11 July, 2025

GDPR for business and IT in Ukraine


The General Data Protection Regulation, better known as GDPR, has long ceased to be something abstract for Ukrainian businesses. If your company works with customers or users from the European Union – selling goods, providing online services, or developing applications – then GDPR requirements in Ukraine affect you directly. However you spell it, GPDR or GDPR, ignoring this regulation in 2025 is a path to huge fines and loss of trust. This article is your in-depth guide explaining how the regulation affects business and IT and how to properly implement its provisions.

Section 1: What is GDPR and who does it affect in Ukraine?

In today’s digital world, data is the new oil. And like any valuable resource, it needs reliable protection. GDPR was created precisely for this purpose. For many Ukrainian entrepreneurs, this regulation still seems something complex and distant, concerning only large European corporations. This is a dangerous misconception. Let’s understand what this “beast” is and why it is directly relevant to your business.

1.1 General definition of GDPR: what it is and its main purpose – personal data protection

GDPR (General Data Protection Regulation) is a set of rules adopted by the European Union in 2018. In simple terms, GDPR is the strictest and most comprehensive data privacy and security law in the world. Its main goal is to give citizens back control over their personal data and harmonise the rules for processing it across the EU.

What is personal data in terms of GDPR? It is any information that allows you to directly or indirectly identify a living person (data subject). This is not just first name, surname and passport number. This list includes:

  • Email address
  • Phone number
  • IP address
  • Location data (geolocation)
  • Cookie identifiers
  • Photos and videos
  • Biometric and medical data
  • Even information about political opinions, religious beliefs or sexual orientation.

GDPR sets clear and strict rules for any organisation that collects, stores, processes, transfers or analyses such data. It requires companies to be transparent in their actions, collect data only when there is a legitimate reason to do so, minimise its volume and securely protect it. Violations of these rules are punishable by huge fines that can reach up to 20 million euros or 4% of a company’s annual global turnover.

1.2 The territorial principle of validity: why Ukrainian companies processing data of EU residents are subject to the regulation

And now the most important thing for us. GDPR is extraterritorial. This means that its requirements depend not on where your company is registered, but on whose data you process. If your company, physically located in Kiev, Lviv or Odessa, in any way interacts with the personal data of people located in the European Union, you are automatically subject to GDPR.

Here are some typical examples of when a Ukrainian company is required to comply with GDPR:

  • E-commerce: Your online shop sells goods to customers from Poland, Germany or Italy. You collect their names, shipping addresses, emails, phone numbers.
  • IT outsourcing and outstaffing: You develop software for a European customer and have access to their customer databases in the process.
  • SaaS products: Your online service (CRM, education platform, photo editor) is used by people from EU countries.
  • Hotel and tourism business: Your hotel in the Carpathians is booked by tourists from France through your website.
  • Marketing and advertising: You set up targeted advertising to EU audiences or make an email newsletter to a database with European addresses.
  • Mobile apps and games: If your app is available on the App Store or Google Play for EU users and it collects any data (even advertising identifiers), you are subject to GDPR.

So, if your business is in any way geared towards the European market, the question “Does GDPR affect me?” is rhetorical. The answer is yes, it does.

1.3 To understand the requirements correctly, it is important to understand the key terminology of the regulation

In order to navigate the requirements of GDPR, you need to be familiar with its basic terminology. These are not just legal formalities, but key concepts that define roles and responsibilities. After all, to effectively protect personal data, you need to clearly understand who is who in the process.

For example, the regulations distinguish between a “controller” and a “processor” of data. A Controller is someone who defines the purpose and means of data processing (e.g. the owner of an online shop). The Processor is the one who processes the data on behalf of the Controller (e.g. a cloud service that stores the shop’s database or a marketing agency that does the mailing). Their duties and level of responsibility are significantly different.

In order not to overload this article, we have put a detailed analysis of all the main concepts in a separate material. We strongly recommend that you familiarise yourself with it so that you can speak the same language with lawyers and developers. Read more about it in our article “Key GDPR terms and principles: in plain language”.

Section 2: GDPR Key Principles and Requirements for Businesses

GDPR compliance is more than just ticking the ‘I agree’ box on your website. It’s about reshaping your company’s internal processes based on fundamental principles of respect for privacy. The Regulation sets out seven key principles that are the basis for any action with personal data, and provides data subjects with clear rights that you, as a business, are obliged to ensure.

2.1 The seven core principles of data processing

These seven principles are a kind of “constitution” of the GDPR. Any processing of personal data in your company must comply with each of them. Let’s review them in simple terms:

  1. Lawfulness, fairness and transparency. You should only process data where there is a lawful basis (e.g. customer consent, fulfilment of a contract). Processing must be fair and the customer must clearly understand what data you are collecting, for what purpose and for how long. No hidden processes.
  2. Purpose limitation. You can only collect data for specific, clearly defined and legitimate purposes. You cannot collect data to register for a webinar and then use it to analyse creditworthiness.
  3. Data minimisation. You should only collect as much data as is absolutely necessary to fulfil the stated purpose. If you need a name, address and telephone number to deliver a product, you may not ask for date of birth or marital status.
  4. Accuracy. You have a duty to ensure that the personal data you hold is accurate and up to date. If you become aware that the data is inaccurate, you must correct or delete it.
  5. Storage limitation. Personal data cannot be kept forever. It should be kept in a form that allows for personal identification for no longer than is necessary to fulfil the purpose for which it was collected. For example, the data of a candidate who has been rejected for a vacancy should be deleted after a reasonable period of time, rather than kept for years ‘just in case’.
  6. Integrity and confidentiality. You must take appropriate technical and organisational measures to protect data from unauthorised access, destruction, loss or damage. This includes encryption, access controls, regular security audits.
  7. Accountability. This is the most important principle. It’s not enough to simply comply with the rules – you must be able to demonstrate your compliance. This means maintaining internal documentation such as privacy policies, registers of data processing operations, data protection impact assessments (DPIAs), etc.
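The storage-limitation and accountability principles above are easiest to satisfy when retention is enforced by code rather than by periodic manual clean-ups. The following is an added example, not code from the article or its authors: a retention policy keyed by processing purpose, applied to constructed sample records. The purposes, retention periods, record fields and the `enforceRetention` function are all assumptions for illustration; real periods come from your legal basis and local law. Records whose purpose is not in the policy are not silently kept but flagged for review, and every action is written to a log that can be shown to a regulator.

```javascript
// Added example: enforcing the storage-limitation principle with a
// per-purpose retention policy. Purposes, periods and record shape are
// constructed for illustration, not taken from the article.

const DAY = 24 * 60 * 60 * 1000;

// Assumed policy: how long data may be kept after the purpose has ended,
// and what happens when that period expires.
const RETENTION_POLICY = {
  recruitment: { days: 180, action: 'delete' },      // rejected candidates
  order:       { days: 3 * 365, action: 'anonymise' }, // keep sales stats, drop identity
  newsletter:  { days: 0, action: 'delete' },        // consent withdrawn: delete at once
};

// Strip the identifying part of a record but keep the non-personal part.
function anonymise(record) {
  return { ...record, personal: null, anonymised: true };
}

// Apply the policy to a list of records at time `now` (ms since epoch).
// Returns what was kept, deleted, anonymised or flagged, plus an audit log.
function enforceRetention(records, now) {
  const result = { kept: [], deleted: [], anonymised: [], review: [], log: [] };
  for (const r of records) {
    const policy = RETENTION_POLICY[r.purpose];
    if (!policy) {
      // No documented purpose means no documented lawful retention: flag it.
      result.review.push(r.id);
      result.log.push({ id: r.id, purpose: r.purpose, action: 'review', at: now });
      continue;
    }
    if (r.purposeEndedAt === null) {
      result.kept.push(r); // purpose still active, e.g. an open order
      continue;
    }
    const expired = now - r.purposeEndedAt >= policy.days * DAY;
    if (!expired) {
      result.kept.push(r);
      continue;
    }
    if (policy.action === 'delete') {
      result.deleted.push(r.id);
    } else {
      result.anonymised.push(r.id);
      result.kept.push(anonymise(r));
    }
    result.log.push({ id: r.id, purpose: r.purpose, action: policy.action, at: now });
  }
  return result;
}

// Constructed sample data. NOW is fixed so the run is reproducible.
const NOW = Date.UTC(2025, 6, 11); // 11 July 2025
const sampleRecords = [
  { id: 'cand-1', purpose: 'recruitment', purposeEndedAt: NOW - 200 * DAY,
    personal: { name: 'A. Candidate', email: 'a@example.com' }, nonPersonal: {} },
  { id: 'cand-2', purpose: 'recruitment', purposeEndedAt: NOW - 30 * DAY,
    personal: { name: 'B. Candidate', email: 'b@example.com' }, nonPersonal: {} },
  { id: 'order-1', purpose: 'order', purposeEndedAt: NOW - 4 * 365 * DAY,
    personal: { name: 'C. Buyer', address: 'Berlin' }, nonPersonal: { total: 49.9, country: 'DE' } },
  { id: 'sub-1', purpose: 'newsletter', purposeEndedAt: NOW, // unsubscribed today
    personal: { email: 'd@example.com' }, nonPersonal: {} },
  { id: 'order-2', purpose: 'order', purposeEndedAt: null, // still being fulfilled
    personal: { name: 'E. Buyer', address: 'Warsaw' }, nonPersonal: { total: 12.0, country: 'PL' } },
  { id: 'misc-1', purpose: 'legacy-export', purposeEndedAt: NOW - 1000 * DAY,
    personal: { name: 'F. Unknown' }, nonPersonal: {} },
];

function demo() {
  return enforceRetention(sampleRecords, NOW);
}
```

Running `demo()` deletes the stale candidate and the unsubscribed address, anonymises the four-year-old order while keeping its country and total for statistics, keeps the recent candidate and the open order untouched, and flags the record with an undocumented purpose instead of keeping it by default.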

2.2 Data subject rights you are obliged to ensure

The GDPR gives people (data subjects) eight fundamental rights in relation to their information. Your company should have clear and understandable procedures for realising each of these rights.

  • Right to be informed: People have the right to know who is processing their data, why and how. This is realised through your Privacy Policy.
  • Right of access: any of your customers or users can submit a request and receive a copy of all personal data you hold about them.
  • The right to rectification: if an individual finds that their data in your system is inaccurate or incomplete, they have the right to request that it be corrected.
  • The right to erasure (“right to be forgotten”): this is one of the best known rights. An individual can request the complete erasure of their data if it is no longer needed for its original purpose or if they have withdrawn their consent to its processing.
  • Right to restriction of processing: in certain situations (e.g. while the accuracy of the data is being verified), the individual can “freeze” the processing of their data.
  • The right to data portability: a person has the right to receive their data from you in a structured, machine-readable format and transfer it to another service provider (for example, exporting playlists from one music service to another).
  • Right to object: a person can object at any time to the processing of their data for direct marketing purposes.
  • Rights regarding automated decision-making and profiling: the individual has the right not to be subject to decisions based solely on automated processing (e.g. automatic refusal of credit) if this has significant consequences for them.

2.3 Implementing these requirements is a complex process

Understanding the principles and rights is only the first step. Putting them into practice requires a systematic approach involving the legal, technical and organisational levels of your company. You need to audit your data, develop internal policies, train your staff, update your contracts with contractors, and perhaps even change your software architecture.

Implementing these requirements is a complex process, and companies need a clear step-by-step action plan to ensure they don’t miss anything. We tell you more about how to achieve GDPR compliance in our special article “GDPR Compliance: a step-by-step plan for Ukrainian companies”. Familiarising yourself with it will help you to structure this complex process and confidently move towards full compliance with the regulation.

Section 3: Specifics of GDPR for IT companies and developers

If GDPR for business in general is about rules and processes, then for the IT sphere it is also about architecture and code. Developers, architects and owners of IT products are responsible for the technical implementation of the requirements of the regulation. Ignoring these requirements at the development stage can lead to the need for costly and complex redesign of the entire product in the future.

3.1. Privacy by Design and Privacy by Default concepts: how to build in privacy principles at the product development stage

GDPR introduces two revolutionary principles that completely change the approach to software and online services development. These are not just recommendations, but mandatory requirements.

  • Privacy by Design: This principle requires that data protection and privacy be integrated into the product from the very beginning, at the design stage, rather than being added as a last-minute crutch. This means that when developing any new feature (such as a registration form, comment system, or analytics collection), the team should ask themselves the following questions:
    • What data will we collect? Do we really need all this data (the principle of minimisation)?
    • How will we protect it? (encryption, password hashing, protection against SQL injection).
    • How will we ensure user rights? (For example, the ability to easily delete a user’s account along with all of their data).
    • How will we manage data retention periods?
  • Privacy by Default: This principle means that the privacy settings in your product should be as strict as possible by default. The user shouldn’t have to look for ways to disable data collection in the settings. On the contrary, any data collection that is not absolutely necessary for the operation of the service should be disabled. The user must take an active action (tick a box) to enable it. A classic example is the cookie banner. By default, only technically necessary cookies should be enabled, while analytical and marketing cookies should be disabled unless the user explicitly agrees to them.

These two principles make IT companies think of privacy not as a legal formality, but as an integral part of user experience (UX) and product quality.
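The cookie-banner case above is where Privacy by Default is most often got wrong in code: analytics and marketing tags are injected on page load and the banner only records a choice after the fact. The following is an added example, not code from the article or its authors, showing the opposite ordering in browser-side JavaScript: the default state grants only the necessary category, third-party loaders run only for categories the user has explicitly enabled, and a stored choice made under an older policy version is treated as no choice at all. The category names, `CONSENT_VERSION`, the loader objects and the `recordConsent`/`applyConsent` functions are assumptions; a real site would wire `load()` to its tag injection and persist the consent object.

```javascript
// Added example: privacy-by-default consent gating for a cookie banner.
// Category names, loaders and function names are assumptions for illustration.

const CONSENT_VERSION = 2; // bump whenever the policy or category list changes

// Privacy by Default: only strictly necessary storage is on. Everything else
// stays off until the user takes an explicit action.
function defaultConsent() {
  return {
    version: CONSENT_VERSION,
    decidedAt: null, // null = the user has not made a choice yet
    categories: { necessary: true, analytics: false, marketing: false },
  };
}

// Record an explicit user choice. `necessary` cannot be switched off, and
// anything other than an explicit `true` for a category counts as a refusal.
function recordConsent(prev, choice, now = Date.now()) {
  if (!choice || typeof choice !== 'object') {
    throw new Error('consent requires an explicit user action');
  }
  const categories = { ...prev.categories };
  for (const key of Object.keys(choice)) {
    if (key === 'necessary') continue; // always on, never user-selectable
    if (!(key in categories)) throw new Error(`unknown category: ${key}`);
    categories[key] = choice[key] === true;
  }
  return { version: CONSENT_VERSION, decidedAt: now, categories };
}

// A stored decision from an older policy version is not reused: the user is
// asked again, and until then the default (strict) state applies.
function effectiveConsent(stored) {
  if (!stored || stored.version !== CONSENT_VERSION) return defaultConsent();
  return stored;
}

// Run only the loaders whose category has been granted. Returns the names of
// the loaders that ran, so the decision is auditable.
function applyConsent(consent, loaders) {
  const ran = [];
  for (const { category, name, load } of loaders) {
    if (consent.categories[category] === true) {
      load();
      ran.push(name);
    }
  }
  return ran;
}

// Constructed sample loaders standing in for real script/tag injection.
const loaded = [];
const sampleLoaders = [
  { category: 'necessary', name: 'session', load: () => loaded.push('session') },
  { category: 'analytics', name: 'analytics', load: () => loaded.push('analytics') },
  { category: 'marketing', name: 'ads', load: () => loaded.push('ads') },
];

// Walk-through: first visit with no stored choice, then the user opts in to
// analytics only, then a choice stored under an old version is encountered.
function demo() {
  const first = applyConsent(effectiveConsent(null), sampleLoaders);
  const chosen = recordConsent(defaultConsent(), { analytics: true, marketing: false }, 1000);
  const second = applyConsent(chosen, sampleLoaders);
  const stale = { version: 1, decidedAt: 500,
                  categories: { necessary: true, analytics: true, marketing: true } };
  const third = applyConsent(effectiveConsent(stale), sampleLoaders);
  return { first, second, third, chosen };
}
```

On the first visit only the session loader runs; after the user ticks analytics, the analytics loader runs as well but the ads loader does not; and a consent record saved under version 1 falls back to the strict default rather than silently carrying an old "everything on" choice forward.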

3.2 In addition to protecting user data, it is critical for developers to protect their own intellectual property

While working on GDPR compliance, IT companies often focus so much on protecting other people’s (user) data that they forget about protecting their most valuable asset – their own intellectual property. Your software code, your unique interface design, your database architecture, the content on your website – all of these are subject to copyright.

While you are developing a GDPR-compliant product, an unscrupulous competitor or former employee can simply copy your code or design and launch a “clone” of your service. Therefore, in parallel with GDPR implementation, it is necessary to build a strategy to protect your IT assets. This includes proper labour relations with developers, registration of copyrights for key elements of the product, and implementation of technical means of protection. For more information on how to do this, see our guide dedicated to this very topic: “Copyright for software code and online content: protection for developers”.

3.3 Legal purity of IT products depends not only on GDPR, but also on the correct use of third-party components

Modern software development is impossible without the use of third-party libraries, frameworks and open-source components. This significantly speeds up and reduces the cost of development. However, each such component is distributed under a specific licence (MIT, Apache, GPL, BSD, etc.), which imposes certain obligations on you.

Improper use of Open Source can lead to serious legal problems:

  • Some licences (such as the GPL) are “viral” and require that your entire product using such a component must also be open under the same licence. This can completely destroy the commercial value of your proprietary software.
  • Other licences require attribution, storing the licence text in the product files and the like.

The legal “cleanliness” of your IT product is not only GDPR compliance, but also compliance with the terms of all licences for third-party components you use. Conducting a licence audit is just as important as a GDPR audit. To understand this complex issue, we recommend reading our article on software licensing, which details the types of software licences and their legal implications.

Conclusions

GDPR compliance in 2025 for Ukrainian business is no longer an option, but a necessity. It is not just a legal formality, but a fundamental sign of reliability, respect for the client and a significant competitive advantage in the international market. The implementation of GDPR regulations is a continuous process that requires constant attention to legal aspects, competent technical implementation and building a culture of privacy within the company.

For the IT sector, the challenge is even deeper, as it requires protecting not only customers’ personal data, but also their own intellectual property. Only an integrated approach that combines GDPR compliance, copyright protection and proper licensing can ensure that your product is truly legally clean and safe in today’s digital world.

My IT company develops software for a client in Germany, and we have access to their user database. Who is the "controller" and who is the "processor" in this case, and what is the difference in responsibility?

This is a classic outsourcing scenario, and it is important to clearly delineate the roles:

  • Your German customer is the Controller. It defines the purpose and means of the data processing (e.g. “collecting emails for the newsletter”) and bears the main responsibility to the end users.
  • Your Ukrainian IT company is the Processor. You process data on behalf of the controller.

Practical difference in responsibility:
Your main obligation as a processor is to ensure the technical security of the data and to process it strictly according to the controller’s instructions. Your relationship should be formalised in a special document – the Data Processing Agreement (DPA). If you go beyond the guidelines (e.g. start using customer data for your own purposes), you yourself will become the controller for this operation and will be fully liable.

Is it necessary to obtain explicit consent (e.g. via a cookie banner) for absolutely all data processing? Are there other legal grounds?

No, consent is only one of six lawful bases for processing data, and GDPR does not require it for every processing operation. You may process data without consent if it is necessary for:

  1. Fulfilment of a contract: You do not ask for consent to process a delivery address when a customer buys a product. This is necessary to fulfil the contract of sale.
  2. Fulfilment of a legal duty: For example, you are obliged to pass data to the tax authorities.
  3. Protecting the vital interests of a person: For example, passing medical data to doctors in the event of an accident.
  4. Performing tasks in the public interest.
  5. Legitimate Interests: This is a flexible basis, but it requires balance. For example, you can process IP addresses to protect your site from cyberattacks. However, your interests must not override the rights and freedoms of the user.

Consent is required for activities that are not strictly necessary, such as marketing mailings or the setting of analytical and advertising cookies.

How exactly can European regulators impose a fine on a Ukrainian company that does not have an office or bank accounts in the EU?

While there may not be a direct “cross-border enforcement” mechanism, there are other equally effective leverage points:

  • Access blocking: The regulator may oblige internet service providers in the EU to block access to your site or service.
  • Reputational losses: Information about infringements and fines is public, which can completely destroy the trust of European customers and partners.
  • Pressure through partners: Your European partners (e.g. payment systems like Stripe or Adyen, banks, cloud service providers) may refuse to co-operate with you to avoid being embroiled in a scandal. This could effectively stop your business in the EU market.
  • Appoint an EU representative: If you systematically handle EU data, the GDPR requires you to appoint an official representative in one of the EU countries. It is this representative who will be the point of contact for regulators and can be held accountable.

I use popular services: Google Analytics, Mailchimp, AWS. Is their use a violation of GDPR, since the data is transferred outside the EU (for example, to the USA)?

Using these services is not an automatic violation, but requires you to take certain actions to legalise data transfer. The services themselves (Google, Mailchimp, Amazon) are GDPR-compliant, but it is your responsibility to set them up correctly.

What you need to do:

  1. Sign the Data Processing Addendum (DPA): All major services provide this agreement, which legally formalises your “controller-processor” relationship and contains data protection terms and conditions.
  2. Set up the service correctly: For example, enable IP anonymisation in Google Analytics. In Mailchimp, use double opt-in forms.
  3. Choose the right storage location: Some services, like AWS, allow you to choose your data centre. For EU customers, it is better to choose servers located in Europe (e.g. Frankfurt or Ireland).
  4. Inform users: In your Privacy Policy, you should clearly state which third-party services you use and provide links to their policies.

How do I know if a user is an EU resident? What if an EU citizen is using my site from Ukraine or using a VPN?

GDPR protects the personal data of any natural person physically present in the EU, regardless of their nationality.

  • The main criterion is geolocation, not citizenship. If a German citizen lives and works in Kiev, their data collected in Ukraine is subject to Ukrainian law, not GDPR. However, if a tourist from Ukraine accessed your website while in Berlin, their data is protected by GDPR.
  • How to determine? The most common way is to analyse the user’s IP address.
  • What if it’s a VPN? You can’t control the use of a VPN. However, the main question GDPR asks is: is your business targeting the EU market? If you offer prices in euros, have a language version of your website for an EU country, and deliver in the EU, then you are deliberately targeting that market. In that case, you are obliged to comply with GDPR for all users who could potentially be from the EU, even if you can’t pinpoint their exact location.