If you think that your company will not be subject to the General Data Protection Regulation (GDPR) because it is not based in a country within the European Union (EU), you may be in for a rude awakening. Compliance with the GDPR does not depend on where a company is physically located, so even foreign organizations may need to take measures to avoid violating this new law.
Companies with an establishment in the EU must comply with the GDPR. So must companies outside the EU that offer goods or services to individuals in the EU (whether or not payment is involved) or that monitor the behaviour of individuals in the EU, such as by tracking them online. Given the global nature of most business today, it is likely that the majority of companies, especially those that trade online, will be subject to the GDPR rules.
Primary Countries That Will Be Affected
While organizations in most countries are likely to be affected by the GDPR, and almost certainly will be if they trade internationally, the largest impact will be felt within the EU itself, simply because organizations based there process the most data relating to people within the EU. As a reminder, the EU Member States are:
- Austria
- Belgium
- Bulgaria
- Croatia
- Republic of Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- United Kingdom
Even with the upcoming Brexit, the UK's decision to leave the EU, the GDPR will still apply in the UK, because the UK will still be a Member State when the regulation takes effect on 25 May 2018. It is also worth noting that the GDPR's standards are already being written into UK law, so they will remain in force even once the UK is no longer in the EU.
All organizations in EU Member States, including public agencies and governments, must process personal data collected from anyone within their borders according to the GDPR rules. This holds true even when the person is a citizen of a non-EU country who is merely visiting Europe: the regulation protects people in the EU, not only EU citizens.
The GDPR Effect on Non-EU States
The effect of the GDPR is going to be felt the world over, although probably with some delay in countries outside the EU. Companies in these countries are less likely to be aware of the regulation, and therefore less likely to be prepared. Many are unsure what the GDPR will change for them, and others wrongly believe that they are not subject to the rules at all.
Another issue is cultural: countries such as the US have no single, general privacy law. Protections exist for certain categories of data, such as HIPAA, which governs health information, and the Gramm-Leach-Bliley Act (GLBA), which regulates financial information, but "general" personal data falls outside these sector-specific laws. This means that US companies face the prospect of running two different regimes for the processing of personal data: one for data collected from anyone inside the EU, and one for data collected from anyone outside the EU. In practice, this may prove too complicated and costly for most companies. A sensible solution may be for US-based companies to adopt a "one-size-fits-all" approach, applying GDPR-level protections to the personal data of every individual, which would satisfy the GDPR while remaining compatible with HIPAA and GLBA. It remains to be seen how many US companies will take this route.
Transferring Data Outside of the EU
There are strict rules that must be followed when transferring personal data to a third country or to an international organisation outside of the EU, set out in Chapter V (Articles 44 to 50) of the GDPR. The European Commission may issue an "adequacy decision" finding that a third country provides an adequate level of data protection, after which data can flow there without further authorisation. Notably, the US has no general adequacy decision; at the time of writing, transfers to US organisations rely on the EU-US Privacy Shield self-certification scheme or on the safeguards described below.
Data can still be transferred to organizations in countries without an adequacy decision if the controller or processor making the transfer puts "appropriate safeguards" in place and the individuals concerned retain enforceable rights and effective legal remedies. These safeguards include:
- Standard data protection clauses adopted by the Commission (or adopted by a supervisory authority and approved by the Commission).
- Legally binding and enforceable instruments between public authorities.
- An approved code of conduct or certification mechanism, combined with binding and enforceable commitments from the recipient to apply the safeguards.
- Binding corporate rules that apply between the different organisations that form a corporate group.
The rules for transferring personal data outside of the EU are strict in order to ensure that every individual within the EU has the same rights and freedoms, no matter where their personal data is stored and processed.
What Does This Mean For Your Company?
Any company that does not comply with the rules could be fined or face sanctions. Fines are set in two tiers: up to 2% of global annual turnover or €10 million for breaches such as inadequate security or record-keeping, and up to 4% of global annual turnover or €20 million for breaches of the core principles, data subject rights, or the transfer rules, in each case whichever is higher. Compliance is therefore of paramount importance.
Although companies may need to make some changes to the way they process data as a result of the GDPR, it is likely to make things easier in the long run. Dealing with different sets of regulations for different EU countries is time-consuming and expensive. A single EU standard can help streamline processing and reduce costs.
It is important that companies start working on compliance now. They need to carry out an audit of the personal data they hold: establish what it is and where it came from, identify the lawful basis on which it is processed, and, where that basis is consent, ensure the consent obtained meets the GDPR's stringent requirements.
Completing this work early means companies can be confident that they are fully compliant and not at risk of sanctions. After all, no company wants to face the financial consequences, the potential barriers to international trade, or the reputational damage that non-compliance could bring.