What Do Ukrainian Companies Need to Do to Comply with GDPR Requirements?

The General Data Protection Regulation (GDPR/the Regulation) is a document that has radically changed the rules of the game in the field of personal data protection. Despite the fact that the GDPR is an internal act of the European Union (EU), in certain cases it has extraterritorial effect.

In light of the recent clarifications by the European Data Protection Board regarding the territorial scope of the Regulation, it is becoming clear that a significant portion of Ukrainian companies (both in the real sector and in the field of information technologies) are subject to the obligation of GDPR compliance. As a result, Ukrainian businesses are increasingly asking the question: “What needs to be done to comply with GDPR requirements?”

It should be noted from the outset that ensuring GDPR compliance is a complex process that requires the cooperation of a large number of people — first and foremost, the company’s management, lawyers, and technical specialists. To facilitate understanding, we propose to divide this process into several main stages.

Stage 1. Recording the Current State

At this stage it is necessary to conduct an analysis of all of the company’s business processes with the aim of identifying specific personal data processing procedures, the range of subjects involved in processing, and the manner in which the company interacts with such persons.

The result is the drafting of an Initial Data Mapping — a kind of “map” of the movement of personal data, which visually records the actual conditions of their processing. This document provides an understanding of the company’s general algorithms for working with personal data at the initial stage.

Stage 2. Assessment of the Current State

Having gained an understanding of the current algorithms for processing personal data, it is necessary to determine what needs to be changed in such algorithms to ensure compliance with the requirements of the Regulation. First of all, privacy due diligence must be conducted, including analysis of the privacy policy as to its compliance with GDPR requirements; the form in which the data subject is notified of the processing of their personal data; confidentiality provisions in concluded agreements; and other internal and public documents.

If the processing of personal data is likely to result in a high risk to the rights and freedoms of data subjects, a Ukrainian company is obliged to conduct a Data Protection Impact Assessment.

The result of this stage is the company’s identification of the gap (Gap Assessment) between its current state of activities and the state it must achieve after implementing all necessary measures in accordance with the requirements of the Regulation. The Gap Assessment is a “roadmap” on the path to achieving GDPR compliance.

Stage 3. Document Development

Document development is always the main stage: the company’s compliance with GDPR requirements depends on the correctness and effectiveness of the documents produced here. All documents can be broadly divided into policies, procedures, and other documents.

Policies define the main principles that the company follows in the process of processing personal data. Examples of policies include:

  • Privacy Policy — a document for notifying data subjects about the procedure for the company’s processing of their personal data;
  • GDPR Controller/Processor Agreement Policy — a policy that defines the procedure for concluding agreements between the company and personal data processors and points to the key aspects of such agreements.

Procedures, in turn, set out the formal order in which the company carries out legally significant actions in the field of personal data processing. They are step-by-step instructions that the company must follow in a given case. Examples of procedures include:

  • Privacy Notice Procedure — the procedure for notifying data subjects of the specifics of the processing of their personal data;
  • Data Subject Request Procedure & Complaints Procedure — the company’s course of action in the event of a data subject submitting a complaint or a request to exercise rights supported by the Regulation.

Other documents are developed by the company to ensure compliance with the special requirements of the GDPR. For example:

  • Preparation Project Plan — defines what measures the company introduces to achieve compliance, and when;
  • Roles and Responsibilities — establishes the responsibilities of the company’s management and main categories of employees in the field of personal data processing.

The above represents only a small portion of the documents required to ensure compliance with the requirements of the Regulation. The specific set of documents and their content must be determined for each company individually, taking into account the specifics of their business processes.

Unfortunately, GDPR imitation is fairly common among Ukrainian companies. It arises when a company develops exclusively the main public documents — namely the Privacy Policy and the Privacy Notice — and this exhausts its preparation. A Privacy Policy is necessary for compliance with the requirements of Articles 24 and 32 of the Regulation, while a Privacy Notice satisfies the requirements of Articles 13 and 14 of the Regulation. GDPR imitation leaves out the remainder of the Regulation’s mandatory requirements.

The development of only a Privacy Policy and Privacy Notice is insufficient to ensure GDPR compliance, even if such documents in their content correspond to the provisions of the Regulation.

Stage 4. Implementation of Changes

Ukrainian companies must not only develop the necessary documents, but also ensure their implementation and observance in business processes. Supervisory authorities, when considering the question of a company’s compliance with GDPR requirements, take into account the actual procedure for processing personal data, not theoretical legal models.

At this stage the company is also obliged to appoint its representative on the territory of the EU member state where the majority of data subjects whose personal data is processed are located. It is not necessary to establish a branch or conclude an employment agreement with an employee in the EU — it is sufficient to conclude a civil law agreement with a representative.

Stage 5. Monitoring the Results of GDPR Implementation

Ensuring the company’s compliance with GDPR requirements is not a one-time procedure. After developing documents and implementing the necessary organizational and technical measures, the company is obliged to:

  • maintain the compliance of such documents and measures with ongoing legislative changes;
  • record the actual processes and events that occur during the processing of personal data;
  • conduct periodic audits of personal data processing processes;
  • conduct training for employees who have access to personal data on matters of data protection and information security.

Thus, ensuring Ukrainian companies’ compliance with GDPR requirements has already transformed from a theoretical idea into a real condition for conducting successful business in the EU. The procedure for achieving GDPR compliance is fairly complex and requires significant resources and experience, and therefore Ukrainian companies oriented toward the European market need to review personal data protection issues today.
