Data Protection Directive 95/46/EC was replaced by the General Data Protection Regulation (GDPR) in 2016. It will enter into force on 25 May 2018. This means that all companies processing the personal data of EU citizens and residents, regardless of their location, will have to become GDPR compliant, i.e. follow the new EU rules on the storage, processing, and transfer of personal data. This also concerns Ukrainian companies, both those operating on EU territory and those selling goods to EU citizens and residents.

Personal data is becoming more and more vulnerable, so the new GDPR was adopted to protect it

The DPD had become outdated. It failed to keep pace with the development of cloud services, the technical opportunities for data collection and transfer, and the increased risk of cyber-attacks. After four years of preparation and debate, the European Parliament adopted the GDPR. Recent changes in EU legislation (the cookies directive, the ePrivacy Regulation), as well as legal precedents (the Snowden case, the Schrems case), encourage people to be more proactive about personal data protection. For an individual, it is important to understand where information about them is stored, who has access to it, whether the storage is reliable and what to do in case of an information leak.

The key aim of the GDPR is to ensure the individual's right to data privacy and the right to be forgotten.

Responsibility for data security is borne by the companies collecting it

The GDPR aims to make every entity (company) that processes personal data ensure proper technical conditions for its storage and protection.


Key aspects regulated by the GDPR:

  • data processing and storage;

  • users’ consent for data collection and processing;

  • ensuring of citizens’ rights to access their data;

  • the right to be forgotten (physical removal of data from all servers);

  • the right for data transfer (to other servers or platforms);

  • data protection and related responsibilities.

In order to meet the aforementioned requirements, a company has to develop a standard package of documents substantiating its procedures for data storage and processing, and ensure that the data is used only for the specified processing purposes.


Furthermore, companies must have a set of technical data protection measures and an Emergency Plan in place: concrete technical measures to be applied as soon as a data breach is identified. Notifying the regulatory authorities of a data breach within 72 hours of its occurrence is also part of the obligatory package; it serves as immunity from sanctions related to the data loss.


Every company should decide whether to create such conditions with its own resources or to outsource this work to external legal and IT service providers.

Even though the GDPR is an EU regulation, Ukrainian companies should also comply

In Ukraine, GDPR compliance should be a priority for online shops operating on EU territory and receiving payments in EUR. If a company isn't GDPR compliant, it cannot legally work on EU territory or with EU citizens.

If the work involves contractors, they should be audited to establish whether or not they are GDPR compliant. If not, the company should cease any cooperation with that contractor. This works both ways: when you act as a contractor, companies may refuse to work with you if you are not GDPR compliant.

Insuring cyber-risks helps mitigate the negative consequences of a data breach

If a company is not ready to develop its own expertise in personal data protection but wants to comply with GDPR norms, it can employ external consultants or insure its cyber-risks.

This is very convenient, as in case of a data breach all losses will be compensated. As a rule, foreign companies working on the Ukrainian market insure cyber-risks, while among national entities this practice is uncommon.

In the future, companies that take care of the technical part of compliance as well as the mitigation of financial sanctions-related risks will emerge.

Blockchain will change to ensure the observance of the right to be forgotten

The GDPR is in direct conflict with blockchain technology, as the latter makes exercising the right to be forgotten impossible. In the cryptocurrency world, for instance, the hash of a user's wallet is unique. Once the link between the hash and the person is revealed, anyone can access the history of all operations conducted with that wallet and attribute them to a concrete individual. This applies not only to cryptocurrencies, though: many countries have governmental programmes to create open data registers of citizens (cadastres).

Solutions to this issue are currently being sought. One such solution is the anonymisation of transaction details by keeping personal data outside the blocks. In that case, a block contains only a transaction key, which can be used to request the detailed data stored on an external server, somewhere outside the blockchain. This does, however, create room for manipulation of the data stored on such a server.
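The off-chain design sketched above, as an added example that is not part of the original article: a toy Python ledger whose blocks hold only a transaction key and a salted hash commitment to a personal-data record kept in a separate, erasable store. Erasing the record and its salt honours the right to be forgotten without touching the chain, and the commitment lets the reader of the chain detect manipulation of the off-chain store; the class, the salted-commitment scheme and the sample records are assumptions of this illustration.

```python
import hashlib, json, os

class OffChainLedger:
    # Toy ledger (added illustration): blocks hold only a salted hash commitment
    # to a personal-data record kept in an erasable off-chain store.
    def __init__(self):
        self.chain = []   # on-chain blocks, never modified after append
        self.store = {}   # off-chain: record_id -> {"salt": bytes, "data": dict}

    @staticmethod
    def _commit(salt, data):
        # Per-record random salt: once it is deleted, the on-chain hash can no
        # longer be linked to the person even by guessing the data.
        payload = json.dumps(data, sort_keys=True).encode()
        return hashlib.sha256(salt + payload).hexdigest()

    @staticmethod
    def _block_hash(block):
        body = {k: v for k, v in block.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add_transaction(self, record_id, personal_data, amount):
        salt = os.urandom(16)
        self.store[record_id] = {"salt": salt, "data": personal_data}
        block = {
            "record_id": record_id,              # transaction key used for lookups
            "commitment": self._commit(salt, personal_data),
            "amount": amount,
            "prev": self.chain[-1]["hash"] if self.chain else "0" * 64,
        }
        block["hash"] = self._block_hash(block)
        self.chain.append(block)
        return block["hash"]

    def resolve(self, record_id):
        """Fetch the off-chain record; None if erased; ValueError if tampered."""
        block = next(b for b in self.chain if b["record_id"] == record_id)
        rec = self.store.get(record_id)
        if rec is None:
            return None
        if self._commit(rec["salt"], rec["data"]) != block["commitment"]:
            raise ValueError("off-chain record does not match on-chain commitment")
        return rec["data"]

    def erase(self, record_id):
        """Right to be forgotten: drop record and salt; the chain is untouched."""
        return self.store.pop(record_id, None) is not None

    def chain_valid(self):
        prev = "0" * 64
        for block in self.chain:
            if block["prev"] != prev or self._block_hash(block) != block["hash"]:
                return False
            prev = block["hash"]
        return True
```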

Confirm compliance or leave the European market

The GDPR is not yet accompanied by standard operating procedures. Only after it enters into force will the mechanisms by which the regulatory authorities operate become clear. This will gradually lead to unified approaches to data protection and to the certification of companies compliant with modern personal data protection standards. For now, the main task for all companies engaged to any extent in personal data collection and storage is to confirm their GDPR compliance in order to be able to work on EU territory.

Ekaterina Oleynik, adviser of the JSC “Arzinger”

Vitaliy Kuznetsov, IT-director of the JSC “Arzinger”