As referred to previously, the physical location of the institution, group or business is not as important in determining the need to adhere with the GDPR as the physical location of the data subject – the individual whose data is being gathered, processed or stored. We have said earlier that the majority of organizations will find themselves subject to or impacted by the GDPR. However, organizations located within the EU will likely see their practices change to a greater extent. Logically, there is a better chance that they will process a larger amount of data belonging to individuals located in the EU. Organizations in the following countries, the EU member states, will probably be most impacted by GDPR:
- Austria
- Belgium
- Bulgaria
- Croatia
- Republic of Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- United Kingdom
As the United Kingdom is currently still part of the European Union until the end of 2020 GDPR was absorbed into the UK’s domestic law under Clause 3 of the European Union (Withdrawal) Bill. The UK government is also in the process of debating a new Data Protection Bill which is closely linked to GDPR with a few minor exceptions (for example the right of people to have all social media postings from their childhood deleted) and exemptions (for example exemption from the Data protection Bill for journalists and whistle-blowers in certain instances).
Other EU member states have passed legislation to compliment the introduction of the GDPR. Most of them closely match the privacy and security requirements of the GDPR and, where they are different, the changes mostly relate to the age of consent for children, the need to obtain employees’ consent before processing their data, minor restrictions on the Rights of Individuals, and an extension of “special categories” when it is in the public interest.
GDPR will have a worldwide impact even with the relatively small and localized nature of the EU itself. Despite EU countries being more likely to be impacted, non-EU countries are likely to see greater disruption following the introduction of the GDPR. This is due to the fact that organizations based within the EU are more likely to be prepared for the changes as they as more likely to be aware of the introduction of the GDPR. A large number of groups located outside of the EU are still unaware of the coming change or are of the opinion that they are exempt or will be not be impacted.
There is also a sociological difference to consider: non-EU societies such as the United States (US) and others do not have the same expectation of privacy as many EU societies. Privacy laws are in place for specific types of “sensitive” data, such as the Health Insurance Portability and Accountability Act (HIPAA), which regulates healthcare information; or the Gramm-Leach-Bliley Act, which relates to financial information; but “general” data does not enjoy the same protections. Due to this, only US-based organizations and businesses that have Privacy Shield certification will be able to migrate data from the EU.
The need to put in place, staff, and configure parallel systems may introduce too much complexity and drive costs too high for US-based groups and businesses to continue offering their services to the EU market. A potential strategy may be for US-based actors to implement an “all or nothing” approach that protects “general” data in a way currently reserved for “sensitive” data. This may permit the same system to be used to comply with both HIPAA, for example, and the GDPR. As of now, it is not obvious if US groups will attempt this strategy.
The GDPR places stringent controls on data transferred to non-EU countries or international groups. These are listed in Chapter V of the Regulation. Data is allowed to be moved only when the EU Commission has deemed that the transfer destination “ensures an adequate level of protection”.
Data transfers can also take place in situations where the receiving entity can demonstrate that they meet this “adequate level of protection”, subject to periodic review every four years. The necessary protections may incorporate:
– Commission sanctioned data protection clauses
– Legally binding agreements between public bodies
– Commission approved certification
– Binding corporate rules that are policed across different entities within the same corporate group
The transfer of data is strictly regulated so as to offer each person in the EU the same protections and rights under EU law regardless of the location of data storage or processing. This has major implications for organizations in the U.S. that collect, process or store the personal information of EU data subjects. U.S. data protection laws are not thought of as sufficiently robust by the EU to provide adequate protection, and only organizations certified under the EU-US Privacy Shield agreement will be compliant with GDPR when it comes into force (exceptions exist in certain instances).
Above, we have seen a short description of the data concerned by the GDPR – personal data of an individual located within the EU. We have also looked at who is affected and how groups in some non-EU countries may approach GDPR compliance in an efficient manner. Now, we will detail why compliance is important: the maximum fine for violating the GDPR can be as high as €20 million, or 4% of annual turnover, whichever is higher. Compliance is, therefore, a very important aspect of your business to consider.
While some groups will need to change their methods of processing data to be GDPR compliant, the common EU Regulation will make it more simple to deal with data originating from different EU countries.
With the introduction of the GDPR approaching quickly groups must use the time they have left to ensure they will be compliant on May 25. They will need to audit their data and prove that the methods of collecting, processing, and storage – as well as the nature of the data itself – are GDPR compliant.
If the necessary systems are not configured by May 25, groups run the risk of non-compliance, sanctions, and losing business from their European partners.