Happy birthday GDPR – why this legislation matters to you

Jul 8, 2024 | Practices, Responsible Business

May 25, 2024, marked the sixth anniversary of the General Data Protection Regulation (GDPR) coming into force. This sweeping legislation affected every aspect of European business life. While it took a while to settle in, following and complying with GDPR has now become second nature for businesses of all sizes. After six years of GDPR, how has it impacted data privacy in the sector? We sat down with Elena Belyaeva, Legal Business Partner in Europe at Inchcape, to learn more.
Elena Belyaeva

A few things about myself

I studied law at Kazan State University and then obtained a Master of Laws in American and European Law at Pericles LL.M. I’m currently studying at Maastricht University (Netherlands) in an advanced Master’s programme in data protection, cybersecurity and data management. In October 2019, I joined Inchcape as Legal Business Partner for Northern Europe and Russia. Currently, I am responsible for legal and regulatory compliance in Europe and also serve as the Data Protection Officer (DPO) for Europe. Prior to joining Inchcape, I worked for the Sochi 2014 Olympic Winter Games Organising Committee, law firms and in the banking sector.

What does data privacy really mean?

Data privacy is all about having greater control over how your personal data is gathered, stored and used. It is relevant both for the company processing the data and for individuals. Data privacy means you can decide who has access to your data, why it’s being used, where it’s stored, and whether all relevant organisational and technical measures are employed to secure it. Put simply, it’s a system that ensures private data stays private.

What is the origin of data privacy regulations?

The foundation for data privacy and data protection goes back to the 1950s and the establishment of the European Convention on Human Rights. Part of the convention ensured that everyone had the right to privacy, regardless of who they were. The introduction of the GDPR has enhanced the existing legislation and brought it up to date, emphasising safeguarding personal data in the digital age, where challenges are very different from those faced fifty years ago.

The current General Data Protection Regulation (GDPR) has been in effect since May 25, 2018, and is recognised as the world’s most stringent privacy and security law. Individuals or organisations that breach its privacy and security regulations can face penalties, potentially running into tens of millions of Euros.

Does GDPR apply outside the EU?

Yes. While it was formulated and approved by the European Union, GDPR applies to organisations worldwide. Any company that gathers or targets data concerning individuals in the EU is bound by GDPR. If our non-EU Group companies are collaborating with European OEM partners or having access to EU residents’ data, the GDPR will also apply. External partners outside the EU can also be regulated by additional GDPR compliance requirements.

Are there any trends in the expansion of Data Protection Laws, and what is the role of GDPR in this?

The GDPR’s influence has extended beyond the EU, prompting other countries to revise and update their own data protection regulations. Several US states, Chile, Kenya, Ethiopia, and even China have introduced similar laws. This signals a global shift towards prioritising data protection as a universal standard.

What are the risks of being non-compliant with GDPR?

Everyone is bound by the GDPR legislation, whether they are a multi-national corporation or a one-person operation. There are significant fines for GDPR violations. While smaller businesses may face fines amounting to thousands of euros, larger corporations can be subject to much higher penalties. For instance, Meta (Facebook) was fined €1.2 billion in 2023 for not complying with GDPR. They failed to implement adequate supplemental measures to transfer data from the EU to the US, underscoring the EU’s strict enforcement approach.

In another recent case from February 2024, the Data Privacy Authority imposed a €79 million fine against ENEL Energia for telemarketing misconduct. The regulator found the company failed to assess the risks linked to its CRM interface correctly and didn’t put in place sufficient measures to safeguard access to credentials. These two cases alone demonstrate how seriously the EU takes GDPR compliance.

Are individuals more aware of their data privacy rights under GDPR?

Absolutely. There has been a marked public awareness shift regarding digital data protection in particular. Individuals are also far more aware of their rights to know exactly how their data is being collected, stored, and used. Since GDPR came in six years ago, more than half of EU citizens have become aware that they have a fundamental right to access personal data about them that companies may hold. At Inchcape, we are currently receiving more requests from data subjects. To ensure compliance with the proper handling of all requests, we have included Data Subject Access Request (DSAR) simulations in our regular data privacy compliance testing.

What else is Inchcape doing to conform with GDPR?

At Inchcape, we understand the importance of safeguarding personal data and are committed to upholding the highest standards of data privacy. Our Responsible Business Framework is designed to ensure that data protection remains a top priority as we continue to grow and evolve. Data & Digital is a key enabler of our Accelerate strategy, and as our business expands, the volume of personal data we handle naturally grows. Therefore, we must focus on and work towards enhancing our overall compliance with data privacy regulations.

In Europe, on top of the global data privacy controls implemented at Inchcape, we also have a robust data privacy compliance program that includes data privacy testing against 42 data privacy areas for each market. We’re also continuously working to raise staff awareness of data privacy at all levels through regular educational programs for all staff and a separate educational program for management.

This year, we introduced a dedicated data privacy educational program for data privacy champions and respective teams from each market across the region. Seven sessions cover the main areas of GDPR requirements and are designed to deepen the understanding of GDPR’s requirements at a fundamental level. The program also helps teams effectively embed these principles into their everyday operations.

What is the end goal for data privacy compliance within the Inchcape framework?

Ultimately, our goal is to create a resilient data privacy framework that meets regulatory requirements and exceeds our stakeholders’ expectations. We want them to be reassured that their data, no matter what it concerns, is handled with the utmost care and respect by everyone within the organisation and our external partners.

A big thank you to Elena for taking us through what is both a complex and important subject with such clarity. We’ll be posting more interviews with Inchcape experts soon on a wide range of fascinating subjects, so keep checking for our latest blog posts.
