If you think that your company will not be subject to the General Data Protection Regulation (GDPR) because it is not based in a country within the European Union (EU), you may be in for a rude awakening. Compliance with the GDPR is not solely related to where a company is physically located, so even organizations located outside the EU may need to take measures to avoid violating this new law. As such, there are no “GDPR countries” or a list of “countries affected by GDPR” in the sense that it potentially impacts any country.
A company with any offices located within the EU, or one that processes the personal data of any EU individuals (EU data subjects, in the terms of the GDPR legislation), must comply with the GDPR. Given the global nature of most business today, it is likely that the majority of companies – especially those that trade online – will be subject to the GDPR rules.
The terms used most consistently throughout the GDPR are “natural person” and “data subject”; “personal data” means any information relating to an identified or identifiable natural person (“data subject”).
This is because the GDPR stipulations apply when personal data of a data subject, who is located in an EU country at the time, is processed. Therefore, an American passing through a Duty-Free shop in Europe would have GDPR apply to his or her data processed during that transaction.
Additional Scope and Reach of GDPR
Article 3(1) of the GDPR widens the reach of the Regulation to potentially include almost anyone in the world, by applying the GDPR to EU Data Controllers and Data Processors and their operations even where the processing takes place outside the Union.
Article 3(1) states: “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
Therefore, where a Controller or Processor established in the EU processes the data of data subjects located anywhere in the world – for example a Chinese data subject living in China whose data is processed by an EU-established Data Controller or Processor – that data subject can also expect the GDPR to apply.
A “Controller” under the GDPR is the organisation or company which determines the purposes of the processing of personal data, whereas a “Processor” carries out the processing of the personal data on behalf of the “Controller”. A “Processor” can further engage “Sub-Processors”, and the “Controller” has visibility and approval rights over these “Sub-Processors”.
“Processing” of personal data is defined in Article 4 of the GDPR, and the definition is extensive.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Primary GDPR Countries That Will Be Affected
While organizations in most countries are likely to be affected by the GDPR – and almost certainly will be if they process personal data of data subjects in the EU when trading internationally – the greatest impact will be felt within the EU itself. This is because, logically, organizations there will process more personal data of EU data subjects. As a reminder, the EU member countries subject to the GDPR are:
- Republic of Cyprus
- Czech Republic
Even with the upcoming Brexit – the UK’s decision to leave the EU – the GDPR will still be introduced into British law, as the UK will still be part of the Union when the law takes effect. It is also worth noting that GDPR standards are already being incorporated into UK law and will remain part of that law even when the UK is no longer in the EU. So the UK is to remain one of the countries covered by the GDPR. In the event of a hard Brexit, it remains to be seen whether or not the EU will designate the UK an adequate country for data protection purposes; failing that designation, companies will have to use an alternative transfer mechanism.
All organizations in EU Member States, including public agencies and governments, must process personal data that is collected from anyone within their boundaries according to GDPR rules. This still holds true even when the person is a citizen of a non-EU country and visiting Europe.
The GDPR Effect on Non-EU States
The effect of the GDPR is going to be felt the world over, although probably with a slight delay in countries outside the EU. This is because companies in these countries are less likely to be aware of the regulation, and are therefore less likely to be prepared. Many are not certain what the GDPR will change for them, and others believe that they are not subject to the rules.
Another issue is cultural in nature: countries such as the US do not have an overall expectation of privacy. Protections are in place for certain types of data, such as HIPAA, which governs information about health, and the Gramm-Leach-Bliley Act (GLBA), which regulates financial information. Even so, “general data” is not covered by these. This means that US companies face needing two different systems for processing personal data in accordance with the applicable laws: one for data collected from anyone inside the EU, and one for data collected from anyone outside the EU. In reality, this may prove too complicated and costly for most companies. A sensible solution may be for US-based companies to adopt a “one-size-fits-all” approach to dealing with the personal data of individuals. This approach could be used for the data of any individual while complying with the GDPR and the HIPAA or GLBA rules. It remains to be seen how many US companies will adopt this approach.
Transferring Data Outside of the EU
There are strict rules that must be followed when transferring personal data to a third country or to an organisation outside the EU, as set out in Chapter 5 of the GDPR. The EU Commission allows data to be transferred when an adequate level of legal data protection can be shown to be in place in the third country. Interestingly, the US is not currently considered to have a high enough level of protection for data to be transferred there; therefore US companies must be signed up to Privacy Shield or have another approved transfer mechanism in place.
Data can be transferred to individual organizations, even in “non-adequate” countries, if the organization that is receiving the data can prove that it has sufficient safeguards in place to protect the data. These safeguards could include:
- Data protection clauses that have been approved by the Commission.
- Legally binding agreements between public authorities.
- Certification by a Commission approved certification mechanism.
- Binding corporate rules that apply between different organisations that form a corporate group.
The rules for transferring personal data outside of the EU are strict in order to ensure that every individual within the EU has the same rights and freedoms, no matter where their personal data is stored and processed.
What Does This Mean For Your Company?
The GDPR, then, is not country-based; its application depends on whether or not your company is processing the personal data of data subjects within the EU.
Any company that does not comply with the rules could be fined or face sanctions. Maximum fines will be as much as either 4% of global annual turnover or €20 million – whichever is higher. Compliance is therefore obviously of paramount importance.
Although companies may need to make some changes to the way they process personal data as a result of the GDPR, it is likely to make things easier in the long run. Dealing with different sets of regulations for different EU countries is time-consuming and expensive. A single EU standard can help streamline processing and reduce costs. Some companies, even US ones, have decided to apply a GDPR standard to all of their international offices.
It is important that companies start to work on compliance as soon as possible. They need to carry out an audit of the data they hold: verify the categories of personal data and the legal basis for processing; document where the company is a Controller or Processor; document who the data is shared with internally and externally; and document any international transfers of personal data. This is all part of the Article 30 requirement for a data inventory.
It is important that this work is carried out promptly so that companies know that they are moving towards compliance and are not at risk of being sanctioned. After all, no company wants to face the financial implications, the potential international trading issues or the reputational damage that could result from non-compliance. GDPR compliance is not a one-off tick-box exercise but an ongoing project that needs to be operationalised within the organisation.