Потрібна допомога адвоката?

Залишай заявку

Protection of personal data and cybersecurity

Protection of personal data and cybersecurity have ceased to be “a technical issue for the IT department” and have become one of the key areas of legal and managerial responsibility of business in the digital age. The extent to which a company takes a systematic approach to building its security architecture affects not only the minimisation of fines and lawsuits, but also client trust, resilience to cyberattacks, and competitiveness in the market.
Regulatory framework for data protection and its challenges
In Ukraine, the regulation of personal data protection is primarily based on the Law “On Personal Data Protection” and general information security norms, which set requirements for the processing, storage, and transfer of information. At the same time, the influence of European standards, especially the GDPR, is significant, as they impose stricter rules for transparency, data subjects’ rights, and liability for breaches of confidentiality.
Practice shows that one of the main problems is the fragmentation of legal regulation and the gap between formal requirements and the actual maturity of cybersecurity systems in organisations. Often, data protection policies exist only on paper and are not supported by adequate technical and organisational measures, creating an illusion of compliance and increasing vulnerability to incidents.
Modern cyber threats to personal data
The rapid development of technology and the spread of open information sources generate new privacy risks: social engineering, phishing, doxing, and account hacking through an OSINT-based approach to data collection. Attackers combine fragments of public and semi-private information to build convincing attack scenarios — from phishing emails to fake profiles in messengers.
Particularly dangerous is multi-stage phishing, where the user interacts with the attacker several times, gradually giving away not only logins and passwords, but also one-time codes, backup access keys, and confidential files. In this context, personal data protection can no longer be ensured solely by technical solutions — media literacy, cyber hygiene, and user awareness of real attack scenarios become critical.
Integration of data protection into the cybersecurity system
The modern approach to security goes beyond a separate “law on personal data” and requires the integration of legal, organisational, and technical levels of protection into a single system. This involves creating a dedicated unit or appointing a responsible person for information security, building a comprehensive protection system in information and telecommunication systems, and implementing international standards (for example, ISO/IEC 27001).
In this context, cybersecurity includes not only perimeter protection tools (firewalls, antiviruses, intrusion detection systems), but also a well-designed data access model, multi-factor authentication, event logging, and regular incident monitoring. It is precisely this systemic approach — from organisational policies to specific technical settings — that allows personal data protection to be transformed from “a point function of IT” into an element of the overall cyber resilience strategy of the business.
The role of the state and business responsibility
At the state level, the key actors in the field of personal data protection are the cyber police and the Ukrainian Parliament Commissioner for Human Rights, who has the authority to draw up administrative protocols for violations of the right to information protection. Sanctions for failure to comply with the established data protection procedures, which lead to unlawful access, include significant financial fines that can be critical for small and medium-sized businesses.
At the same time, the state is increasingly focusing on the implementation of European data protection standards, which raises requirements for transparency in information processing practices in the private sector. For companies, this means the need to move from a formal minimum to real implementation of privacy policies, procedures for handling data subject requests, and the recording and investigation of cybersecurity incidents.
A comprehensive approach as the only realistic strategy
Research in the field of personal data protection agrees that only a comprehensive approach can ensure an acceptable level of security in the modern digital environment. It includes improving the legislative framework, implementing modern protection technologies, building information security management systems, and systematically increasing the digital literacy of employees and citizens.
At the same time, businesses should view personal data protection as an investment in long-term reputation and resilience, rather than just “compliance costs”. Companies that proactively implement European standards and build a culture of cybersecurity gain a competitive advantage, as they can offer clients not only a product or service, but also a guaranteed level of protection for their digital identity.
If you have any questions or problems related to personal data protection in your company, building a cybersecurity system, or implementing European privacy standards, it is worth considering engaging experts who will help assess current risks and develop a step-by-step plan to mitigate them.
Author
: Ihor Yasko, Managing Partner of Legal Firm “WINNER”, PhD in Law

Потрібна допомога адвоката?

Залишай заявку

Scroll to Top