GDPR — how it affects Ukrainian companies

One beautiful morning I got this unusual request from a client. He was really anxious and confused. He said, “Dear Lidia, we got this Data Processing Agreement on 26 pages from our client who said we should revise it and sign it according to the GDPR. We haven’t dealt with anything like that before. Can you help us with this GDPR thing?”

Let’s be honest, we do know stuff and we can talk about it, but there are some areas where we lack expert knowledge. However, when our clients ask us to, we study these new and unexplored topics. And that’s what I actually did.

What is GDPR and what is all the fuss about?

I am familiar with EU data protection regulations. However, I had little knowledge about this mysterious GDPR thing, even though The Economist mentioned it in its special issue The World in 2018. Truth be told, I used to confuse the letters in this abbreviation.

After we had finally gotten through alphabet soup, my colleagues and I started to delve into the new mechanisms of data protection contained on 88 pages of the full text of the GDPR plus a hundred other guidelines, instructions, best practices, etc.

Captain Obvious

The European Parliament adopted the General Data Protection Regulation (the GDPR) on 26 April 2016. This regulation is mandatory and all EU member states have an obligation to implement and apply it.

Before that, there was the EU directive that provided the framework for personal data protection in the European Union. Or rather, this directive was a set of guidelines EU member states implemented in their local laws and regulations using methods and acts they deemed appropriate.

Traditionally, personal data means any information that allows to identify a person. You cannot identify anyone using his or her first name only; but when you have a last name, a date of birth, and a place of residence, it is very likely that you will easily find this person.

What does Ukraine have to do with it?

Ukraine is not a member state and it may seem that EU regulations and directives are not applicable here. However, GDPR is very different. When it comes to GDPR, anyone outside the EU should be aware of its extra-territorial applicability since it applies to companies anywhere in the world which come into contact with EU citizens’ data.

Ukrainian companies often deal with European Union citizens’ personal data. For instance, when developing a SaaS platform for a restaurant or a vet clinic, software developers get access to personal data of people who sign up (waiters, doctors, or pet owners). According to the GDPR, getting access to any personal data, even if this data is not stored on any device, means personal data processing.

Breaking down ‘Controller’ and ‘Processor’

The GDPR defines data processors and controllers. The purpose of data processing helps understand these terms. If a company defines the purposes and means of data processing, this company is a controller, which means that this company has more obligations.

Let us say, some free car-sharing platform developed by some Ukrainian company becomes popular both in Ukraine and in the EU and EU citizens can sign up with it.

In this case, the GDPR applies to this car-sharing platform. Besides, this Ukrainian software developer is a data controller. To store and process data and ensure that the platform works smoothly, this company uses services and servers provided by Amazon Web Services. The latter does not initiate data collecting and does not set the purpose of its processing, but it has data access. Therefore, Amazon is a data processor in this case. According to the GDPR, data processors also have obligations and must comply with certain restrictions.

What if the GDPR applies to a Ukrainian ‘controller’ company?

Actually, it’s not so bad. For starters, a company should do a general check and find out what personal data is being collected, what personal data the company has access to or stores on its devices, where it can be transferred (who can access it) and what exactly this company does with personal data and what data protection practices it uses.

The GDPR requirements are listed out on 88 pages, so there’s a lot of stuff you should be aware of.

For instance, you may not collect more information than the purpose of collecting and processing allows to. For example, you are developing keyboard themes for Android. Apparently you don’t need to ask users to give you access to all personal data stored on their smartphones when they install your application. You don’t want to make the same mistake as Type.AI made in December 2017 leaking the personal data of over 31 million users and allowing anyone to access almost 600 gigabytes of user records, including information linked to Google accounts. Good for them it happened before 25 May 2018.

After a general check, you have to make sure that your privacy policy complies with GDPR. It should contain a list of data collected, the purpose of data processing, clients’ rights in regard to their data, and how you deal with complaints.

Mind that the GDPR requires that a privacy policy be written in simple language. To ensure data protection, you have to show that a user has actually read your data processing rules. So, clicking the ‘I agree’ checkbox without actually reading the rules won’t do. By the way, neither the GDPR nor the applicable EU law require that companies make their endless Privacy Policies available on their websites. The GDPR requires that you have a clear and simple Privacy Notice. So it’s better and more convenient when a client sees a popup box with a short notice and the ‘I agree’ box.

Getting consent for data processing using a privacy policy or a privacy notice is a controller’s key task. If a controller doesn’t have either of those, things may go wrong.

However, even if you have a well-written privacy policy, is not enough. The GDPR contains data protection by design and by default provisions. This means that controllers and processors are required to put in place technical and organizational measures for personal data protection before they actually get any such data. That is, companies have to put these measures in place and be ready to process any data in compliance with the GDPR requirements. Technical measures mean encryption, use of methods of data encryption and data anonymizing, physical and online access control (to avoid the sort of thing that happened with Deloitte UK in September 2017 when the company got hit by a cyber attack and because it did not have two-factor authentication its clients’ data was compromised).

Organizational measures include dealing with employees and contractors with data access. This means you should execute an NDA with every employee, you should have your data processing policy developed, and you should train your employees. Here is this case of Heathrow Airport that apparently failed to properly train its employees. In October 2017, a man found a memory stick on the street that contained maps, videos, and other information about the route the Queen takes to the airport, security measures used to protect her, and other sensitive information, including the IDs the undercover officers need to access the restricted areas, a timetable of security patrols, and maps locating security cameras and tunnels linked to the airport. The pedestrian was really surprised with what he saw when he opened this memory stick using a public library computer. According to Heathrow representatives and experts, this probably happened through negligence of airport employees. Besides, in 2015, there was another serious data leakage case when a London-based clinic leaked the details of 780 HIV-positive patients by sending a newsletter revealing the patients’ names and email-addresses.

What if a Ukrainian company is a data processor acting on behalf of an EU controller

This is very common for IT outsourcing. For example, a Ukrainian company gets an assignment from an EU customer to do some project and gets access to personal data. In this case, the EU company is a data controller and the Ukrainian company is a data processor.

EU law and the GDPR prohibit to transfer data outside the European Economic Area unless the recipient’s jurisdiction is considered to provide the adequate (required) level of personal data protection. The European Commission is responsible for listing out such jurisdictions. For now, the European commission okayed the level of personal data protection in Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, New Zealand, and Uruguay.

Focused readers plus those who own a company incorporated in the US would notice that the US is not on the list, just like Ukraine. Here, your membership in the Privacy Shield may come in handy (or you can use a standard agreement mechanism, exactly as if a company has been incorporated in Ukraine).

So what to do with this transfer thing if a processor is based in Ukraine. It’s very likely that a customer from the EU is going to tell a Ukrainian processor what to do since it’s this EU customer whose job is to ensure that personal data is properly processed. The most convenient way to ensure this is a standard data processing agreement (DPA) listing out the requirements for technical and organizational measures that a processor from Ukraine must take. There are other ways to ensure data transfer protection. For instance, a controller may require a processor to complete certification or work out certain corporate rules that have to be approved by EU regulatory agencies. However, there is no GDPR-based certification just yet, and other options are way too complicated.

Now let’s move to hiring contractors or, as the GDPR puts it, sub-processors. According to Article 28, before hiring a sub-processor, a processor is required to get a written authorization from its controller. Therefore, any Ukrainian IT company that provides software development and tech support services and has access to personal data may engage independent contractors to entrust them any tasks related to delivering services, provided that the customer from the EU has authorized it to do so. In addition, it is required that processors execute a DPA with every sub-processor reflecting the provisions of the DPA executed with the EU-based customer.

Data protection officers

There is a lot of stuff online and when you’re reading it you may get the impression that GDPR requires companies to appoint data protection officers. However, according to GDPR, companies have the obligation to appoint such officers only when data is processed by (a) a public authority; (b) a company that on a regular and systematic basis does the monitoring of individuals using huge volumes of personal data; c) a company processing ‘sensitive’ data, including medical and criminal records.

If you feel relieved because you’re not on the list, you should be aware that according to Article 3 (2) of the GDPR, data controllers based outside the EU offering their services to the EU-based individuals and processing their data, are required to appoint EU-based representatives. That is, a controller is required to execute a written agreement with an EU-based company that is going to be a main contact in case the EU regulatory agencies need to contact a data controller regarding GDPR compliance matters.

When data is NOT transferred to Ukraine

If your company is registered outside Ukraine, for instance, in the USA, you’re still required to execute standard data transfer agreements with your customers, because the USA, just like most other jurisdictions where people usually incorporate their IT businesses, is not on the list we’ve already talked about. But what about a Privacy Shield?

Actually, a Privacy Shield is a kind of an umbrella agreement and therefore, transferring data to companies included in the Privacy Shield list (you have to pay registration and membership fees) used to work the same as legitimate data transferring from the EU. The companies included in the Privacy Shield list are required to execute agreements with their contractors that take into account the Privacy Shield requirements. But the Privacy Shield existed before the GDPR. Therefore, chances are, requirements regarding American companies on the Privacy Shield list are going to become tougher. However, for European companies, this membership is a matter of reputation, even provided that there are registration expenses and reporting to the US Department of Commerce.

This recent case with Nova Poshta (a courier company based in Ukraine) leaking its customers’ personal data is another proof that the GDPR is going to become more topical. Good for us, the EU-oriented Ukrainian IT companies dealing with customer personal data are definitely going to need a lawyer. And they better hurry up. It’s important to do a GDPR compliance check right away. Fines for companies failing to comply with the GDPR requirements are way higher than any average fines in Ukraine. We are not going to whip up tensions right now since so far, even people in the EU don’t know for sure how fines will work. For now, this whole GDPR thing is a good opportunity to expand your expertise and show off to all your friends and family how you are perfectly able to ensure compliance.