GDPR Ready Company: Guidelines to Implement
Millions of fines for Ukrainian companies for violation of the data personal processing in accordance with foreign law: is it really possible?
As a rule, owners and managers of companies focus on strategic development and operational management of their business. The issue of changes in legislation, especially international, is subject to control of lawyers. And this is logical and understandable.
However, there are regulatory acts that require attention, even to business owners, not only with aim to be in the trend, but above all to avoid the consequences that business may have.
One of such regulations in 2018 was the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter – “Regulation”). Although the Regulation was adopted in Europe, its action extends to Ukrainian companies as well.
Despite attempts to raise the respect and proper attitude of Ukrainian business towards the processing of personal data by adopting appropriate legislative acts and procedures (a while back, even by obligatory submission of personal data of all those who process them to the state registry of personal database) we are used to think that Ukrainian legislation does not establish effective mechanisms of influence for business on this issue. Moreover, fines for violation of data processing procedures can be up to a maximum of several thousand hryvnias. Thus, by 2018, the issue of proper protection of personal data was treated as irrelevant for business. After coming into force of the Regulations, fines have been imposed, which, unlike Ukrainian legislation, comprised 2-4% of the global annual business turnover or 10,000,000 to 20,000,000 euros for violations of data processing procedures. In Europe, some practice has been emerged with respect to application of large fines.
Consequently, it becomes increasingly necessary for Ukrainian companies to pay attention to the provisions of the Regulation and to take the necessary measures as soon as possible. This is especially true for companies that offer goods / services to the EU and the EEA, track and monitor their potential clients / visitors to sites on the Internet with the aim of targeted advertising, make profiles of such clients (their preferences, interests, behavior), sell online, have representations in the territory of the EU.
Thus, the Regulation has a wide range for use. Such a business as medical care, passenger transportation, hotels, tourism, banks, processors of financial transactions, information technologies, foreigners’ employment, any other activity related to personal data of individuals living in Europe and the EEA are subject to the requirements of the Regulation.
At the meeting, we will pay attention to the main and decisive provisions of the Regulation, which must be taken into account by the owner of the business, so as not to be in a “rabbit hole” and not gain “glory” of the first at the Ukrainian market, which was negatively affected by European legislation. We will look at examples and provide answers. For example, whether the Ukrainian banks that handle personal data of foreigners – their customers – will be subject to the Regulation; or whether the Regulation be extended to transport companies providing international services; or whether a start-up based in Ukraine and provides a certain application of tourists visiting Ukraine or EU countries (for example, city-mapping application) is obliged to comply with the requirements of the Regulation.
Our legal and technical specialists will share their experiences, tell the latest clarifications of the European supervisory authority on personal data protection and advise on the organizational and technical measures that must be taken to counteract the negative consequences of your business. We will show you how to build a modern IT architecture that meets GDPR requirements. We will pay attention to the use of two-factor authentication as the implementation of the key requirement of GDPR.
Looking forward to the Open lecture on 9th of April, registration is via the link.