Ukraine's Path to GDPR Compliance
Kyiv Consulting
A subsidiary of BDO in Germany with a focus on research, graphic design, web development, and operations improvement.
As Ukraine continues its preparation for European Union accession, the question of GDPR (General Data Protection Regulation) compliance arises. While not currently mandatory for Ukraine, aligning with GDPR standards presents an opportunity for enhanced data protection and smoother integration into the European digital landscape.
Implementing GDPR principles not only ensures legal compliance but also fosters greater trust with international partners and strengthens cybersecurity measures, making it an essential step for businesses operating in Ukraine.
Our privacy expert, Igor Gryshchenko, has valuable insights on Ukraine's GDPR compliance journey and the latest updates for businesses.
Implementing GDPR regulations in Ukraine without concerns is indeed feasible and holds significant benefits for businesses and citizens alike. Here's how:
Enhanced Data Security: GDPR compliance establishes robust data protection measures, safeguarding personal information against unauthorized access and data breaches. By adopting GDPR principles, Ukrainian businesses can bolster trust and credibility among customers and partners, fostering a secure digital ecosystem.
Global Competitiveness: Aligning with GDPR standards positions Ukrainian companies as trustworthy partners on the global stage. Compliance demonstrates a commitment to international data protection standards, enhancing competitiveness and opening doors to new markets and collaborations.
Streamlined Data Management: GDPR compliance necessitates transparent data management practices, including clear consent mechanisms and data processing guidelines. Implementing these practices promotes efficient data governance and empowers individuals with greater control over their personal data.
Legal Certainty and Stability: Adhering to GDPR regulations provides legal certainty for businesses operating in Ukraine. By aligning with established EU data protection laws, companies can mitigate legal risks and navigate international data transfers seamlessly.
Building Trust and Reputation: GDPR compliance is not just about regulatory adherence; it is about building trust and safeguarding privacy rights. By prioritizing data protection, Ukrainian organizations can cultivate a positive reputation and strengthen relationships with stakeholders.
Data Protection Legislation
Since the current Data Protection Law is far from perfect, a new legislative initiative was launched. The goal was to introduce principles and mechanisms that resemble the privacy fundamentals of European legislation, including GDPR, and to bring the law in line with international standards. Here is a short guide to the main changes in the new Draft Law.
Some groundbreaking changes were introduced in the principles of processing: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; accountability.
The conditions under which sensitive data may be processed were widened: the data subject provides explicit consent; fulfilling labor relations; vital interests of the data subject; defending a legal claim; purposes of public interest in the field of public health; purposes of archiving in the public interest, scientific purposes, or historical research; prevention, investigation, and detection of offenses.
Another amendment concerns video surveillance. The Draft Law introduces provisions for the lawful installation of video surveillance systems for the purposes of preventing, detecting, or recording offenses and ensuring public safety and order. In addition, the Draft obliges the Controller to give notice, in a place accessible to everyone and in the official language, that surveillance is being carried out.
The new Draft Law extends the cases in which a Data Protection Officer (DPO) should be appointed:
Data breach notification requirements were adapted to GDPR standards and include an obligation of the controller to notify the supervisory authority within 72 hours. The notification shall include: a description of the nature of the data breach; contact details of the person responsible for data protection; a description of the probable consequences; a description of the measures taken.
The new Draft Law introduces new rules on international transfers, which also closely align with GDPR. A data controller may transfer personal data to foreign states or international organizations only if: they are able to provide an adequate level of protection; the controller provides adequate guarantees of personal data protection; Binding Corporate Rules are approved.
Responsibility for violations was significantly extended. New fines were introduced, and they differ depending on the type of violation, its severity, and how often it occurs. For individuals: UAH 10,000 to UAH 300,000 (but no more than UAH 20 million). The maximum fine is UAH 20 million. For companies: 0.05% (not less than UAH 30,000) - 5% (not less than 300,000) of their total annual turnover. The maximum fine is UAH 150 million or 8% of the total annual turnover.
While implementing GDPR regulations in Ukraine may require initial adjustments and investments in infrastructure and training, the long-term benefits far outweigh the challenges. Embracing GDPR principles lays the foundation for a resilient and secure digital future, positioning Ukraine as a trusted player in the global data economy.