Last revised: 2024-07-01
Conference abstract
With the globalization of the world economy and the integration of Ukrainian business into international markets, it is increasingly important to comply with international norms, standards and rules of doing business, including in the area of personal data protection.
The General Data Protection Regulation (GDPR) of the European Union has become a key regulatory act governing the processing of personal data and the protection of the rights and freedoms of individuals. Compliance with the GDPR requirements is an integral part of the compliance control and corporate governance system for companies doing business in Ukraine and interacting with European companies and citizens.
The topic is relevant because, in the context of the full-scale war with Russia and the subsequent post-war reconstruction of Ukraine, GDPR compliance takes on particular importance for domestic companies seeking to attract investment and develop cooperation with international partners. Implementing an effective compliance control system, in particular in the area of personal data protection, is one of the important components of ensuring the investment attractiveness of Ukrainian business.
The purpose of the thesis is to study the theoretical and practical aspects of implementing the requirements of the General Data Protection Regulation (GDPR) into the enterprise's compliance control system as a component of corporate governance aimed at ensuring an appropriate level of personal data protection, observance of the rights and freedoms of individuals, and increasing the company's investment attractiveness and competitiveness in international markets.
The General Data Protection Regulation (GDPR) of the European Union is one of the most comprehensive and strict legal acts in the field of personal data protection of individuals. This document entered into force on May 25, 2018 and replaced the outdated Directive 95/46/EC, which had been in force for two decades[1].
The GDPR establishes uniform rules for the processing of personal data for all EU member states and applies to any organization that processes personal data of EU citizens, regardless of its location. The regulation has an extraterritorial effect, which means it is binding on companies from third countries if they offer goods or services to EU citizens or track their behavior.
The GDPR aims to protect the fundamental rights and freedoms of individuals, including their right to personal data protection. The Regulation sets out a set of principles, standards and procedures that controllers and processors of personal data must adhere to in the course of their activities[1].
The key requirements of the GDPR are compliance with the principles of lawfulness, transparency, data minimization, purpose limitation, accuracy, integrity and confidentiality in the processing of personal data. In addition, the GDPR clearly defines the rights of data subjects, such as the rights to information, access, rectification, erasure, restriction of processing, portability and objection to processing, as well as rights in relation to automated decision-making.
For businesses that interact with European companies and citizens, the implementation of an effective GDPR compliance system is an integral part of modern corporate governance. Ensuring compliance with the GDPR involves careful planning, consistent implementation of a set of measures, and continuous monitoring and improvement of personal data protection processes[2].
In our opinion, an important step towards implementing a compliance control system through the prism of the GDPR is the development and implementation of policies, procedures and security measures for the protection of personal data at the enterprise.
The core of these is a Personal Data Protection Policy, which should reflect the principles, standards and approaches to personal data processing in accordance with the GDPR. The document should contain a clear definition of the roles, duties and responsibilities of the organization's departments and officials in the field of personal data protection. This Policy is the basic internal document on which all other procedures and security measures are based.
In accordance with the Personal Data Protection Policy, the organization must develop a number of detailed procedures and instructions for various processes and operations related to the processing of personal data.
For example:
Procedure for responding to incidents related to personal data leaks or breaches;
Procedure for storing and destroying personal data in accordance with the processing principles;
Procedure for processing requests from data subjects or supervisory authorities regarding personal data;
Procedure for conducting a personal data protection impact assessment (DPIA) when introducing new products, processes or technologies associated with a high risk to the rights and freedoms of individuals [3].
At the same time, it is important to implement appropriate technical and organizational measures to secure personal data in accordance with the requirements of Article 32 of the GDPR. These may include:
Pseudonymization and encryption of personal data to ensure its confidentiality and integrity;
Implementation of access control systems to personal data based on the "need-to-know" principle;
Use of data leakage detection and prevention tools, antivirus protection, firewalls, intrusion detection and prevention systems;
Ensuring backup of personal data and the possibility of its recovery in case of incidents;
Implementation of physical security measures for premises and equipment where personal data is stored [4].
It should be noted that effective compliance control also requires developing and implementing procedures for managing records of personal data processing activities.
According to Art. 30 of the GDPR, controllers and processors of personal data must keep a register of activities related to the processing of such data. It is necessary to develop procedures for the formation, maintenance and updating of such registers, as well as to determine the persons responsible for this process. The organization must also develop procedures for making mandatory notifications to the supervisory authority and data subjects in cases provided for in Articles 33-34 of the GDPR [1].
The last step, in turn, is to appoint a Data Protection Officer (DPO). According to Art. 37 of the GDPR, the appointment of a DPO is mandatory in certain cases, for example, if the main activity of the controller or processor is processing operations that require regular and systematic large-scale monitoring of data subjects. The DPO plays a key role in monitoring the organization's compliance with the GDPR, raising awareness among staff and interacting with the supervisory authority [1].
After developing all the necessary policies, procedures and security measures, the organization must ensure their effective implementation and communication to all responsible persons through staff training. It is also important to establish a system of periodic review and improvement of internal documents in the field of personal data protection, taking into account regulatory changes, new technologies and best practices.
Thus, ensuring compliance with the GDPR is an ongoing process that requires constant monitoring, updating and improving internal processes and procedures, taking into account regulatory changes, technological development and best practices in the field of personal data protection. Only through systematic work can an organization guarantee compliance with the requirements of the GDPR and ensure the effective protection of personal data in the long term.
References
1. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). URL: https://eur-lex.europa.eu/eli/reg/2016/679/oj. (accessed: 05/02/2024).
2. Karpushenko M., Karpushenko O. Theoretical and methodological aspects of the formation of a compliance control system. The current state of scientific research and technology in industry. 2023. No. 1 (23).
3. Karpushenko M. Y., Karpushenko O. O. The role of compliance control in the risk management system / International Scientific and Practical Conference "Information and Analytical Support of Security-Oriented Management in the Context of Globalization", November 17-18, 2022, Kharkiv. P. 78-79. URL: http://eprints.kname.edu.ua/62980/. (accessed: 05/02/2024).
4. Zavadska I. Why do we need compliance at the enterprise. 2023. URL: https://biz.ligazakon.net/analitycs/217068_dlya-chogo-potrben-komplans-napdprimstv. (accessed: 05/02/2024).