GDPR compliance is not a one-off project that can be “done and forgotten.” It is an ongoing process that is deeply integrated into your company’s daily activities. Achieving it means not only avoiding huge fines, but also building trust with customers and partners from the EU, which is key to the global market. This article offers a practical step-by-step plan designed specifically to implement effective GDPR compliance in Ukraine.
Section 1. Step 1: Data audit and risk assessment
Before building a house, an architect studies the site, analyses the soil and draws up a detailed plan. The same applies to GDPR compliance. You cannot implement rules and policies without thoroughly understanding what data you are working with. This first step — the audit — is the most important, although often the most laborious. Its purpose is to create a complete and honest picture of all personal data flows in your company.
1.1. Take stock: what personal data do you collect, for what purpose, where and for how long do you store it?
This is a fundamental task. You cannot protect something you don’t even know exists. Data inventory is the process of creating a detailed register of all personal data that “relates” to your business. The best way to do this is to create a simple table (in Excel or Google Sheets) and methodically fill it in, answering four key questions for each business process:
- What data do we collect? (What?)
  - Example for an online store: first name, last name, email address, phone number, delivery address, order history, IP address, cookies.
- Why do we collect it? (Why?)
  - Example: Name and address – to fulfil the contract (delivery of goods). Email address – to send transactional emails (order confirmation) and, by separate agreement, for marketing communications. IP address and cookies – for website analytics and security.
- Where do we store it? (Where?)
  - Example: Customer data – in a CRM system (e.g. Salesforce, servers in the USA). Email addresses for mailings – in the Mailchimp service (servers in the USA). Website data – on Hetzner hosting (servers in Germany).
- How long do we store it? (How long?)
  - Example: Order data – for 3 years after the last purchase (to fulfil warranty obligations). Data for marketing mailings – until the user withdraws their consent. Data on job applicants who have been rejected – no longer than 6 months.
This exercise will immediately reveal any “blind spots” and show whether you are collecting unnecessary data that creates additional risks for you.
1.2. Determine the legal basis for processing each type of data
This is the heart of the legal part of the GDPR. You cannot process personal data “just because.” The regulation requires that you have one of six legal grounds for each action you take with the data. The most common ones for businesses are:
- Consent: This is the most well-known, but not the only basis. Consent must be freely given, specific, informed and unambiguous. For example, to send a promotional newsletter, the user must tick the checkbox themselves. Pre-ticked checkboxes or “silent consent” are illegal.
- Contract performance: If you process data for the performance of a contract with a customer, no separate consent is required. For example, when you transfer a customer’s address to a courier service for the delivery of goods.
- Legal Obligation: When data processing is required by law. For example, storing financial documents and invoices for tax reporting purposes.
- Legitimate Interest: This is the most flexible but also the most complex basis. You can process data if it is necessary for the legitimate interests of your company, provided that these interests do not override the rights and freedoms of individuals. Example: using IP addresses to prevent fraud and DDoS attacks on your website. Using this basis requires a special assessment (LIA – Legitimate Interest Assessment).
In your inventory table, you must clearly indicate the relevant legal basis opposite each processing purpose (from section 1.1).
1.3. Create a Data Flow Map
If inventory is a list of your data, then a flow chart is a visual diagram of its movement. It helps you understand how data enters your company, how it moves within it, and where it is transferred outside. It’s similar to a warehouse logistics diagram: you can see where the goods came from, where they are stored, and where they are sent.
A data flow diagram helps answer the following questions:
- Where do we get our data from? (Forms on the website, mobile app, API integrations).
- Which departments within the company have access to them? (Sales, marketing, technical support).
- To which third parties (contractors, services) do we transfer data? (Payment systems, hosting providers, analytics services, CRM systems).
- Is data transferred outside the European Economic Area (e.g. to the United States)? If so, on what grounds (this requires additional protective measures).
Creating such a map allows you to clearly see potential risks, especially at “transfer points” where data is passed on to third parties, and understand where security measures need to be strengthened.
1.4. Assess the need to appoint a Data Protection Officer (DPO)
A Data Protection Officer (DPO), sometimes called a Data Protection Inspector, is a designated role in a company responsible for overseeing compliance with the GDPR. A common mistake is to assume that every company needs a DPO. In fact, the Regulation requires its appointment in only three cases:
- If you are a state or municipal authority.
- If your main activity involves regular and systematic monitoring of people on a large scale (for example, you are a social network, mobile operator, or insurance company that analyses customer behaviour).
- If your main activity involves the large-scale processing of sensitive personal data (about health, racial origin, political views, biometrics).
For most Ukrainian online stores, small IT companies, or start-ups, appointing an official DPO is not mandatory. However, even if a DPO is not mandatory, it is good practice to appoint a responsible person within the company who will deal with GDPR issues. This could be a lawyer, the head of the IT department or another competent employee.
Section 2. Step 2: Development and implementation of documentation
Once you have conducted an audit and know exactly what data you are working with, it is time to formalise your processes. One of the key principles of the GDPR is accountability. You must not only comply with the rules, but also be ready to demonstrate this to the regulator or partners at any time. This is precisely why you need a set of internal and external documents that will serve as your “paper shield” and instructions for the entire team.
2.1. Create and publish a clear and comprehensive Privacy Policy on the website
Privacy Policy – this is your main external document, the “face” of your GDPR compliance. It is not just a formal text that no one reads, but a public commitment to your customers and users. It should be written in simple and understandable language, without complex legal terminology, and easily accessible from any page of your website or application screen.
What a high-quality Privacy Policy must contain:
- Who you are: Full name and contact details of your company (data controller).
- What data do you collect: A clear list of categories of personal data (e.g., “contact details,” “technical data,” “usage data”).
- Why you collect them: A detailed description of the purpose for each category of data (e.g., “to process orders,” “to send marketing messages,” “to improve the website”).
- Legal basis: A legal basis (consent, contract, legitimate interest) must be specified for each purpose.
- Who you share data with: A list of categories of third parties with whom data may be shared (courier services, payment systems, analytics services). If data is transferred outside the EU, you must specify the grounds for doing so (e.g., Standard Contractual Clauses).
- How long do you retain data: Retention periods for different categories of data.
- User rights: A detailed description of the data subject’s rights (to access, delete, etc.) and clear instructions on how a person can exercise them (for example, by writing to a special email address [email protected]).
- Information about cookies: Link to a separate cookie policy or detailed description in this document.
Creating such a policy is a key element of GDPR for your company. It is your declaration of transparency.
2.2. Develop internal guidelines for employees on the handling of personal data
Your external policy will not work if your employees do not know how to implement it. Every employee who has access to personal data (from sales managers to system administrators) must clearly understand the rules of the game. To this end, internal policies and instructions are developed.
These may include the following documents:
- Data Protection Policy: A general document describing the company’s approach to GDPR, roles and responsibilities.
- Clean desk and screen policy: Simple rules, such as locking your computer when leaving your workstation and not leaving printed documents containing personal data on your desk.
- Rules for using work email and instant messengers: Prohibition on sending personal data via unsecured channels.
- Instructions for the support department: How to correctly identify a customer before granting them access to data or making changes.
- Access management policy: Which employees have access to which data and at what level (view only, edit, delete).
These documents should not be complicated or bureaucratic. Their purpose is to provide clear and practical guidance for day-to-day work.
2.3. Prepare response templates and procedures for responding to data subject requests
The GDPR gives people the right to request access to their data, its deletion, correction, etc. And you only have one month to respond to such a request. If you have to figure out how to respond from scratch each time, you risk missing the deadline.
Therefore, it is necessary to develop clear internal procedures and templates in advance:
- Channel for requests: Define a single point of entry for such requests (e.g., email [email protected]).
- Identification procedure: How can you verify that the request came from the person whose data it concerns, and not from a fraudster? (For example, ask them to confirm the email address or phone number you have in your database).
- Action algorithm: Who in the company is responsible for receiving requests, who searches for data in the systems, who formulates responses, and who monitors deadlines?
- Response templates: Prepare ready-made templates for the most common requests: “Here is your data…”, “Your data has been successfully deleted…”, “We cannot delete your data because we need it to fulfil our legal obligations (account storage)”, etc.
Having such a system in place will enable you to respond to requests quickly, professionally and without panic.
2.4. Create and test a Data Breach Response Plan
This is one of the most important documents that is often overlooked. The question is not “will a data breach occur,” but “when will it occur.” Even the largest companies experience incidents. And GDPR requires you to be prepared for them. You are required to notify the supervisory authority of a breach within 72 hours of becoming aware of it.
A data breach response plan is your step-by-step guide in case of a crisis. It should include:
- Defining roles: Who is on the response team (manager, lawyer, IT specialist, PR manager)? Who makes key decisions?
- Response stages:
  - Identification and assessment: How to record the fact of a leak and assess its scale (how many people were affected, what data was leaked).
  - Containment: How to immediately stop the leak (e.g., block access, patch the vulnerability).
  - Notification: Who to notify, when and how (supervisory authority, affected customers).
  - Analysis and conclusions: How to investigate the causes and what to do to prevent this from happening again.
The most important thing is that this plan should not just be written down and put in a drawer, but regularly tested (for example, by simulating a leak) so that everyone in the team knows what to do. This is what practical implementation of GDPR looks like.
Section 3. Step 3: Technical and organisational measures
While the previous two steps focused on analysis and creating a “paper” foundation, the third step is putting your policies into practice. These are practical actions aimed at real data protection and raising awareness within the team. It is at this stage that legal requirements are transformed into specific settings in systems, clauses in contracts, and training sessions for employees.
3.1. Ensure technical protection: encryption, pseudonymisation, access control
This is the foundation of data security. You can have perfect policies, but if your data is stored openly on an unprotected server, it is easy prey for attackers. GDPR requires companies to implement “appropriate technical measures.” The specific set depends on the level of risk, but the basic “gentleman’s set” includes:
- Encryption:
  - Encryption in transit: Using TLS (HTTPS) on your website is the absolute minimum. This protects the data that users enter into forms while it travels from the browser to the server.
  - Encryption at rest: Data in the database and files on the server must also be encrypted. This ensures that even if someone gains physical access to the disk, they cannot read the data.
- Pseudonymisation: This is a data processing technique in which direct identifiers are replaced with pseudonyms (e.g., user_12345 instead of Ivan Petrenko), while the information needed to re-identify a person is kept separately and under access control. This allows user behaviour to be analysed without working with direct identifiers, which significantly reduces the risk if the analytics data is exposed.
- Access Control: Not all employees need access to all data. Implement the principle of least privilege: each employee should only have access to the information that is absolutely necessary for the performance of their job duties. A sales manager should not be able to see user passwords, and a marketer should not be able to see payment details.
In addition, technical measures include regular software updates, the use of firewalls, antivirus protection, and security audits (penetration tests).
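As an added example (not code from the original article), the following Python script shows the pseudonymisation and least-privilege points from section 3.1 in practice: a constructed CRM export with fictional people is split into an analytics copy that carries only keyed pseudonyms and non-identifying fields, and a separate re-identification table that stays with the controller. It also includes a linkability check that shows why an unkeyed hash of an email address is not a real pseudonym: anyone holding a list of candidate addresses can recompute it and link the rows back, whereas an HMAC pseudonym requires the secret key. The record values, field names and the `user_` prefix are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample customer records (fictional people) standing in for a CRM export.
CRM_RECORDS: List[Dict] = [
    {"customer_id": 101, "name": "Ivan Petrenko", "email": "Ivan.Petrenko@example.com",
     "city": "Lviv", "orders": 4, "total_eur": 318.50},
    {"customer_id": 102, "name": "Olena Shevchenko", "email": "olena.s@example.com",
     "city": "Berlin", "orders": 1, "total_eur": 49.00},
    {"customer_id": 103, "name": "Marko Novak", "email": "marko.novak@example.com",
     "city": "Vienna", "orders": 2, "total_eur": 120.00},
]

# Fields that directly identify a person; they must never reach the analytics copy.
DIRECT_IDENTIFIERS = {"customer_id", "name", "email"}


def _normalise(identifier: str) -> bytes:
    # Case and surrounding whitespace must not produce two pseudonyms for one person.
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: looks like a pseudonym, but anyone can recompute it."""
    return "user_" + hashlib.sha256(_normalise(identifier)).hexdigest()[:16]


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: can only be recomputed by whoever holds `key`."""
    return "user_" + hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()[:16]


def pseudonymise_for_analytics(records: Iterable[Dict],
                               key: Optional[bytes]) -> Tuple[List[Dict], Dict[str, int]]:
    """Split a CRM export into (a) rows safe to hand to the analytics team and
    (b) a re-identification table that stays with the controller, access-restricted.

    key=None uses the naive unkeyed hash (the weak "before" variant); a 32-byte
    secret key gives the keyed variant that GDPR-style pseudonymisation needs.
    """
    analytics_rows: List[Dict] = []
    lookup: Dict[str, int] = {}
    for rec in records:
        pid = naive_pseudonym(rec["email"]) if key is None else keyed_pseudonym(rec["email"], key)
        # Least privilege: the analytics copy carries only non-identifying fields.
        row = {"user": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        analytics_rows.append(row)
        lookup[pid] = rec["customer_id"]
    return analytics_rows, lookup


def reidentify(pid: str, lookup: Dict[str, int]) -> Optional[int]:
    """Only the team holding the lookup table (e.g. support answering a data
    subject request) can go from a pseudonym back to a customer id."""
    return lookup.get(pid)


def linkable_without_key(candidate_emails: Iterable[str], rows: List[Dict]) -> List[str]:
    """Linkability check run from the position of someone who has the analytics
    rows and a list of candidate addresses but NOT the secret key: which
    addresses can be matched just by recomputing the unkeyed hash?"""
    present = {row["user"] for row in rows}
    return [email for email in candidate_emails if naive_pseudonym(email) in present]


if __name__ == "__main__":
    # The key is generated once and stored outside the analytics environment
    # (secret manager, HSM); here it is generated per run for the demonstration.
    key = secrets.token_bytes(32)
    rows, lookup = pseudonymise_for_analytics(CRM_RECORDS, key)
    for row in rows:
        print(row)
    naive_rows, _ = pseudonymise_for_analytics(CRM_RECORDS, None)
    probe = ["ivan.petrenko@example.com", "nobody@example.com"]
    print("linkable with unkeyed hash:", linkable_without_key(probe, naive_rows))
    print("linkable with keyed pseudonym:", linkable_without_key(probe, rows))
```

The design choice that matters is where the key and the lookup table live: if either is stored next to the analytics copy, the pseudonymisation is only cosmetic. Truncating the digest to 16 hex characters is enough for a customer base of this size; for very large datasets keep the full digest to rule out collisions.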
3.2. Implement the principles of “Privacy by Default” and “Privacy by Design”
These two principles, which we have already mentioned in the context of IT development, are essential for any business that creates or uses technology.
- Privacy by Design means that you must consider data protection at every stage of your product or service lifecycle. Before launching a new feature, marketing campaign, or integration with a new service, you should conduct a Data Protection Impact Assessment (DPIA). This is a process in which you analyse the privacy risks of a new initiative and how they can be minimised.
- Privacy by Default requires that the settings of any system be as private as possible by default. For example, in a registration form, the “Subscribe to our newsletter” checkbox should be unchecked. The user must take active steps to agree to receive advertising. In the user’s profile settings, the visibility of their data to others should be set to “only me” rather than “everyone.”
Implementing these principles shows that your company respects the privacy of its customers and does not attempt to deceive them into providing more data than is necessary.
3.3. Review contracts with contractors and sign Data Processing Agreements (DPAs) with them
Your responsibility for data does not end at the boundaries of your company. If you transfer personal data to third parties (processors), you are fully responsible for their actions. Such processors include:
- Hosting providers
- Cloud storage services (AWS, Google Cloud)
- CRM systems
- Email marketing services (Mailchimp, SendGrid)
- Analytics services (Google Analytics)
- Outsourced accounting and legal companies.
The GDPR requires that your relationship with each such processor be formalised in a special document – a Data Processing Agreement (DPA). This is a legally binding contract in which the processor guarantees that it will process data in accordance with GDPR requirements, ensure an adequate level of security, notify you of any breaches, and assist in responding to data subject requests. Most large international services have ready-made DPA templates that you simply need to accept. With smaller contractors, you may need to develop such a document individually. It is also important to check whether your contractor in turn relies on third-party services (sub-processors), as this may affect software licensing and overall security.
3.4. Train your staff to raise awareness of GDPR requirements
The weakest link in any security system is the human factor. You may have the most advanced technical security measures in place, but if your employee clicks on a phishing link and leaks their login details, all your efforts will be in vain. Therefore, staff training is a critically important organisational measure.
Training should be regular (at least once a year) and cover the following topics:
- What is personal data and why is it important to protect it?
- The main principles of the GDPR and the company’s internal policies.
- Rules for safe data handling (do not use public Wi-Fi to work with confidential information, create complex passwords, etc.).
- How to recognise phishing attacks and other social engineering threats.
- What to do if you detect suspicious activity or a potential data breach.
Training not only reduces the risk of human error, but also fosters a culture of respect for confidentiality within the company. Every employee must be aware that they are personally responsible for the data they work with.
Conclusions
Achieving GDPR Compliance is not just a matter of fulfilling formal requirements, but rather a systematic effort that requires the deep involvement of both your company’s legal and technical departments. From detailed data audits to regular employee training, each step of this plan brings your company closer to the highest standards of transparency and security.
Remember that in today’s world, the answer to the question of how to comply with GDPR is not only proof of your compliance with the law, but also a powerful competitive advantage. It demonstrates your respect for your customers, increases their trust, and opens the door to the global market. In addition to data protection, it is also important for IT companies to understand the legal aspects of using third-party components. You can read more about this in our article “Software licensing: types and legal aspects”.
Does GDPR replace the Ukrainian Law "On Personal Data Protection"? Which law should I adhere to in the first place?
No, the GDPR does not replace Ukrainian law, but operates in parallel with it. You are required to comply with both.
- The Ukrainian law “On the Protection of Personal Data” applies to the processing of data of all persons on the territory of Ukraine, including Ukrainians.
- The GDPR adds another, more stringent level of requirements that applies when you process data of individuals located within the EU.
Practical rule: If you work with both Ukrainians and EU clients, you need to set up your processes so that they comply with the strictest requirements of both laws. Since the GDPR is significantly more detailed and stringent, a company that complies with the GDPR will, in 99% of cases, automatically comply with Ukrainian legislation.
I am a small online shop / FLP (sole proprietor). I don't have the resources for a DPO and complex audits. What is the absolute minimum I should do to start working with EU clients?
You don’t have to implement all the procedures at the level of a large corporation right away. Here is “minimum viable compliance” to get you started:
- Transparent Privacy Policy: Create a clear policy on your website that honestly describes what data you collect, why you collect it, and how long you keep it. This is your most important document.
- Legal cookie banner: Install a banner where analytical and marketing cookies are disabled by default. The user must tick the box themselves to enable them.
- Secure website (HTTPS): An SSL certificate is an absolute necessity for encrypting data transmitted through your website.
- Use GDPR-compliant services: Ensure that your contractors (hosting, Mailchimp, payment system) comply with GDPR and accept their Data Processing Agreements (DPA).
- Create an email address for requests: Have a separate email address (e.g., [email protected]) where users can send requests regarding their data, and respond to them.
These five steps cover the most critical and visible requirements for the user.
An EU client demands that all their data be deleted ("right to be forgotten"), but I still have their invoices for the tax office. What should I do?
The “right to be forgotten” is not absolute. Your obligation to comply with legal requirements (e.g., tax law) is stronger than the customer’s right to deletion.
The correct sequence of actions:
- Delete what you can: Delete the customer’s profile from your CRM system, their data from marketing mailings, their technical support history, etc.
- Keep what you are required to keep: Keep financial documents (invoices, transaction data) that you are required to keep in accordance with the Tax Code of Ukraine (usually for 3 years).
- Inform the customer: Send the customer a reply confirming that their basic data has been deleted. At the same time, clearly explain that certain information (e.g. invoices) will be stored for the period specified by law for financial reporting purposes and will be deleted after that period has expired.
Do the GDPR requirements apply to my own employees if they are EU citizens and work remotely?
Yes, absolutely. The GDPR protects the data of all individuals in the EU, and your employees are no exception. The processing of their data must comply with all the principles of the Regulation.
- Legal basis: The main basis for processing employee data is the employment contract and legal obligations (e.g. payment of taxes).
- What this means in practice: You must ensure the confidentiality of their personal files, salary information, holiday and sick leave data. For example, you cannot install software to monitor activity on their work computers without notifying them and without having legal grounds for doing so.
I have an old email address database of EU customers, collected a few years ago without explicit marketing consent. Can I start mailing to it now?
No, that is very risky. The GDPR requires that consent for marketing be specific, informed and unambiguous (i.e., the person must clearly understand that they are signing up for promotional emails). Data collected on the basis of “silent consent” or with vague wording does not meet these requirements.
What should you do?
The best and safest option is to conduct a “re-permission campaign”. Send a single email to this old database explaining the situation and asking users to actively confirm their subscription by clicking on a link. Those who ignore the email or do not confirm their consent should be removed from your marketing database. This will allow you to create a “clean”, GDPR-compliant database for future mailings.