In today's environment, business digitalization and the rapid increase in the use of digitalization tools in the processing of personal data, both professional and personal, increase the risks to personal data protection and confidentiality, including its theft by fraudsters and hackers via the Internet. The transition of companies to the digital space creates new risks and challenges for the protection of personal data. Therefore, the implementation of the General Data Protection Regulation (hereinafter – GDPR) in the operation of enterprises is becoming increasingly relevant and necessary.
The implementation of the GDPR in the operation of enterprises has been studied by Ukrainian researchers, such as O. I. Urtaiev [1] and O. Ye. Lutsenko [2], who proved that implementing the GDPR in the functioning of Ukrainian enterprises is a necessary condition for those enterprises to reach the European level. However, researchers have not yet studied the implementation of the GDPR in Ukrainian enterprises that are international companies. This article aims to fill that knowledge gap. Thus, the purpose of the article is to analyze the legal aspects of GDPR implementation in international companies.
In 2018, GDPR came into force, which is a regulation within the legislation of the European Union on the protection of personal data of all individuals within the European Union and the European Economic Area. It is important to understand that international companies located outside the European Union (hereinafter referred to as the EU) must also comply with the basic rules of the GDPR, which directly affects Ukrainian companies. This law has six main data protection principles, as shown in Table 1.
Table 1
Key GDPR data protection principles
Source: created by the author based on [3]
Analyzing the data shown in Table 1, we can conclude that although the law is based on six main principles, its core is data protection, which is ensured by transparency and accountability [3]. On the one hand, the law improves the protection of data subjects' privacy and facilitates the work of organizations and companies by clarifying rules, more specific requirements and even direct instructions on how to apply the provisions. On the other hand, the new GDPR obligations introduce significant changes to the way companies operate in terms of privacy protection. All companies that work with the personal data of EU residents or monitor the behavioral data of individuals in the EU, regardless of their location, are subject to the GDPR. This means that non-EU companies and international companies must comply with both national laws and the GDPR.
The unilateral exercise of EU jurisdiction in certain data protection situations has implications for global companies, governments, and internet users. Analyzing the legal requirements for GDPR implementation for international companies, it can be concluded that EU data protection principles have migrated abroad, becoming the basis for, and even forcing changes in, the data protection practices of international and non-EU companies, as well as the laws and practices of third countries, depending on the EU's regulatory socialization and bargaining power. EU data protection law, strengthened by its extraterritorial application, has become a global source of inspiration. The main incentive for third countries and operators to adopt data protection standards equivalent to those of the EU remains the fear of losing access to the EU market. Regardless of the reason for adoption, the EU's extraterritoriality shapes global data protection standards. The normative question remains as to how aggressively the EU should impose its data protection laws on foreign service providers or third countries [4].
It is also important to note the challenges that international companies face in implementing the GDPR. While a fundamental rights-based interpretation of data protection legislation may be positive from the perspective of an EU citizen or resident, it may create an additional and potentially unwanted burden for EU policymakers. Such interpretations put pressure on EU institutions not to neglect the data protection of EU residents when concluding data transfer agreements with third countries or when allowing foreign operators to conduct commercial activities in the EU market [4]. As legal texts and other documents of international companies are open to interpretation, it is of paramount importance to seek legal advice on their interpretation in order to obtain a correct and clear explanation. The GDPR and its implementation are no exception. Since the legal aspects are multifaceted, detailed preparation of documents is one of the keys to effective operation, as they must fully comply with GDPR requirements. Detailed and systematic documentation is a prerequisite to protect data confidentiality and ensure transparency in the event of an audit by supervisory authorities. In addition, the challenge for international companies is to strike a balance between the right to data protection and the preservation of other fundamental rights (Figure 1).
Figure 1. Tensions between data protection law and other rights
Source: created by the author based on [5]
In addition, the right to privacy conflicts with the Data Protection Act. These circumstances significantly complicate the implementation of data protection law. Therefore, in order to effectively navigate the legal aspects, international companies must skillfully manage the requirements of the GDPR in combination with other legal and regulatory frameworks [5].
Thus, analyzing all the above aspects, we can conclude that the GDPR is not a burden for international companies, but a significant opportunity to improve their performance. The GDPR goes beyond the current legislation and requires higher standards for data processing organizations, but these higher standards are philosophically consistent with best practices and ethical approaches. Organizational arrangements must be more efficient and effective, but the GDPR builds on the transparency and trust enshrined in national and international codes and best practices that put the interests of research participants first.
References:
1. Urtaiev O. I. Implementation of the GDPR rules as an important factor in the entry of Ukrainian companies to the EU market. Scientific Notes of the International Humanitarian University. 2023. No. 39. P. 17-20. URL: https://doi.org/10.32782/2663-5682/2023/39/04 (date of access: 31.05.2024).
2. Lutsenko O. Y. Legal regulation of the protection of personal data of employees under the GDPR. Law and Society. 2023. Vol. 2, no. 2. P. 134-141. URL: https://doi.org/10.32842/2078-3736/2023.2.2.20 (date of access: 31.05.2024).
3. General Data Protection Regulation (GDPR). 2018. Intersoft Consulting. URL: https://gdpr-info.eu/ (date of access: 31.05.2024).
4. Ryngaert C., Taylor M. The GDPR as Global Data Protection Regulation?. AJIL Unbound. 2020. Vol. 114. P. 5-9. URL: https://doi.org/10.1017/aju.2019.80 (date of access: 31.05.2024).
5. Smirnova Y., Travieso-Morales V. Understanding challenges of GDPR implementation in business enterprises: a systematic literature review. International Journal of Law and Management. 2024. Vol. 66 No. 3. P. 326-344. URL: https://doi.org/10.1108/ijlma-08-2023-0170 (date of access: 31.05.2024).