28 June, 2024

Personal data protection: a guide for responsible business in Ukraine

8 minutes

Success in modern business is increasingly dependent on trust, and trust is built on responsible data management. This is especially true when it comes to customers’ personal data.  Ignoring the rules of the game in the field of data privacy can lead to serious consequences, while understanding and implementing appropriate measures opens up new opportunities. This article will help you to understand the key aspects of data protection in Ukraine and adapt your business to modern requirements.

Why is personal data protection a necessity, not a formality?

Responsibility for the privacy and confidentiality of customer data goes far beyond a simple check mark on a consent form. Processing personal data has long been an integral part of most companies’ operations, but is it always done in compliance with all the necessary regulations and standards? Unfortunately, many businesses still treat data protection issues as a formality, not realizing the potential risks and threats that lie behind a negligent attitude in this area.

Responsibility for customer data: What are the risks of ignoring data protection legislation and what consequences can be expected for businesses?

In Ukraine, personal data protection issues are regulated by the Law of Ukraine “On Personal Data Protection”, as well as a number of other legal acts. These documents establish clear requirements for the collection, processing, storage and use of information about individuals. Ignoring these requirements can lead to serious consequences for businesses, including:

  • Administrative liability: violation of the legislation on personal data protection may result in significant fines for the company and its officials. The amount of fines depends on the severity of the violation and can reach hundreds of thousands of hryvnias.
  • Criminal liability: In some cases, for example, when confidential information is unlawfully collected, disclosed or used, criminal liability may also arise. This carries even more serious consequences, including imprisonment.
  • Material damages: The leakage or unlawful use of personal data may result in lawsuits by affected individuals. The company may be obliged to pay substantial compensation for the damage caused, which will result in significant financial losses.

In addition to the immediate consequences associated with the law, ignoring data protection rules can lead to

  • Loss of reputation: news of a data breach spreads quickly, causing irreparable damage to the company’s reputation. Loss of trust from customers can lead to lower sales, refusal of partners to cooperate, and other negative consequences.
  • Problems with international business partnerships: The issue of data protection is particularly relevant for companies that cooperate with European partners or plan to enter the European market. The European Union has very strict data protection legislation (GDPR), and non-compliance with it can lead to serious sanctions, including a ban on doing business in the EU.

It is worth remembering that what are the fines for violating the GDPR? It’s much more important to realize that personal data protection is not just a legal requirement, but a matter of ethics and respect for your customers.

Reputational and financial risks: how data leakage or misuse can damage a company’s reputation and lead to financial losses.

In today’s world, where information travels at the speed of light, a company’s reputation is one of its most valuable assets. And this reputation directly depends on how carefully a business treats the confidentiality of its customers’ data. Leakage or misuse of personal data can cause irreparable damage to the company’s image, which will inevitably lead to financial losses.

Reputational risks:

  • Loss of credibility: news of a data breach from a particular company instantly undermines the trust in it from customers, partners, and investors. People begin to doubt the company’s reliability, competence, and ability to keep their information safe.
  • Negative media coverage: Data breaches often become sensational news stories that attract the attention of journalists and bloggers. Negative media coverage can tarnish a company’s reputation for a long time, even if the incident was successfully resolved.
  • Reduced customer loyalty: Customers who have lost trust in a company due to a data breach are likely to switch to competitors. They may also share their negative experiences with other people, which will further damage the company’s reputation.

Financial risks:

  • Decreased sales: Loss of customer confidence directly affects sales. People are less likely to buy goods and services from a company that cannot guarantee the security of their information.
  • Costs of eliminating the consequences of a data breach: A company faced with a data breach may have to spend significant funds to investigate the incident, remediate security vulnerabilities, notify customers, and restore its reputation.
  • Fines and lawsuits: As mentioned earlier, violations of personal data protection laws can result in significant fines and lawsuits from affected individuals.

It is important to understand that ignoring information security and cybersecurity issues is playing with fire. The consequences of a data breach can be so serious that a company may simply not recover from them. Therefore, investing in a reliable data protection system is not an expense, but an investment in the future of the business.


GDPR and its impact on Ukrainian business

Although Ukraine is not yet a member of the European Union, the GDPR is no longer an empty word in Ukraine. The introduction of the new GDPR rules has significantly changed the rules of the game in the field of personal data protection, and Ukrainian businesses are increasingly having to reckon with this regulation. But does the GDPR really affect me?” you may ask. The answer is unequivocal: yes, it does, and here’s why.

The key requirements of the GDPR for business: an overview of the main provisions of the regulation that Ukrainian companies should pay attention to.

The GDPR, or General Data Protection Regulation, establishes uniform rules for the processing of personal data of EU citizens. Although Ukraine is not a member of the EU, the GDPR is directly relevant to Ukrainian companies that:

  • Work with EU customers: if you provide goods or services to EU citizens or collect and process their personal data in any other way, you are required to comply with the GDPR, regardless of where your business is located.
  • If you are planning to enter the European market: compliance with the GDPR is a prerequisite for successful business in the EU. If you are planning to expand your operations to the European market, you need to take care of bringing your business processes into compliance with this regulation in advance.

Here are some of the key GDPR requirements that Ukrainian companies should pay attention to:

  • Lawfulness, fairness and transparency: you can only collect and process personal data if you have a lawful basis (e.g., consent of the data subject, performance of a contract) and must inform people about what data you collect, how you use it and what rights they have in relation to their data.
  • Data minimization: you may collect and process only the personal data that is truly necessary to achieve the stated purpose. It is forbidden to collect unnecessary information.
  • Accuracy: You must ensure that the personal data you hold is accurate and up-to-date. You should take steps to correct or delete inaccurate or outdated data.
  • Retention periods: You may only retain personal data for as long as is necessary to fulfill the purpose for which it was collected. After this period, the data must be securely destroyed.
  • Integrity and confidentiality: You must ensure that personal data is kept secure from unauthorized access, use, disclosure, alteration or destruction. This means implementing appropriate technical and organizational security measures.

It is important to understand what personal data is. In the context of the GDPR, it is any information that relates to an identified or identifiable natural person (“data subject”). This can be a name, email address, phone number, IP address, medical information, and much more.

GDPR compliance is not just a legal obligation, but an investment in customer trust and business stability.

Adaptation to European standards: Practical steps to implement the GDPR in the activities of Ukrainian companies.

Implementing the GDPR requirements may seem like a complex and costly task, especially for small and medium-sized businesses. However, it is a necessary step for companies that want to ensure the security of their customers’ data and avoid potential problems in the future.

Here are some practical steps to help Ukrainian companies adapt to European data protection standards:

  1. Conduct a data audit: Before implementing any changes, you need to understand what personal data you collect, how you process, store, and use it. This will help you determine which aspects of your business need to be improved.
  2. Develop a privacy policy: your  privacy policy should be clear, understandable and accessible to data subjects. It should contain information about what data you collect, for what purpose, on what grounds, how you protect it, what rights data subjects have, etc.
  3. Obtain clear consent to data processing: In most cases, you will need to obtain clear, unambiguous and informed consent from the data subject to process their personal data. Consent should be voluntary and the data subject should be able to withdraw it at any time.
  4. Ensure data security: Implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration or destruction. This may include data encryption, password protection, two-factor authentication, regular backups, and more.
  5. Train your employees: Make sure your employees are aware of the GDPR and understand the importance of protecting personal data. Conduct regular trainings and briefings to raise their awareness.
  6. Collaborate with experts: If you are not sure how to implement GDPR requirements in your company, contact lawyers and consultants who specialize in personal data protection. They will help you develop and implement an effective data protection strategy tailored to your business.

Remember that adapting to the GDPR is not a one-time event, but an ongoing process. You need to regularly review and update your data protection processes to ensure that they are compliant with current legislation and best practices.

Creating a reliable data protection system in your company

You already know how important data protection is in modern business and the consequences of ignoring it. Now it’s time to move from theory to practice and consider how to build a reliable data protection system in your company. After all, how to protect personal data in practice is a question that worries many entrepreneurs.

Developing an effective privacy policy: How to create transparent and understandable data processing rules.

A privacy policy is not just a formal document, but an important element of a robust data protection system. It demonstrates to your customers and partners that you take privacy issues seriously and are committed to keeping their information secure.

An effective privacy policy should be:

  • Clear and accessible: Avoid legalese and complex terminology. The text of the policy should be written in simple and understandable language that is accessible to a wide audience.
  • Complete and informative: Provide all the necessary information about what personal data you collect, for what purpose, on what grounds, how long you will keep it, to whom you may transfer it, etc.
  • Relevant to your business: don’t blindly copy other companies’ privacy policies. Your document should reflect the specifics of your business and the data processing processes you carry out.
  • Make it accessible: Place the privacy policy on your website in an accessible place (for example, in the basement of the site or on a separate page). Make sure that customers can easily find and read it.

What the privacy policy should contain:

  1. General statement: Include your company name, contact information, the purpose of the privacy policy, and its scope.
  2. What data you collect: list the types of personal data you collect (e.g., name, email address, phone number, IP address, etc.).
  3. For what purpose do you collect the data: clearly state why you collect personal data (e.g., to process orders, provide services, marketing purposes, etc.).
  4. On what grounds do you process the data: state the legal grounds for processing personal data (e.g., consent of the data subject, performance of a contract, legitimate interests of the company).
  5. How you protect data: describe what technical and organizational measures you take to ensure the security of personal data.
  6. To whom you may transfer data: indicate whether you transfer personal data to third parties (e.g., contractors, partners) and, if so, under what conditions.
  7. What rights do data subjects have: Inform data subjects about their rights regarding their personal data, such as the right to access data, the right to rectify data, the right to erasure (“right to be forgotten”), etc.

Don’t forget to regularly review and update your privacy policy to ensure that it is in line with changes in your business and applicable laws.

If you have any difficulties with creating a privacy policy, contact a lawyer specializing in personal data protection. They will help you develop a document that meets all the necessary requirements and protects the interests of your business.


Professional assistance in the field of data protection: The benefits of working with law firms and consultants specializing in personal data protection.

Creating and implementing an effective data protection system is a complex and multifaceted process that requires in-depth knowledge of legislation, information technology, and risk management.

While many companies try to handle this task on their own, more and more businesses are turning to professionals for personal data protection services.

Why it is reasonable:

  • Comprehensive approach: law firms and consultants specializing in personal data protection provide a comprehensive approach to GDPR-related tasks. They can help you:
    • Conduct a data audit: determine what personal data you process, for what purpose, on what grounds, and how you protect it.
    • Develop documentation: create or update all necessary data protection documentation, including privacy policies, data processing statements, consent forms, etc.
    • Implement technical and organizational measures: help you select and implement the most effective technical and organizational measures to ensure the security of personal data.
    • Train your staff: Provide training for your employees on the GDPR and your internal data processing policies.
    • Provide ongoing support: Provide you with data protection advice and support on an ongoing basis.
  • Minimize risks: Data protection professionals have the necessary experience and knowledge to identify and assess potential risks associated with the processing of personal data. They can help you take steps to minimize these risks and avoid potential fines and penalties.
  • Save time and resources: Cooperation with experts will allow you to focus on the core business activities of your business without being distracted by studying complex legal regulations and implementing technical solutions.
  • Access to up-to-date information: Data protection legislation is constantly changing. Law firms and consultants keep abreast of these changes and are always ready to provide you with up-to-date information and advice.

How to choose a reliable partner:

When choosing a law firm or a consultant for legal assistance in the field of personal data protection, pay attention to

  • Experience and reputation of the company: choose a company that has a positive reputation and experience of working with companies of your profile.
  • Qualifications of specialists: make sure that the company employs lawyers and consultants who have the necessary qualifications and experience in the field of personal data protection.
  • Cost of services: Get commercial offers from several companies and compare them in terms of price-quality ratio.

Remember that personal data protection advice from experienced professionals is an investment in the stable future of your business. Professional assistance will help you avoid many problems and focus on developing your business.


In today’s business environment, where personal data protection in Ukraine is becoming increasingly important, ignoring data privacy issues is unacceptable.  Implementation of European standards, including GDPR compliance, is becoming a necessity for companies seeking to ensure long-term success.  Don’t hesitate to seek legal advice on personal data protection in Ukraine to protect your business and maintain customer confidence.  Remember that reliable data protection is not a cost, but an investment in a successful future.

What are some common myths about GDPR that could put my business at risk?

The GDPR is a powerful tool for protecting personal data, but there are many myths and misinterpretations surrounding it. Failure to understand these aspects can lead to serious risks for your business, including fines, lawsuits, and loss of reputation. Let’s take a look at some of the most common myths about the GDPR and their refutations:

Myth 1: GDPR only affects large companies, small businesses don’t have to worry.

The Reality: The GDPR applies to any organization, regardless of size, that processes personal data of EU citizens. It doesn’t matter if it’s a large online store or a small family business that collects customer contacts – the GDPR requirements remain the same.

Myth 2: The GDPR prohibits the collection and use of personal data.

The Reality: The GDPR does not prohibit the collection and use of personal data, but it does set out clear rules and principlesfor this process. You can collect and use data, but it must be legal, transparent, and fit for purpose.

Myth 3: It is enough to publish a privacy policy on the website to comply with the GDPR requirements.

The Reality: A privacy policy is just one elementof GDPR compliance. It is important not only to have a document describing your actions with data, but also to actually follow these rules in practice.

Myth 4: The GDPR only applies to companies registered in the EU.

The Reality: The GDPR has extraterritorial effect, meaning it applies to companies located outside the EU that process personal data of EU citizens. If your business deals with customers, partners, or employees from the EU, you must comply with the GDPR.

Myth 5: The fines for GDPR violations are extremely high and impossible to avoid.

The Reality: The fines for GDPR violations can be significant (up to €20 million or 4% of annual turnover), but they are not automatic. The amount of the fine depends on the severity of the violation, intentionality of the actions, measures taken to minimize losses and other factors.

Myth 6: GDPR is the only legislation that regulates the protection of personal data.

The Reality: The GDPR is an important, but not the only piece of legislation in the field of data protection. There are national laws in EU member states as well as other international agreements that may apply to your business.

Do I need to obtain consent to the processing of personal data if I use data anonymously for analytics?

This question is quite common and complex at the same time. It would seem that if the data is anonymized, i.e., it is impossible to identify a person, the GDPR should not apply. However, the reality is somewhat different.

First, let’s understand the concept of anonymization. The GDPR defines anonymization as “the processing of personal data in such a way that it can no longer be linked to a specific individual, even using all available information.”

Even if you remove obvious identifiers such as name, address, and email, other data taken together can lead to de-anonymization.

For example, location data, transaction times, medical records, web browsing, combined with other data sets, can be used to identify a person with a high probability.

Secondly, the GDPR requires a lawful basis for processing any personal data, even anonymized data. If you cannot prove that the data is truly anonymous and cannot be used to identify an individual, you will still need to obtain consent or have another lawful basis for processing it.

When may consent not be required?

  • True Anonymization: If you have implemented strong anonymization techniques that make it impossible to identify an individual under any circumstances, consent may not be required. However, achieving true anonymization is difficult, especially as data analytics technologies evolve.
  • Legitimate Interests: If the processing of data for analytics is in your legitimate interests, for example to improve services or prevent fraud, and these interests do not override the rights and freedoms of data subjects, consent may not be required.


  • Carefully assess the risks of de-anonymization. If there is at least a minimal likelihood that the data can be used to identify an individual, treat it as personal and obtain consent.
  • Use pseudonymization methods. Instead of deleting identifiers, replace them with unique codes that will make it harder to identify the person.
  • Apply GDPR principles from the start. Collect the minimum amount of data necessary for analytics, store it securely, and delete it when it is no longer needed.
  • Consult with a lawyer specializing in data protection to get a clear assessment of your situation and recommendations on how to obtain consent.

Remember that the GDPR is not about banning data analysis, but about responsible and ethical handling of personal information.

What should I do if I receive a request from a user to delete their personal data, but the law requires me to keep this data for a certain period of time?

This is a common dilemma: on the one hand, the GDPR guarantees the right to be forgotten, i.e., to have personal data deleted upon request. On the other hand, there are legal provisions that require certain types of data to be stored for a certain period of time. How to deal with this situation and find a balance between user rights and legal requirements?

First, it’s important to define:

  • Is the deletion request really justified. The GDPR provides six grounds for data erasure, such as when the data is no longer needed for the purposes for which it was collected or when the user withdraws consent to its processing.
  • Which laws require data storage. These may include laws on accounting, taxes, anti-money laundering, healthcare, etc.
  • What storage period is required by law. It can vary from several years to several decades depending on the type of data and the purpose of storage.

If the request is justified, but the data cannot be deleted:

  1. Notify the user of the restriction. Explain that you cannot delete the data immediately due to legal requirements, but that you are committed to doing so as soon as possible.
  2. Limit data processing. As long as there is a legal retention obligation, limit the processing to only those activities that are necessary to fulfill that obligation. For example, stop using the data for marketing or profiling purposes.
  3. Ensure secure data storage. Ensure that data is securely protected from unauthorized access, use, or disclosure.
  4. Delete data as soon as possible. Establish a clear schedule for deleting data after the legal retention period has expired.

Additional recommendations:

  • Keep records of requests for data deletion. Record the date of the request, the grounds for deletion or restriction of processing, the measures taken, and the date of actual deletion of the data.
  • Consult a lawyer. In case of doubt or complex situations, contact a lawyer specializing in personal data protection to get professional advice and guidance.


  • The GDPR gives users the right to control their personal data, but this right is not absolute.
  • Legal data retention requirements may limit the right to be forgotten.
  • It is important to find a balance between protecting users’ rights and fulfilling legal obligations.

What is the liability for personal data leakage as a result of third parties' actions, for example, a hacker attack?

Imagine the situation: your business diligently complies with GDPR requirements, implements modern security systems, but suddenly a hacker attack occurs and the attackers gain access to your users’ personal data. Who is responsible for this incident: you, since you stored the data, or the hacker who performed illegal actions?

The answer to this question is not as simple as it may seem. The GDPR requires companies to take “appropriate technical and organizational measures” to protect personal data. This means that companies have a certain responsibility for data security, even if the leak was caused by third parties.

What does the GDPR say?

Article 32 of the GDPR obliges data controllers (companies that determine the purposes and methods of data processing) to ensure

  • Confidentiality: protection of data from unauthorized access;
  • Integrity: protection of data from unauthorized modification or destruction;
  • Accessibility: ensuring legal access to data by authorized persons.

Does this mean that the company is always responsible?

No, not always. The GDPR does not establish absolute liability for data breaches. A company may be exempt from liability if it proves that it has taken all possible and adequate measures to prevent the incident.

What can affect the determination of liability?

  • The nature and extent of the security measures taken: did they correspond to the level of risk associated with data processing? Were they sufficiently modern and effective?
  • Timeliness of the incident response: did the company take immediate measures to minimize damage after the leak was detected? Did it notify the relevant authorities and users of the incident?
  • Existence of fault on the part of third parties: were the hackers’ actions unforeseen and inevitable, or could the company have prevented them?

Recommendations for companies:

  • Implement comprehensive security systems that are appropriate for the type of data you process and the level of risk.
  • Regularly evaluate and update your security systems to address new threats and vulnerabilities.
  • Develop a data breach contingency plan that includes steps to identify, assess, contain, and resolve the incident, as well as notify users and relevant authorities.
  • Provide education and training for employees on data security and cyber hygiene.
  • Document all security measures taken to help prove your good faith in the event of an investigation.


Liability for a personal data breach is a complex issue that depends on many factors. Despite the risks associated with the actions of third parties, companies must take all necessary measures to protect data to minimize their liability and maintain the trust of their users.


0 / 5. 0

Leave a Reply

Your email address will not be published.


You may be interested
Copyright vs. trademark: how to protect rights to characters more effectively
Anton Polikarpov | 24 May, 2024
Copyright vs. trademark: how to protect rights to characters more effectively

Over the years, cinema, television and literature have given us many favourite characters that we can recognize just by one of their phrases or characteristic images. Undoubtedly, such intellectual property requires proper legal protection. That is why today we will follow the “life path” of a character: from his birth to his death (of course, […]

The evolution of IP enforcement in Ukraine: the rise of the Appeals Chamber’s role
Anton Polikarpov | 18 March, 2024
The evolution of IP enforcement in Ukraine: the rise of the Appeals Chamber’s role
5 хвилин

On February 9, 2024, the new Regulation of the Appeals Chamber of the Ukrainian National Office for Intellectual Property and Innovations (further — IP Office) entered into force. The IP community is eagerly awaiting the resumption of the Appeals Chamber’s work because now, in addition to its traditional and customary powers to review oppositions against […]

Challenges in ensuring an supplementary protection period of  medicinal products in Ukraine
Zhuravlov Vladyslav | 23 January, 2024
Challenges in ensuring an supplementary protection period of medicinal products in Ukraine
5 minutes

Historical retrospective and EU practice In general, the introduction of the supplementary protection is intended to reimburse the patent holder part of the effective term, during which the invention could not be actually used, as it requires state registration of the medicinal product, which takes a certain amount of time. The establishment of this institution […]

Contact us
We will find the best solution for your business

    Thank you for your request!
    We will contact you within 5 hours!
    This site uses cookies to improve your experience. By continuing, you agree to our Privacy Policy.

    Privacy settings

    When you visit websites, they may store or retrieve data in your browser. This storage is often required for basic website functionality. Storage may be used for marketing, analytics and site personalization purposes, such as storing your preferences. Privacy is important to us, so you can disable certain types of storage that may not be necessary for the basic functioning of the website. Blocking categories may affect the performance of the website.

    Manage settings


    Always active

    These cookies are necessary for the website to function and cannot be disabled in our systems. They are usually only set in response to actions you take that constitute a request for services, such as adjusting your privacy settings, logging in, or filling out forms. You can set your browser to block these cookies or notify you about them, but some parts of the site will not work. These cookies do not store any personal information.


    These elements are used to show you advertising that is more relevant to you and your interests. They can also be used to limit the number of ad views and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the site operator.


    These elements allow the website to remember your choices (such as your username, language or region you are in) and provide enhanced, more personalized features. For example, a website may provide you with local weather forecasts or traffic news by storing data about your current location.


    These elements help the website operator understand how their website works, how visitors interact with the site and whether there may be technical problems. This type of storage usually does not collect information that identifies the visitor.