Many Ukrainian startups target the European market or plan to scale into the EU. Whenever such companies collect and process personal data, their data practices must comply with European data protection law, widely known as the GDPR.
This article will help Ukrainian startups understand:
- What the GDPR is and why it is relevant for Ukrainian startups;
- Which Ukrainian startups fall under the GDPR requirements; and
- What tasks need to be completed to become GDPR compliant.
What is the GDPR and why it is relevant for Ukrainian startups
The General Data Protection Regulation, or GDPR, is the EU regulation governing the collection and processing of personal data. It applies to any situation where information about an identifiable individual is involved, whether that individual is a service user or an employee. Examples can be found throughout your company's processes:
- Website user registration, where at the very least a name or nickname and an email address are collected;
- Filling out the order form on an eCommerce website;
- Cookie tracking, where the system assigns a user ID and accumulates data against it;
- Employee onboarding, during which the employer collects information about employees' professional background, education and other personal details;
- Storage and analysis of customer data by contractors, and so on.
Since it became applicable in 2018, the GDPR has drawn attention worldwide. During 2018 the GDPR was mentioned in the media 300 thousand times, three times more often than Zuckerberg. There are several reasons for that.
First, the GDPR applies even to companies outside the EU, which makes the topic relevant for foreign and international companies, including Ukrainian ones.
Second, it raises the standard of personal data processing expected from contractors. European corporate clients that engage third-party services must make sure that their users' data will be protected in line with the GDPR.
Third, the GDPR carries stringent sanctions, ranging from regulatory fines to bans on providing processing services until compliance is achieved. A fine can reach EUR 20 million or 4% of annual worldwide turnover, whichever is higher, but in practice it is proportionate to the size and activities of the company. A large number of regulatory sanctions followed the GDPR's entry into application, totalling more than EUR 450 million to date. The competent authority may come across a violating company through a complaint from a dissatisfied user, a data breach notification, or routine or industry-specific audits planned by the regulator.
As a result, GDPR compliance has become the recognised standard of data protection for companies in Europe, and an additional trust signal for companies from other countries offering services or products to the EU market.
Which Ukrainian Startups need GDPR compliance
The first step towards GDPR compliance is to work out whether your company must comply with the EU data protection rules at all. The GDPR applies to three types of Ukrainian startups:
- Companies with an establishment in one of the EU countries. As the GDPR itself makes clear, mere registration of a business in the EU is not decisive. What matters is actual presence in an EU country, indicated by factors such as an office, management, employees or representatives in the EU, a postal address, a bank account, or a local licence (e.g., a financial licence). If two or more of these factors apply, it is likely that the company must comply with the GDPR even if its main office is in Ukraine;
- Companies located in Ukraine that offer their services or products to EU customers. Targeting the EU online is indicated by geotargeted ads, reviews from EU customers, EU domains (.eu/.de/.it/.fr), accepting a European currency, and the language of the interface. If European customers merely stumble onto the site and provide their data without being targeted, the European rules do not apply;
- Companies that process customer data on behalf of their clients, or, in legal terms, data processors. These include SaaS solutions such as CRMs or marketing tools, software development agencies, technical support providers, and cloud storage providers: almost any B2B business that acts as a contractor or third-party tool operating on personal data collected by its clients.
Does your business match one of these scenarios? If so, start working on GDPR compliance. If not, you will still need to comply with the data protection laws of the relevant country, determined by where your startup is registered and actually located and by where your customers are.
What to Begin with
The second source of confusion, after applicability, is what actually has to be done to become GDPR compliant. Data protection compliance is a step-by-step process, and it requires initiative from the company's management, which then translates into a privacy culture throughout the company.
GDPR compliance begins with a clear map of the data and the company's operations on it. Understand what the company collects from individuals, how, and why; only then can you choose relevant and necessary protective measures and draft a proper Privacy Policy or Data Processing Agreement where necessary.
Below is our checklist of the work required to pursue GDPR compliance:
- Initial Privacy Assessment. The initial assessment is a discovery of your company's personal data operations that results in the Records of Processing Activities (Art. 30 of the GDPR). Involve every department engaged in data processing to get the full picture: technical support and software development, data analysis, HR, recruiting, marketing, accounting, etc.
- Data Processing Agreements. As many Ukrainian startup team members work as individual contractors or sole proprietors, you will need to sign appropriate data protection agreements with them, in particular those required by Art. 28 of the GDPR. Similar agreements are needed wherever the company acts as a data processor for its clients, and in any other situation where contractors or third-party providers are involved. Another essential point is international transfers: if your partners, contractors or suppliers are located outside the EU, additional contractual safeguards are required, such as the Standard Contractual Clauses adopted by the European Commission;
- Interface Compliance: Privacy Policy and consents. How you interact with your users creates the first impression, including of your data protection practices. Make sure that, where necessary, user consent is collected and a record of it is stored in the database so that you can later demonstrate that consent was given, and that your website or application carries the privacy notices required by Art. 12-14 of the GDPR, usually in the form of a Privacy Policy and a Cookie Policy. B2B startups also publish a model Data Processing Agreement alongside their policies;
- Internal Policies, information security, and data protection training. The human factor causes most data breaches, whether through mistake, negligence or deliberate action. To address this, train the team so that they know their data protection responsibilities, and prepare clear Data Protection Policies. On the technical side, cover each data operation with protective measures; Art. 32 of the GDPR requires technical and organisational measures appropriate to the risk. Examples include access control and monitoring of sessions that touch personal data, two-factor authentication where applicable, encryption and masking of data, and antivirus and firewall protection. Information security must be addressed together with your technical team.
- Data Protection Officer. Consider whether you need a Data Protection Officer, a professional who oversees data protection compliance within the company. Under Art. 37 of the GDPR, a DPO is mandatory for companies whose core activities involve: (1) regular and systematic monitoring of individuals on a large scale; and/or (2) large-scale processing of special categories of data, such as health, biometric or genetic data, or information about a person's racial or ethnic origin, sexual orientation, or religious or political beliefs. The DPO role can be performed by an internal employee or an external contractor.
GDPR compliance is ultimately a mindset for you and your company, in which user privacy is treated as a feature "by design". We hope this article has shed some light on how Ukrainian startups can comply with the GDPR and legally open the EU's digital market for their activities.
Vlad Nekrutenko, CIPP/E, Privacy Lawyer at Legal Nodes
Legal Nodes is a global legal marketplace for tech companies.