Expert Opinion (#09 September 2017)

Six Reasons Why Businesses in Ukraine should Care about the GDPR

Oleksiy Stolyarenko

On 25 May 2018 the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) will replace the current Data Protection Directive 95/46/EC and will be directly applicable in all EU Member States without the need to implement national laws. The aim of the GDPR is to unify the current patchwork of privacy data regulations that exists in Member States, protect privacy as a fundamental right, and ensure the free flow of personal data between Member States. Adoption of the GDPR has been a result of more than a decade of negotiations, as well as reassessment of privacy as a human right and of personal data as being a value for the economy.

There is no doubt that different types of data have become fuel for the modern digital economy, and personal data is one of the most important of all. The availability of data is a strategic enabler for the development of artificial intelligence, machine learning, big data algorithms and numerous other new technologies. Without proper balancing restrictions, there is a risk that with the help of more and more intrusive technologies, and in the race to acquire this new “gold,” businesses may substantially limit privacy as we know it now and use personal data against data subjects for their own advantage. The GDPR addresses these risks and establishes guidelines on how data subjects can maintain control over their data in a digital environment and, at the same time, enjoy all the necessary digital services. Businesses in Ukraine are, in general, quite skeptical about privacy or personal data protection as this area was neglected for many years through inadequate regulation and enforcement. However, below are a few good reasons why businesses in Ukraine should care about the GDPR or even comply with it.

 

1. Ukraine will adopt the GDPR — the only question is when

Ukraine is committed to becoming a member of the European Union. It has signed the EU–Ukraine Association Agreement, which will come into full force in September 2017. In terms of the agreement, the parties have agreed to cooperate on the introduction of the highest European and international data protection standards, including ones included in the Conventions of the Council of Europe. When the agreement was signed back in 2014 the wording “the highest European data protection standards” was probably somewhat vague. But now it is clear, because these standards and best practices have been codified in the form of the GDPR. As a prospective member of the European Union, Ukraine has an obligation to approximate its legislation to the legislation of the European Union. Ukraine has already adopted a number of EU Directives and Regulations, so it would only be logical to include the GDPR in the next batch. Taking into account the current dynamics of EU integration processes in Ukraine, the adoption of the GDPR in Ukraine will likely take place during the next two to four years.

 

2. Early compliance with the GDPR might be more cost effective

The GDPR introduces two concepts, Privacy by Design and Privacy by Default, which change the way modern business should treat personal data and build business processes. Under these concepts controllers have to ensure that the privacy of individuals is considered from the outset of each new processing, product, service or application, and that, by default, only minimum amounts of personal data as necessary for specific purposes are collected and processed.

For the past year and a half, many European companies have allocated significant resources, costs and applied efforts to bring their personal data processing activities into line with the GDPR. In general, it is estimated that the process of rearranging processes in line with the GDPR would require around three to six months from a medium-size organization. Therefore, wiring the concepts indicated by the GDPR early, during development of new businesses or business processes, may help businesses in Ukraine to achieve both cost savings and compliance with the GDPR.

 

3. Some businesses in Ukraine will need to comply with the GDPR as early as May 2018

The GDPR has expanded the territorial scope of its applicability to companies located outside the EU.The GDPR applies to the processing of personal data by controllers and processors outside the EU, where their processing activities relate to the offering of goods or services (even for free) to data subjects within the EU, or to the monitoring of their behavior.

Sometimes Ukrainian businesses do not offer goods or services or monitor the activities of data subjects within the EU directly, but rather process personal data at the request of their EU partners (i.e., act as processors). The GDPR imposes compliance obligations directly on processors, such as implementing security measures, notifying the data controller of data breaches, appointing a DPO (if applicable) and maintaining records on processing activities.

To improve the enforcement and accountability of a controller or processor not established in the Union (excluding businesses in Ukraine) that processes personal data of data subjects who are in the EU or offers goods or services to EU data subjects, the GDPR establishes a requirement to designate a representative in the EU to act on its behalf with regard to its obligations under the GDPR.

Therefore, all businesses in Ukraine, whether controllers or processors involved in the aforementioned activities, should comply with the GDPR. However, some export-oriented businesses, particularly software development and the IT outsourcing sector, along with numerous back offices and representative offices of European companies operating from/in Ukraine, should be more worried than others.

 

4. For customer-centric companies, the GDPR is an opportunity to excel in customer service and receive new clients

The GDPR introduces a number of new rights for data subjects with respect to their personal data, including the right to data portability (the right to obtain a copy of one’s personal data from the controller and have it transferred to another controller), the right to erasure (or the “right to be forgotten”), the right to restriction of processing, and the right to object to certain processing activities (profiling) and to automated processing decisions.

There is no doubt that the introduction of these rights requires companies to make certain changes to their infrastructure, consumer services and approach to personal data. However, it is reasonable to assume that if companies comply with the GDPR consumer experience would soon become the new normal, and even the expected level of service would increase (not only in the EU but also in other countries such as Ukraine). Businesses in Ukraine which excel in implementing these rights would likely see a degree of benefit in terms of new customers, better customer engagement, and higher customer approval rates.

 

5. The GDPR’s provisions incorporate certain best practices that are either already mandatory in Ukraine or “a good to have” practice to manage personal data risks

The GDPR introduces a requirement for businesses to appoint a Data Protection Officer (DPO) where (i) the core activities of the controller or processor consist of processing, which requires regular and systematic monitoring of data subjects on a large scale, or (ii) the core activities consist of processing of special categories of data on a large scale. The Personal Data Protection Law of Ukraine already requires the appointment of a DPO in cases where sensitive data is processed.

Another new requirement of the GDPR for controllers and processors is to prepare and maintain Data Mapping, which would include records of processing activities and maps showing how personal data flows within various territorial and structural divisions of the organization.

The performance of Data Protection Impact Assessments (DPIAs, namely risk analysis) is necessary according to the GDPR, where the processing of personal data (particularly when using new technologies), is likely to result in high risk to the rights and freedoms of individuals.

 

6. Increased fines, along with a data subject-friendly one-stop-shop approach, support compliance with the GDPR

The GDPR harmonizes the tasks and powers of supervisory authorities and significantly increases fines. For major infringements (such as failure to comply with cross-border transfer rules or to obtain the relevant permits), fines can be up to EUR 20 million or, in the case of an undertaking, up to 4% of the total worldwide annual turnover in the preceding financial year.

The supervisory authority in the jurisdiction of the main or single establishment of the controller/ processor will be the lead authority for cross-border processing (subject to derogations). This allows the data subject to file a complaint to one supervisory authority only, and such authority will lead the investigation in as many countries as is necessary, coordinating its activities with other authorities.

 

Subscribe
The Ukrainian Journal of Business Law

Subscribe to The Ukrainian Journal of Business Law right now and enjoy the most relevant issues on doing business in Ukraine on your device or in print.

All this for just USD 9.99 a month.

 

Subscribe now