Privacy Law and the impact of GDPR in Ukraine
by Svitla Team
What is GDPR?
The General Data Protection Regulation, or GDPR, is a legal framework that came into effect across the European Union on May 2018. It sets guidelines about the collection and processing of personal information, data protection, and privacy for all individuals within the EU and the European Economic Area (EEA). It covers all companies that deal with the data of EU citizens, making it imperative for companies to achieve corporate compliance under the GDPR framework.
The European Commission (EC) declares that personal data is “any information that relates to an identified or identifiable living individual.” With that being said, there are obvious categories of personal data such as name, home address, and email address...but there are also other categories now considered personal data such as a phone’s geolocation, the IP address, cookie IDs, and other mobile identifiers.
With this inclusive definition of personal data, virtually every business organization should update their digital properties given the borderless nature of the online world and perform a thorough audit on all clients and any involved party about their practices regarding online and offline data collection and processing.
The GDPR operates in two fundamental principles:
- Companies need to require an express, informed consent from users to collect their data and,
- Users should only share data that is required by a company to make the services or products they offer function.
Before the enactment of the GDPR, personal data processed in the EU was governed by the 1995 European Directive (95/46/EC) in regards to the protection of individual personal data and the free movement of such data. The principles of 95/46/EC were implemented across 28 EU member states.
After approximately 4 years of negotiations, the GDPR was approved by the European Parliament and Council and published in the Official Journal of the EU as Regulation 2016/679 on April 2016. A 2-year transition period was granted to allow organizations and governments to adjust to the new requirements and procedures. As previously mentioned, the GDPR is now the law throughout the EU since the 2-year transition period ended on May 2018.
The goal of the GDPR is to harmonize the current legal framework, which is fragmented across member states of the EU. The regulation is directly applicable with a consistent effect in all member states. Other goals of the GDPR include the increase in legal certainty, the reduction of administrative burdens and cost of compliance for organizations that are active in multiple EU member states, and the enhancement of consumer confidence in the digital marketplace.
However ambitious the GDPR framework is, it allows member states to legislate differently in their domestic data protection laws, which sparks mixed interpretations and enforcement policies among the member states.
With the GDPR compliance deadline back in May 2018, many companies faced the challenge of updating their privacy policies and data collection practices. Significantly, the GDPR has a wide-reaching geographical scope and definition of what is considered personal data, which affects both EU companies and beyond.
The GDPR has two key players: controllers and processors. Controllers are companies that define the purpose and means of data processing, and they face tighter regulation. Processors are companies that render services to controller companies, without the ability to collect data or determine the purpose of processing - in essence, processors are only capable of accessing the data.
With the current data protection framework provided by the GDPR, there are specific modifications that supersede previous directives. These key modifications include:
- Territory: The GDPR applies to personal data processing in the context of an organization’s activities. For the purposes of the GDPR, an organization implies an effective and real exercise of activity through stable arrangements, which leaves a broad spectrum of what might be included. Recently, the Court of Justice of the European Union dictated that a Slovakian property website with an establishment in Hungary was also subject to Hungarian data protection laws. Additionally, even if an organization proves that it is not established in the EU, it will most likely still be under GDPR regulations if it deals with the personal data of subjects within the EU. The GDPR was designed to regulate overseas organizations as well, and US tech companies should take this into careful consideration as the stipulations of the GDPR clearly endeavor to apply to them.
- Herculean sanctions: The GDPR couples anti-bribery and anti-trust laws with some of the toughest sanctions if non-compliance should occur. It imposes fines based on the overall revenue of an undertaking rather than the sole revenues of the relevant processor. This is bad news for multinational businesses as grouped revenues will be considered when calculating fines, even if specific group companies are completely unrelated to data processing. With the GDPR, there are now two categories of fines:
- High fines of up to $20,000,000 Euros or up to 4% of total worldwide turnover.
- Low fines of up to $10,000,000 Euros or up to 2% of total worldwide turnover.
- Data: The scope of personal data is wider in the GDPR, including information such as identification numbers, online identifiers, and location data. Also, sensitive personal data or healthcare data are now referred to as “special categories of personal data.” The GDPR includes a new provision of accountability which requires the data controller to prove compliance with regard to the processing of personal data, which is why controllers must maintain records of processing activities. Additionally, the GDPR imposes a duty to notify supervisory authorities of personal data breaches, giving a 72 hour period to notify individuals about the breach if the breach is of high risk to the individual’s rights and freedom.
- Processors: For the first time ever, the GDPR directly regulates data processors. Data processors, in essence, are companies which are engaged by a controller to process personal data on their behalf. Now, processors are required to comply with numerous regulations while they maintain adequate documentation, implement stringent security standards, perform routine impact assessments, appoint a data protection officer, comply with international rules on data transfer, and cooperate with national supervisory authorities. If processors fail to meet these criteria, they are subject to sanctions and private claims for compensation.
How does the GDPR affect companies with development offices in Ukraine?
Ukraine has become a well-known hot spot for delivering high-quality IT products and services, as well as highly talented professionals in the IT industry. With its strong education system, tech graduates, and steady pay rates, Ukraine is an attractive destination for worldwide companies in the technology industry.
The legal environment in Ukraine differs considerably from the one in the EU and is often considered an outlier. Nonetheless, US multinational companies with activity or development offices in Ukraine face the imminent trial of complying with GDPR regulatory laws.
At the heart of the GDPR, the most powerful impact on companies which are not member states is its extra-territorial nature, applying to companies anywhere in the world that come into contact with EU residents’ data, which of course, applies to Ukraine.
Ukraine legislates data protection via the Law of Ukraine “On Personal Data Protection,” dated June 2010. Nonetheless, Ukraine is required to align its legislation with the EU’s highest standards. Ukraine is a prospective member of the EU, but it currently has numerous companies that deal with personal data of EU citizens. Per GDPR decree, personal data processing refers to gaining access to any sort of personal data, whether or not it’s stored in a device.
The GDPR directly affects Ukrainian companies that offer services and goods to EU citizens (e.g., IT companies, design studios, healthcare companies, travel agencies, and more) and companies that process the personal data of EU citizens (e.g., advertising firms, marketing firms, research companies, and more).
With the GDPR in full effect, Ukrainian companies are faced with the challenge of complying with the new regulatory measures to ensure personal data is accounted for and handled within the boundaries set out by the new legal framework.
To put this into perspective, according to Forbes, one of the most powerful rights for citizens with the enforcement of the GDPR is the right to be forgotten. Upon request, EU-based companies and companies with development offices in Europe, such as Ukraine, must now delete personal data as the user deems it necessary.
Why the GDPR matters?
To Ukraine, the GDPR matters in numerous ways in its attempt to align itself and become a member of the European Union. Some years ago, Ukraine agreed to comply with the highest European data protection standards, which nowadays translate to the GDPR. This means, all software development and the IT sector in Ukraine, whether controllers or processors, must improve enforcement and compliance with the GDPR guidelines.
Companies with development offices in Ukraine must ensure the privacy of individuals for each new processing, product, service, or application, collecting minimal amounts of necessary personal data. In the wake of the GDPR implementation, many companies have invested both capital and time to bring personal data processing activities in line with the GDPR, estimated to require up to 3 to 6 months for a medium-sized company.
Nowadays, users have a more acute interest in how their personal data is collected and used, in part due to recent data scandals such as the one from Facebook. In a sense, the GDPR comes at a great point in time to address these user concerns. With new additions to the rights of data subjects in terms of personal data, data portability, erasure, restriction, and profiling, Ukrainian companies must reevaluate their entire infrastructure and approach to personal data, which could be beneficial in terms of new customers, improved customer engagement, and higher customer approval rates.
The new era of online data protection: How to navigate Privacy Law considerations for companies with development offices in Ukraine
Despite having two years to prepare and comply with the GDPR, many companies were right on deadline changing privacy policies and features worldwide and sending an email and other notifications discussing these changes with their users and clients.
To navigate the GDPR, companies in Ukraine and with development offices in Ukraine must perform a comprehensive evaluation of what personal data is being collected, what personal data it has access to, what personal data it stores, where personal data can be transferred and what the company actually does with personal data. These key questions will shape the strategy around the GDPR requirements and its compliance.
Ukrainian companies must also ensure they have the infrastructure and technical capabilities to handle and process data in compliance with GDPR requirements. These technical capabilities include encryption, data anonymizing, physical and online access control, and more. Additionally, companies must deploy a Non-Disclosure Agreement to every employee and contractor that deals with sensitive or personal data.
As the new legal framework extends beyond the borders of Europe, some of the world’s largest companies prepared for the GDPR by implementing new privacy tools and resources that put people in more control over their data and its privacy.
With these tools, users can find, download, and delete specific data on the company’s site. Additionally, since the GDPR enforcement in May 2018, users across the globe have been flooded with emails that requested them to agree to the new terms of service and to persuade them to opt-in to marketing communications or recognition technologies.
Reactions to GDPR from the tech industry
Since the GDPR went into effect, companies with development offices in Ukraine have felt the effects in various ways and have taken different measures to address the new framework, including:
- Block EU-based visitors from the company’s website.
- Roll-out new consent forms to each EU user to select the 3rd party services they agree to share data with. Failure to consent may result in a service interruption.
- Deployment of updated privacy management tools.
- Block content display to EU-based users.
- Email confirmation to opt into marketing communications.
- Remove the product or service from EU app stores and delete all EU residents records.
- Pull-out of the EU (this is specifically relevant for small and start-up companies that don’t have the resources to comply with the entire scope of the GDPR).
From tech giants such as Microsoft who have made it a priority to comply with GDPR worldwide, to Facebook which moved a reported 1.5 billion users out of reach for EU privacy regulations, companies are taking different approaches to the GDPR. Multinational companies are forced to think about new ways to address data privacy across the globe, which can be powerful for users and their engagement.
Other tech companies have opted to pull out of Europe entirely in the fear of failing to comply with the rigorous new regulations.
According to The Economist, Google has communicated that all websites and apps that use its native ad-tech tools must obtain user consent. Google strives to offer ads that are less targeted at particular individuals, which provides a superior level of comfort to users as their data won’t be abused or mistreated by unknown parties.
It’s true that the industry remains cautious about the full effect of GDPR on companies. Opponents of the new regulations often say that it is a burdensome framework that may hinder the operational efficiency of many companies across Europe and the world. For example, data cannot be transferred to another country outside the EU, unless the same level of protection is guaranteed. Companies may opt to pull out or change their business practices, but it is still yet to be seen what the full spectrum of effects will be in terms of cost and time..
The future of European data and privacy protection laws
The effects of the GDPR are still so fresh that a new round of European privacy laws almost feels too much to handle. Some companies are still working hard and investing to achieve GDPR compliance while others are still in the GDPR awareness stage, trying to wrap their business strategies around the new regulatory measures of the legal framework.
Nonetheless, more change is on the horizon. By the end of 2018 and the early months of 2019, companies must now face the adoption of the EU’s ePrivacy Regulation. This new regulation is considered as an update to the existing ePrivacy legal framework, specifically the ePrivacy directive established in 2002 and revised in 2009, which requires prior consent regarding website cookies.
But, it would be a mistake to consider the ePrivacy Regulation as a framework that only deals with cookies. Instead, it concerns itself with electronic communications and the right of confidentiality, data privacy, data protection, and more.
Originally, the new ePrivacy Regulation was intended to be applied in May 2018, the same date as the GDPR, but this ambitious timeline proved near impossible since many areas of the publication were still under work.
While for many companies it is tedious work to comply with the new regulations, overall, the GDPR and the looming ePrivacy Regulation feel like a victory for advocates of strict privacy and data protection rules. Users also feel more comfortable with the way their data is treated and the control they are granted over its privacy.
The jury is still out on the full range of benefits and drawbacks these new regulations bring, but it’s important to be informed, prepared, and on the constant lookout for how it may impact your company and your customers.
Let's meet Svitla
We look forward to sharing our expertise, consulting you about your product idea, or helping you find the right solution for an existing project.
Your message is received. Svitla's sales manager of your region will contact you to discuss how we could be helpful.