On May 25, 2018, the General Data Protection Regulation (GDPR) will come into force, raising the protection of the personal data of EU residents and citizens to a qualitatively new level. But Ukrainian companies should not relax: the GDPR has extraterritorial effect and applies to all foreign organizations that offer goods and services to EU residents.
That such services are directed at EU residents can be evidenced, for example, by the language of a website, the currency of payment or the use of national domains of EU countries. Therefore, if an EU citizen, for example, is registered in a Ukrainian online store that meets such criteria, that store becomes subject to the Regulation.
Therefore, a representative of a business that deals with the data of EU residents should take care of the safety of that data in advance. The Regulation recommends using all necessary methods, including encryption, and being careful when choosing a ‘processor’ (data handler, such as databases or cloud storage).
The innovations include the right to be forgotten, which allows you to have your personal data deleted on request in order to avoid its distribution, and the right to data portability, i.e. companies are required to provide, free of charge, an electronic copy of the personal data to another company at the request of the subject of the personal data.
Attention should also be paid to the need for a Representative in the EU if neither the recipient nor the data processor is in the EU. The requirement will apply to all companies, including Ukrainian ones, that deal with the personal data of EU residents on an ongoing basis.
Most notable are the rather impressive fines, which reach 20 million euros or 4% of a company's annual global revenue. Such strict liability will be imposed taking into account the depth and scale of the violation.
Since the GDPR has not yet entered into force, at this point there is no law enforcement practice. But it can already be said that a Ukrainian partner that brings its activities in line with the high requirements of the GDPR will increase the trust of foreign customers and gain an opportunity to protect itself from undesirable consequences.