As a rule, the term “personal data” is defined in legislation. For example, in the European Union the processing of personal data is governed by the General Data Protection Regulation (GDPR); in Canada by the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA); and in the United States, at state level in California, by the California Consumer Privacy Act (CCPA).
These laws govern how businesses must behave when collecting and processing customer and employee data.
There are slight differences in the definition of personal data, but in order to make it easier to understand, we will use the GDPR definition.
Personal data is not only the identifier itself, but also the information related to a person. In simple terms: a name, passport number, ID card number, username, nickname, e-mail address, phone number, IP address or bank card details are always personal data, because they are identifiers. A licence plate number, handwriting, a video recording or a photograph are probably personal data, because a person can readily be identified from them. An address, marital status, sex, gender, e-wallet details, health information, page views, searches and social media posts are personal data once you know whom they relate to.
Conducting an audit of business processes
We audit current and future business processes for compliance.
We create a Data Map to identify potential irregularities.
Drawing up company policies regarding the processing of personal data
We draw up a privacy policy, privacy notice, cookie policy and other necessary documents.
Conducting an audit of the website/application
We check the availability of the necessary consent collection forms, the operation of cookies, the location of legal documents and make recommendations as a result.
We prepare and conclude data processing agreements with your counterparties
If you transfer personal data to third countries, you will need to enter into Data Processing Agreements.
Appointing a Data Protection Officer (DPO)
The designation of a DPO is mandatory if:
(a) the processing is carried out by a public body or authority other than courts of competent jurisdiction; or
(b) the legal entity's principal activities consist of data processing operations that, by their nature, scope and/or purpose, require regular and systematic monitoring of data subjects on a large scale; or
(c) the legal entity's core business consists of large-scale processing of special categories of data pursuant to Article 9 of the GDPR and of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.
Conducting a Data Protection Impact Assessment (DPIA)
A DPIA is required only for certain specific processing activities, namely those that may have a significant impact on the rights and freedoms of data subjects; for those activities it should be carried out on a regular basis.
Provide employee training
Employee training on safe handling of personal data is mandatory. We will teach your employees how to respond to requests from data subjects and regulators.
✔️ Which authorities in Ukraine are responsible for monitoring compliance with personal data legislation?
In Ukraine, the State Service of Ukraine for Personal Data Protection is responsible for monitoring compliance with personal data legislation.
✔️ What sanctions are stipulated for violation of personal data legislation?
Violations of personal data legislation are punishable by administrative fines for individuals and legal entities, as well as criminal liability in case of grave violations.
✔️ What are the requirements for companies and organisations to process personal data?
Companies and organisations processing personal data must comply with the principles of data processing, obtain the consent of data subjects, and ensure data protection and confidentiality.
✔️ What security measures should companies implement to protect personal data?
Companies should implement technical and organisational security measures, such as data encryption, access restrictions, staff training and auditing of data processing systems, to protect personal data from unauthorised access and leaks.