2018 — The Year under the Sign of GDPR

For many IT lawyers, 2018 will be noted for the General Data Protection Regulation (GDPR)—a new European Union regulatory act which will come into effect in May 2018.

While IT enters all spheres of traditional business, dissolving its boundaries, the data becomes the fuel for future technologies and a priceless asset, for which large IT-giants are sometimes ready to buy an entire company.

As data grows in importance, so do the requirements for their processing security. The European regulatory act has advanced the most in this area. While the US Government has recently allowed Internet providers to sell their users’ web browsing histories, an impressive system of rights has been conferred on European citizens. Those companies processing their rights were assigned an equally sizeable list of duties, which presuppose even greater responsibility. Aware of the gravity of the situation and the growing community demand for privacy and providing control over their data, GDPR legislators are trying to withdraw from a formal approach and to deal with the problem holistically. This requires an array of organizational and technical measures to be taken to change the very approach to work and the company’s attitude towards data and data management.

Some GDPR requirements are to be considered at the stage of IT product development, let alone the implementation stage. It’s not about common security standards; it’s about the mechanics of data management — minimizing the amount of processed data, providing data portability, privacy by default and a series of other equally interesting GDPR requirements.

How can the GDPR Affect the Interests of the Ukrainian Business Sector?

One of GDPR’s innovations is its exterritoriality. It means its effect is applicable to companies regardless of their location if they hold data on European citizens, offer them goods and services, or monitor their behaviour on the Web (behavioural profiling).

We can think of a wide range of occasions when GDPR will be of vital importance for the Ukrainian IT sphere and for traditional business. In Ukraine, the IT segment is represented not only by companies that provide goods but also by a rather strong outsourcing sector which usually targets foreign customers, including European companies and global projects whose target audience is in Europe. It may be delivery of services to EU users by means of the SaaS-model as well as cloud services providing infrastructure for IT products if EU citizens are among their end-users. Any business analytics with EU citizens behavioural profiling with its object can be added here too.

Barriers to entry for traditional business can vary as well: starting from simple cloud migration to data processing issues in a large transnational company which has a Ukrainian branch. Considering the popularity of cloud solutions, it is easy to imagine personal data maintenance in the European provider’s cloud with data being placed on EU servers. The storage of at least a data back-up on EU servers imposes obligations on both the provider responsible for data processing and the one who owns the data and maintains it.  As envisioned by GDPR, the first one is a data processor and the latter is a data controller (according to the terminology of Ukrainian law, they are a custodian and an owner of personal data, respectively).

We can see that there is considerable variability of situations when a Ukrainian business may need to meet GDPR requirements. The number of issues each company is going to deal with will depend on the entry point. This, its turn, determines the extent of a lawyer’s involvement in issues of compliance with GDPR as well as the requirements that will be imposed on him on the part of the client. It is important to bear in mind that those actions that seem clear and ordinary from the technical point of view or in the context of business processes can involve some specifics with regard to legislation. For example, a simple data transfer to the cloud can be considered sharing personal data with a third party in legal terms. In this case, a properly drawn up Terms and Conditions and data processing agreement with a provider are required. GDPR expands the requirements list greatly as well as the list of users’ rights, the provision of which should be carefully observed. Starting in May 2018, a seemingly inconsiderable dereliction may result in a penalty of 4% of a company’s turnover.

What is personal data according to GDPR? This is any data identifying a user or data with the help of which a user can be identified. As technology advances and a growing amount of data is accumulated, the situation with the second part of the definition will be more complicated. Thoughts about the end of Internet anonymity have grabbed the headlines of various privacy-focused publications on privacy. Besides, there are lots of examples on how to easily identify a person via open sources and anonymous data comparison. Whether the same data will be considered personal will often depend on the situation. Because of the task’s complexity at the starting point, some companies decide on their own to regard certain data as personal and give it a higher level of security.

There are a fairly large number of innovations in the new act, and its major advantage is the alignment of these improvements and the existence of a certain implementation mechanism. The GDPR list of rights conferred on users contains the right to access to personal data, the right to be forgotten, i.e. the right to data removal, which we are familiar with already, and the right to restrict/object to processing. In addition, a new user’s right to data portability is rather interesting. Legislators provided users with an opportunity to elicit their personal data from a current controller and transfer it to another one for keeping.

It should be borne in mind that assessment of the impact on data protection is required: for example, in case of implementation of a new automated data processing technology, or presence of a large number of special data categories or monitoring of publicly available places. In certain situations, a specially-appointed Data Protection Officer must ensure data security and legitimacy of processing.

With the increasing number of cyber-attacks, it is of great importance that the Data Protection Authority and the users whose rights are endangered are informed about a security breach within 72 hours if it compromises personal data protection.

What are the Skills and Competencies Necessary for an IT Lawyer?

Just like with traditional IT-business assistance, it is important to be well-informed about the company’s processes and basic technical issues regarding data. One might say that simply knowing the law is obviously insufficient. However, quite often the law itself refers us to technical terminology. That’s why even at this stage a lawyer should broaden his/her outlook. An understanding of the way data moves within the company and the so-called data mapping is a solid starting point. A lawyer should be actively involved in the process of new IT product development and build-up of the information security infrastructure as well as in the assessment of the impact of new solutions on personal data processing security. Another aspect of  work is assisting with a breach and data leakage. Considering the dynamics connected with data processing and the necessity to monitor the status of data, abuse team lawyers will deal with a huge pool of inquiries from users, who will make the most of a rights list conferred on them. It goes without saying that the development of internal and external policies for data processing will be still there, as will drawing up and analysing existing agreements that provide data security, reporting, and responsibility for violations.

Being aware of rising demand for personal data processing issues and GDPR, our company is stepping up its efforts in this area. Serving as legal engineers, we move beyond a simple response to inquiries from  clients. We try to find the problem, to offer a solution, to provide a team for its implementation, and to oversee the latter. Yet, taking into account the complexity and gravity of the GDPR compliance issue, a narrow view of the problem would entail a wide range of penalties posing a threat to a business. The complexity here means more than just a meeting point of law firm practices but rather services at the confluence of law, technical, and other solutions. In this area, we are working with both IT business companies that have tougher requirements to cyber-security providers and real business companies that are going to apply technologies and require legal examination during penetration tests, cloud migration, SaaS-solutions implementation and other related matters.

For those Ukrainian companies still hesitating over whether GDPR affects their work, it is worth thinking of the benefits that readiness for these new regulations gives. High data security can be a competitive advantage, an added product value, and a bonus for your reputation in the eyes of a client. Moreover, considering Ukraine’s course for European integration and attempts to apply European quality standards, there is a good probability that sooner or later Ukraine will try to adopt the experience of personal data protection possessed by its European neighbours.