MY BUSINESS IS NOT IN THE EU – DOES GDPR APPLY TO ME?
Many organisations that are not based in the EU are asking why GDPR should apply to their business. If your organisation is based in the US, you may be thinking: what on earth has GDPR got to do with me?
GDPR – PROTECTING PERSONAL DATA
Let’s start by considering why GDPR is coming into effect. The main aim of GDPR is to offer those within the EU more
- protection in respect of their personal data, and
- control over that data.
That’s why the definition of personal data under GDPR extends the current definition to data from which you can identify a natural person “directly or indirectly” using “all means reasonably likely to be used”. This broad definition means that online identifiers such as IP addresses will form part of personal data, but it also means having to consider issues such as whether combining seemingly unrelated datasets you hold could identify an individual person.
In view of its aim of greater protection and control of personal data, GDPR makes it plain that it extends the reach of EU data protection law and will apply to
- any EU-based data controller and/or processor, or those based where EU law would apply, as you would expect, but also to
- a non-EU-based data controller and/or processor who will
  - process personal data of data subjects who are in the EU in relation to goods/services offered to those individuals, whether paid for or free, or
  - “monitor” the behaviour of data subjects within the EU, so far as the behaviour takes place within the EU (think profiling), “particularly to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes”.
EXCEPTIONS – WHEN GDPR MAY NOT APPLY
There are certain exceptions. For example, GDPR won’t apply to certain processing activities, including processing carried out by individuals only for their own personal or household activities, or processing for law enforcement and national security (member states can introduce derogations). In addition, certain data processing situations are treated differently:
- some are exempt, such as processing for freedom of expression and information
- some are subject to additional requirements, as is the case for employee data
I’M OUTSIDE THE EU – WHY DO I HAVE TO COMPLY WITH GDPR?
Since the aim of GDPR is to protect the personal data of individuals within the EU and to give them more control over that data, the regulation must apply to anyone processing the personal data of EU residents, wherever that processor is based, in order to achieve this.
THIS MAKES NO SENSE TO ME – NO OTHER LAWS ARE SO WIDE REACHING ARE THEY?
Most people expect to observe the laws and customs of any country that they are visiting. If you are about to conduct your first business meeting in Japan and this is your first visit to the country, you would expect to research and observe local customs and etiquette. Likewise, if you commit a crime in another country, would you expect not to be punished just because you’re not resident there? Putting aside your personal thoughts regarding the punishment, we currently have EU nationals facing death penalties in non-EU countries, and there are numerous rules (laws) we all have to work within when trading with other countries: civil-law rules covering payment, fees, levies and the nature of goods are commonplace.
PLAYING BY THE RULES
For most organisations the bottom line is that if you intend to offer goods/services to those in the EU or monitor their behaviour then you must be GDPR compliant.
In addition, don’t forget that even if you only process relevant personal data on behalf of others, such as EU-based organisations, the greater duties imposed on those organisations mean that they will be asking you for confirmation (and proof) that you are GDPR compliant. That will be a challenge for many software providers who supply internationally, including to the EU.
Of course, if you are never going to encounter any EU resident’s personal data, then you can ignore GDPR – but do make sure that you have a watertight way of ensuring that you don’t inadvertently process or control such personal data via your website, social media or online presence.
For example, a US business may restrict sales by only allowing shipping to addresses with a US zip code. However, make sure that the same restriction applies to your billing/payment arrangements, so that you are not selling to someone in the EU who is, for example, making the payment themselves but asking a relative in the US to take delivery of the purchase on their behalf to get around your restriction.
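As an added illustration of the shipping-plus-billing check described above (example code, not from the original article): a checkout rule that first applies the weak shipping-only test and then the corrected test that covers the billing address too, so the relative-in-the-US workaround is refused. All country codes, addresses and function names here are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed example: a checkout rule that refuses orders unless BOTH the
# shipping and the billing address are in the US. Sample orders are made up.

# EU member states in 2018 as ISO 3166-1 alpha-2 codes (hypothetical list name).
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
}

# A US ZIP code: five digits, optionally followed by a four-digit extension.
US_ZIP = re.compile(r"^\d{5}(-\d{4})?$")


@dataclass(frozen=True)
class Address:
    country: str      # ISO 3166-1 alpha-2 code
    postal_code: str


@dataclass(frozen=True)
class Order:
    shipping: Address
    billing: Address


def is_us_address(addr: Address) -> bool:
    """True only for a US country code with a well-formed ZIP code."""
    return addr.country.upper() == "US" and bool(US_ZIP.match(addr.postal_code))


def shipping_only_check(order: Order) -> bool:
    """The weak rule from the text: it only looks at where goods are shipped."""
    return is_us_address(order.shipping)


def order_is_acceptable(order: Order) -> Tuple[bool, List[str]]:
    """Corrected rule: shipping AND billing must be US; returns reasons on failure."""
    reasons: List[str] = []
    if not is_us_address(order.shipping):
        reasons.append("shipping address is not a valid US address")
    if not is_us_address(order.billing):
        reasons.append("billing address is not a valid US address")
    if order.billing.country.upper() in EU_COUNTRIES:
        # Name the specific case from the text: an EU payer using a US delivery address.
        reasons.append("payer is located in the EU")
    return (not reasons, reasons)
```

The returned reasons can be logged at checkout so that a refused order is visible to whoever reviews the data flows later.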
CAN GDPR BE ENFORCED OUTSIDE THE EU?
The question and mechanics of enforcing GDPR outside the EU may pose more of an issue. Currently we are told “the policy of the European Community” depends on “cooperation at international level”.
Article 50 of GDPR makes it very plain that the EU and supervisory authorities will be taking “appropriate steps” to “develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data” and “provide international mutual assistance in the enforcement of legislation”.
We may have to wait until after May 2018 to see exactly how it works, but such “cooperation mechanisms” already work well enough for issues such as customs or law enforcement, so a prudent business should bear this in mind.
It’s not worth the risk posed to your business, so it’s time to start looking at the data processes and flows in your business and get help. As well as free resources and information, The Law Hound Group offers free mini audits and chats – so get in touch on the following links.