We know that the European Union’s General Data Protection Regulation (GDPR) legislation that is now enforceable applies to companies that are based or do business in the European Union, but what does this new legislation mean for those of us outside the EU? Some of you might be tempted to skip this post now because you’re not in the EU, but that could be a big mistake.
The GDPR legislation uses the term increased territorial scope, which means that it applies to companies that are in the EU and those that aren’t.
This means that if your business collects any form of personal data from an EU citizen, whether they are living in the EU or not, then you are required to comply with GDPR and you are subject to their 20 million Euro penalties for non-compliance.
So what is this personal data? Personal data could include information collected during a transaction in an online store, or even analytics data describing their online behaviour if it takes place in the EU.
The wording of Article 3 of the GDPR confirms its applicability to any ‘data subject’ in the EU, meaning a person of any citizenship living in the EU: both EU citizens and non-citizens residing in the EU. This protects the personal data of anyone in the Union, even people who are just visiting.
This means that if your business is global or sells to customers who are part of the European Union then the GDPR responsibilities and laws apply to you and your business.
Research conducted in the UK showed that many businesses failed to understand this reach of GDPR, and many were not ready by the compliance date. It is estimated that only 38% of businesses were ready in time. This figure is worse overseas, and many businesses remain non-compliant.
So you might be thinking: how can this be enforced? If your business is based outside the EU and you were targeted because you did not meet the GDPR requirements, then at the moment the process for serving formal enforcement is unclear. Conceivably, however, they could use a court injunction, they could block an online service, or they could seize goods at the border.
Many organisations don’t know what data they hold on EU customers, so it might be worth investigating and checking whether your data collection, storage and compliance obligations are met under EU laws.