It is a common misconception that the General Data Protection Regulation (GDPR), which applies from May 25 2018, only covers businesses and organizations based within the EU and that international organizations are exempt. This is not the case. The GDPR applies to the processing of personal data of individuals who are in the EU, where that processing relates to offering them goods or services (whether or not payment is required) or to monitoring their behaviour within the EU. This means that any business which has customers within the EU needs to comply with the GDPR no matter where the business itself is based.
It is also important to keep in mind that, while it is an EU regulation, it does not apply only, or even specifically, to EU citizens. It is a law concerning the territory of the EU, not the nationality of EU Member States' citizens. As such, a Chinese person on holiday in Italy would be covered by the GDPR, whereas a Dutch person located in Singapore would not.
This is an important point for data protection professionals across the world. Failure to comply with the GDPR could lead to their businesses facing sanctions and punishments, including fines of up to €20 million or 4% of their global annual turnover, whichever is greater. They should take careful note of where they collect their data and how it is processed, among other considerations.
Organizations with offices within the EU will also be governed by GDPR rules. The GDPR notes that “any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union”. In short, this requires groups established within the EU that process or collect personal data, either themselves or through a subsidiary, to comply with the GDPR and its stipulations even when the processing is carried out elsewhere.
What do International Organizations Need to Consider?
Given that the GDPR can apply to international organizations and businesses, what do international data professionals need to think about?
- The requirement to obtain valid consent to process data. Consent must involve a conscious and informed act by the individual. For instance, a pre-ticked check box is not sufficient. The data controller must be identified, as well as any third parties that will also have access to the data. Under the GDPR, consent must be given through an unambiguous affirmative act on the part of the user, separate from, for example, agreeing to general terms and conditions. It should be noted that inaction, such as silence or failing to opt out, does not constitute consent. Any consent previously gathered in a way that does not meet this standard is invalid and must be reacquired.
- The requirement to provide details of the data they hold when a Subject Access Request (SAR) is received. The data must normally be provided free of charge and within one month of the request, a period that can be extended by a further two months where requests are complex or numerous, provided the individual is told of the extension within the first month. The GDPR also introduces a right to data portability, allowing individuals to receive a copy of the data they provided in a structured, commonly used, machine-readable format, either to review it or to have it transmitted to a different data controller.
- The right to be forgotten (the right to erasure). This applies when data is no longer required for any legitimate reason or when an individual asks for their data to be deleted. Certain legal requirements mean that some data in areas such as finance or employment, for example, cannot be deleted. Otherwise, organizations should prepare systems that allow periodic reviews of data to check whether it is still relevant or is eligible to be erased, and that can act on deletion requests.
All of these issues are important factors in complying with the GDPR. They need to be adhered to by all businesses and organizations around the globe that deal with customers who are based within the EU. Processes should be put in place sooner rather than later to ensure employees are trained and the supporting systems are up to the task.