Belarus will get its own “GDPR“ – What companies should prepare for

published on August 12, 2019 | reading time approx. 5 minutes

As GDPR rules have come into force in the EU and also affect business outside its borders, Belarus has found itself in need of updating its own data protection laws to match the business environment. For this reason, Belarusian legislators have been working over several years on the Belarusian Personal Data Law (BPDL) and put it now under review by the Belarusian Parliament. Its anticipated entry into force is planned not earlier than mid-2020. It will be the first Belarusian legal act intended specifically for regulation of personal data protection issues.

As of today, there is no single legal normative act in Belarus, regulating the terms and conditions of personal data protection. Certain provisions are included in several laws as the Law "On information, informatization and protection of information", making it hard to estimate the entire scope of measures which shall be taken with respect to such sensitive data. Furthermore, up to now, there are no mandatory requirements under Belarusian law to report personal data protection breaches either to the state authorities, or the individuals whose personal data are concerned. Belarusian law does not yet provide for any general liability for the breach of personal data protection requirements.

Personal data

According to GDPR, personal data are any information relating to an identified or identifiable natural person that can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Therefore, e.g. also IP addresses are personal data. Belarusian law basically contains the same approach referring to personal data one or several features allowing directly or indirectly to identify a person.

Additionally BPDL distinguishes certain types of personal data, imposing peculiarities with regard to handling of such data:

Biometric personal data – information describing the physiological and biological characteristics of a person, based on which such person can be identified (fingerprints, palmprints, face characteristics, image, etc.);
Genetic personal data – unique and permanent information concerning the genetic heritage and (or) human DNA code, based on which such person can be identified;
Special personal data – personal data relating to race or nationality, political opinions, religious or other beliefs, health or sexuality, criminal records, as well as biometric and genetic personal data.

Processing of personal data

Both the GDPR and the BPDL regulate the collection, storage, processing, dissemination and transfer of personal data whether or not by automated means.

The GDPR sets out seven key principles for processing personal data:

Lawfulness, fairness and transparency, i.e. the processing of data requires a legal basis. The data subject must be informed of what happens to the data.
Purpose limitation, i.e. the purpose of the data processing, must already be established at the time of the collection of personal data, must be unambiguous and legitimate.
Data minimisation, i.e. personal data must be proportionate and substantial to the purpose and limited to what is necessary for the purposes of processing. This means, for example, that registration for a newsletter must be limited to the email address and, if applicable, gender and surname as mandatory fields.
Accuracy, i.e. data must be correct and up to date. Incorrect data must be corrected or deleted immediately.
Storage limitation, data must be deleted if it is no longer needed for the purpose of processing.
Integrity and confidentiality (security), i.e. protection against unauthorised or unauthorised processing, in particular passing on to unauthorised third parties, must be guaranteed.
Accountability, i.e. companies are obliged to provide evidence to the supervisory authorities about compliance with above mentioned principles.

Belarusian Data Protection Law follows the same basic key principles, stipulated by the GDPR.

Measures to be taken with regards to processing of Personal Data

Some instruments from the GDPR were taken up in similar way into the Belarusian data protection law, e.g.:

Requirement of data subject's consent for data processing
Requirement to provide notification in case of a data breach
Particularly strict handling of data transfer across borders
Obligation for companies to appoint a person responsible for personal date (similar to the GDPR data protection officer)

Data operator

Belarusian law does not distinguish between "data processor" and "data controller" as GDPR does. Under Belarusian law, there is only the so-called "operator of personal data". Operators of personal data can be all entities including individuals handling personal data, hence making them subjects to compliance. This is not limited to Belarusian residence, i.e. any foreign companies processing personal data of Belarusian citizens are falling under this definition. Excluded from the sphere of regulation are only private individuals handling personal data for private, family or other similar purposes having no relation to any professional or entrepreneurial activity. Therefore all companies, from small businesses to large enterprises shall be aware of the requirements of the BPDL and be prepared to comply with it. In addition to Belarusian companies, it is important to note that any company that markets goods or services to Belarusian residents, regardless of its location, is subject to Belarusian regulations.

Consent: Opt-In required

Both GDPR and the Belarusian Data Protection Law require an opt-in consent, which must be obtained in advance. With the opt-in procedure, the data subject must actively express its consent for the processing of personal data. This is often done by checking the box „Yes, I agree to the processing ..." in a web form. Opt-out, on the other hand, works exactly the other way round: a company assumes that a person consents to the processing, unless it specifically objects to this procedure. Then it removes the tick.

Previously Belarusian regulations prescribed only a written form of the consent of the individual, i.e. consent executed on paper. Finally the new Belarusian regulation does not limit such form of consent to a written form, specifying all kinds of modern means of consent, providing such consent is being a clear affirmative act, establishing a freely given, specific, informed and unambiguous indication of the agreement to the processing of personal data.

Key preconditions for “handling” personal data

The operator will have to take adequate legal, organizational and technical measures to ensure the protection of personal data from unauthorized or accidental access to them, deletion, modification, blocking, copying, provision, dissemination, as well as from other illegal actions in relation to personal data. Along with those general formulations, Belarusian law gives also the precise list of mandatory measures to be taken for the sake of personal data protection.

Mandatory measures include the implementation of technical and encryption measures. This may lead to the requirement to design, create and exploit special information systems for processing of personal data.

Such information system further need to be certified by special licensed companies authorized to perform certification services and supervised by the Operational Analytical Centre under the President of the Republic of Belarus. The overall process itself may turn out to be rather time-, effort-and money- consuming.

For many companies, the first step in complying with the Belarusian Data Protection Law is to assess which system of measures shall be taken to construe a data protection system, adequate to safeguard personal data and hence meet the requirements of the law. Once compliant, it is important to stay informed of changes to the law and enforcement methods.

The Belarusian draft law forces companies to designate a natural person who is responsible for the processing of personal data. Even if this person resembles GDPR's data protection officer at first sight very much, this has however clearly smaller powers. This person is mostly responsible for the coordination of the process of collecting, processing, disseminating and transferring of personal data. Along with such person in charge, all employees handling personal data shall be subject to compliance and duly acknowledge all the applicable regulations including the internal documents of the company.

Immediate breach notification

For the first time, data breach notifications were given a large role in the new Belarusian regulations. BPDL imposes an obligation of immediate, in any case not later than within 72-hours, notification of the competent authority on data breaches.

Liability for non-compliance

Companies that are not compliant with the regulation on personal data will be subject to penalties and fines. The BPDL itself does not specify the amount of fines, but mentions the following types of liability:

administrative fine in accordance with Belarusian regulations
compensation of losses and damages
compensation of moral harm caused to the subject of personal data as the result of the violation of rights (indemnification of moral harm is carried out regardless of the indemnification of losses and damages)

As of today, Belarusian development in the sphere of liability for non-compliance is not as severe as under GDPR regulations, where the amount of penalties can be up to 20 million Euros or 4 percent of the violating company's global annual revenue depending on the nature of the violation.

In the case of non-compliance the authorities use furthermore sanction instruments as warnings or blocking of websites that are not compliant.

Although the threatening sanctions look clearly smaller than in the case of the GDPR, it is essential to observe the regulations and take certain measures.

Furthermore, the reference to "administrative fine in accordance with Belarusian regulations" does not limit the supervisory authorities in issuing amounts of fines – it will be rather based on the specific circumstances and the significance of the inflicted damages in each individual case.

Conclusion

The new BPDL shows that Belarus is taking great steps forward to harmonize data privacy regulations with those already used within the European Union. The universally acknowledged practices and approaches find due reflection in the new BPDL.

In view of the fact that the new law lays down the basic principles and framework of the process of handling of personal data, in the short term the legislators will develop more instruments concerned with isolated issues of personal data protection.