Why do Ukrainian companies need GDPR risk assessment?
The short answer: GDPR risk assessment is necessary to enter the European market wisely and with minimized risks under GDPR. But let’s start with the basics.
If you are looking into a phrase like “GDPR risk assessment,” chances are your customers, consumers, or investors have already hinted at it. Or a competitor has gained an advantage by calling itself GDPR-compliant, and you want to be able to say the same.
To be GDPR-compliant, i.e., to meet the requirements of the GDPR, you need to set up personal data processing procedures in accordance with the GDPR. To do this, you first need to understand whether the GDPR applies to your business. If it does, you need to develop an action plan. The best way to develop a plan and allocate funds is to start with the risks.
What is GDPR risk assessment?
GDPR risk assessment is one of the names for the extensive internal work that a business can do with a DPO or with external consultants/lawyers in the field of personal data protection. It is an analysis of:
- which privacy law requirements apply to you,
- what they require,
- what you are already doing in your actual personal data processing procedures,
- what risks arise from this, and
- what to do about all of this.
What should you not do?
Sometimes companies are tempted to jump straight to the “what to do with all this” stage. But that’s like asking a doctor to prescribe treatment by telling him over the phone that you have a rash on your leg. The doctor may guess the right medication, but it would be very wise to conduct additional tests to make sure the diagnosis is correct.
The same applies to insuring a business against risk. It is advisable to establish a “diagnosis” of the level of GDPR compliance based on information about the project collected from various departments and people, from processes and products. An in-depth analysis of GDPR risks is useful here: when you analyze information comprehensively, you are less likely to miss details. In addition, the business owner or other privacy stakeholder in the company will see a more complete picture and be able to set the right priorities. Of course, you can rely 100% on the expertise of the “doctor”-consultant and hope they hit the right pain points. But should the fate of your company be decided by luck?
What could be an incentive to conduct a GDPR risk assessment?
In addition to a sincere desire to streamline processes to match those of the best competitors or investors, there are also aspects of reputation and responsibility.
Incentive 1. Reputation. This is about consumers choosing a particular business because of its good name and brand. Reputation can easily be ruined by a scandal involving a personal data leak, a non-compliant banner and a crooked policy on the website, intrusive advertising or spam in violation of personal data processing rules, or ignoring a person’s request for their personal data. All of this, either collectively or individually, can discourage an investor from giving a business money for its development. Because, as we know, investors are not philanthropists; they want to see prospects and development, not risks and loss of customers. Red flags with personal data can also reduce the end customer’s desire to recommend your service, and for many types of businesses, customer reviews are the best form of marketing.
Incentive 2. Responsibility. This concerns fines, time, legal proceedings, and significant legal costs. The GDPR provides for very high maximum fines for violations: up to €20 million or up to 4% of the company’s global annual turnover for the previous year. In EU countries, regulators have the resources to conduct inspections and are particularly keen to inspect companies that users complain about or whose questionable practices become widely known. Each EU country has its own regulator, which communicates in its own language and has its own views on punishment, based on the nature of the violation, the company’s behaviour, its previous history, and other factors. Local legislation in some EU countries may also allow compensation for moral damage to a person whose data has been “affected” by unlawful business practices. And even if no fine results, legal costs are unavoidable.
Incentive 3. Thinking about the future. The GDPR does not apply to the Ukrainian market, which is one of your main markets, right? That’s true, but since Ukraine is already on its path to European integration, it is only a matter of time before a stricter law on the protection of Ukrainians’ personal data is finally adopted. The Verkhovna Rada has already adopted in its first reading a bill that imposes liability on businesses of up to 150 million hryvnia or 8% of their annual global turnover. So, by preparing to comply with the GDPR, you will be better prepared to comply with the new Ukrainian law. Even if Ukrainian users are not as demanding as EU users at the moment, the trend toward respect for personal data among responsible businesses, and fines for less responsible ones, will change this very quickly.
GDPR risk assessment will allow you to assess reputational and liability risks more accurately and help ensure that regulators, whether in the EU or Ukraine:
- at a minimum, see no reason to audit your business, and
- at most, during an audit, only ask your business to correct any questionable practices.
GDPR risk assessment is longer and more expensive than preparing a policy for a website or hiring a DPO. But it is about meeting different needs. Risk assessment and comprehensive analysis will meet the need to build a sustainable privacy management model in the company and choose a culture of privacy and user data protection. All other isolated measures, chosen in a non-systematic way, are like plugging holes in a leaking pipe. That’s also a method, but you have to admit that you don’t always have the time or desire to sit by the pipe, waiting for it to burst 🙂
If you need help with GDPR risk assessment, please contact us.