible penalties in case of deviation from international standards.
Our organisation establishes a clear algorithm for working with personal information for each case. This list of actions is specified in the contract. We understand the full responsibility for deviations from this algorithm, the use of additional tools and the performance of inconsistent actions.
According to the GDPR, Rosloto's clients are controllers. The purposes and methods of information processing are determined by the controllers. In accordance with the GDPR rules above, controllers must transfer their data only to processors that guarantee complete privacy and protection of personal information.
Like processors, controllers are responsible for the confidentiality, truthfulness, and legality of the presented information. It is forbidden to transfer data about third parties without their consent. Information provided by controllers must be reliable and should not violate the laws of a particular state.
Based on the provisions of the GDPR, EU citizens have the right to consent or refuse the collection of their personal data. They also have the right to delete and change personal information that is collected by various organisations. Compared to the EU Data Protection Directive (1995), the new regulation gives more freedom to users.
Individuals have the following rights:
- to know the purpose of collecting and processing information;
- to access their personal data and to be able to manage it;
- to refuse the collection and processing of information;
- to challenge the collection and processing of data;
- to transfer their information from one service to another.