On Feb. 23, 2021, Ukraine's Ministry of Digital Transformation, in cooperation with the United Nations Development Program, NGO "Privacy Hub," and other partners, launched a data protection self-assessment tool. Aimed at aligning personal data protection with international and European standards, Ukraine developed a framework to help Ukrainian small- to medium-sized enterprises understand Ukrainian privacy laws and the EU General Data Protection Regulation.
Background
Currently, Ukrainian privacy issues fall under the 2011 personal data protection law. This law is heavily influenced by Directive 1995, which implies Ukraine still lives in the 20th century regarding data protection. Even though the country has adopted and ratified Convention 108, it has yet to do so with Convention 108+. Additional information on the status quo can be found in our article on the reality and future of privacy legislation. So, it is apparent Ukraine does need to improve the situation with personal data protection. This tool is one of the many initiatives that aim to raise awareness and educate the public.
According to our research, Ukrainian companies that are aware of privacy legislation and work within the European Economic Area market use the U.K. Information Commissioner's Office's data protection self-assessment. However, for obvious reasons, it does not cover Ukrainian legislation. So, it was only right to develop Ukraine's own tool that would provide assessment for organizations from both perspectives — European and national. As is the case with the ICO's framework, we believe the Ukrainian self-assessment tool will be useful for people from other countries, as well. With that in mind, the tool was translated into English so people from different jurisdictions would be able to use it.
We also interviewed Ministry of Digital Transformation Data Protection Officer Bogdan Pashynskyi to hear what he had to say about the tool: "One of the things I like about the tool is that it breaks down complex Ukrainian and EU data protection legislation into 'digestible' requirements that can be understood by non-lawyers, as well as lawyers whose specialization is not related to privacy. Another great feature is the score-based system which helps illustrate the areas the business should focus on to improve its privacy program."
Pashynskyi, who was involved in the creation of the tool, emphasized, "Our self-assessment tool is as much about ensuring compliance with applicable privacy requirements as it is about helping Ukrainian businesses stay competitive on the market, in particular, the EU where privacy considerations cannot be neglected."
The details
The primary target audience of the toolkit is Ukrainian SMEs. Considering many Ukrainian IT companies and startups work in the European market, the tool allows them to conduct self-assessments under both the Law of Ukraine On Personal Data Protection and the EU General Data Protection Regulation.
How does the tool work? First, a user must answer a few questions that identify the laws applicable to the business and its roles in the data processing. The toolkit contains four tests: one for controllers and one for processors under Ukrainian law, and one for controllers and one for processors under the GDPR.
The sections cover different areas of privacy compliance:
- Data protection principles (for controllers only).
- Information provision and data subject rights.
- Information security.
- Accountability and governance.
The answers to questions assess the organization's level of preparedness based on the result from each section. A test taker may end up in a green, yellow or red zone. Each answer is supported by personalized recommendations on how to improve the current compliance situation.
Users can take the assessment anonymously, if they would like to refrain from sharing the results with the governmental platform, or as a registered user to save and later access results and recommendations. Both anonymous and registered users will have the ability to share results via different social media or simply via a result link. However, only registered users will be able to save results on the "Diia.Business" platform. The saved results can then be used as an actionable road map for the user.
Follow-up presentations and training
The toolkit would not be complete without explaining how to use it and what the data protection requirements are. Otherwise, its value would equal zero. Test takers have access to a recording of a roundtable discussion and a series of four video training sessions that are prepared by Certified Information Privacy Professionals.
The roundtable discussion is devoted to how businesses can benefit from protecting personal data. In it, various stakeholders explain what the advantages of data protection compliance are for their organizations.
The training recordings answer the following questions:
- Does your business fall under the GDPR, and what measures should it take to comply with the regulation?
- How to conduct an audit within the organization, and what documentation and procedures are needed to meet the requirements of Ukrainian and European legislation on personal data protection?
- How to implement technical and organizational measures aimed at ensuring the confidentiality of personal data?
- What are effective ways to raise awareness of employees in the field of personal data protection?
Conclusion
The privacy self-assessment toolkit is a part of "Diia.Business," which helps owners of SMEs create, launch and manage their businesses.
It is very important and logical to educate and guide the owners from the beginning on what to do with personal data they collect, store and share with third parties. The other idea behind the toolkit is to develop the privacy culture and take an important step on the road to mass digitization, increasing privacy and data protection awareness among the population.