The General Data Protection Regulation may be a European Union (EU) established regulation, but that doesn’t mean its impact will remain within the continent. Your company not being based within the region doesn’t necessarily disqualify you from GDPR requirements. Here’s why non-EU based companies should still be concerned.

Countries where GDPR requirements will affect
GDPR: requirements that transcend borders. Image by Christine Roy on Unsplash

Replacing the current Data Protection Directive, the GDPR is the EU’s new regulation that aims to safeguard the personal data of individuals within the region. Coming into force on May 25th, 2018, it is the Union’s attempt in creating a unified data protection regulation across the 28 member states. At the time of writing, despite recent Brexit changes, the GDPR also includes the UK.

But how does a European-based regulation affect my non-EU company, you ask?

Well, one of the key changes — or should I say updates — of the new regulation is its focus on tackling privacy issues that have developed due to the ever expanding digital economy. Since the creation of the Data Protection Directive in 1995, the evolution of the internet has made it an accessible and essential aspect of everyday life, and current regulations just haven’t quite kept up . The internet has also produced a type of borderless world where data can travel across borders sans passport or visa in the blink of an eye. I mean, think about how easy it is to transfer money to someone overseas, or to sign up to a newsletter of an international publication, or even to purchase an item from a store on the other side of the globe! Not necessarily a difficult feat for a business or organization that’s not even based within an arm’s reach of where you are to obtain your personal data.

What is meant by personal data under the GDPR is kind of a grey area. Although not quite explicit, a little clarity is provided through this definition found on the GDPR portal, “any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”

So, in order for GDPR to cater to such a pressing issue, its requirements had to go beyond physical locality. It had to put its focus on data subjects (you, the individual) instead of geographic location.

Increased territorial scope

In the GDPR overview, Article 3 addresses territorial scope. It explains how GDPR requirements not only apply to businesses and organizations located within the EU — which is a given, duh — but also which companies outside of the jurisdiction it may be applicable too as well. Here are the companies that it will affect:

  • Businesses or organizations established in the EU who process personal data even though they’re not physically within the region when doing the processing;
  • Non-EU established companies who process personal data of EU individuals, where the processing activities are related to:

— The offering of goods or services, regardless of whether a payment of the data subject is required, to such data subjects in the Union; or

— The monitoring of their behavior as far as their behavior takes place within the Union;

  • And non-EU established companies processing personal data where Member State law applies by virtue of public international law.

Basically, if your non-EU based company has offices within the region, or processes personal data of people within the EU, and/or if EU law applies in your country — then, you best start putting together a GDPR requirements list and take action.

Preparing for the GDPR

If you’re still reading this, your company probably answered yes to the aforementioned Article 3 applicabilities. Have no fear, as preparing for the GDPR doesn’t have to be a daunting experience.

After reading up and familiarizing yourself and your employees on the proposed laws and policies, best practice would be to create a GDPR compliance checklist. Checklists are a useful way to ensure you don’t miss vital information or skip a step in the process. Plus, there are handy tools available on the market (ahem, like Zenkit) that can make creating and sharing an effortless affair, thus making the preparation for compliance an easier process.

Recommended things to pop onto your list:

  • Creating a data audit that records who, how and why your company processes personal data
  • Strengthening security systems
  • Implementing a process for data breach notifications — FYI you have only 72 hours of first becoming aware of the breach to report it
  • Knowing the digital rights of data subjects, such as the right to be forgotten, data portability, and the right to access
  • Understanding the seriousness of consent, including eliminating default-consent and knowing the various ages of consent across the different member states

For more info on this, check out our GDPR explained piece.

Enforceability

So you may be thinking, “how seriously do I need to take the GDPR requirements? Data is tricky to monitor so what are the chances my company will be observed?” While I can’t give you a solid response to that, I can present to you the proposed consequences for non-compliance (hint: it ain’t pretty).

Businesses or organizations who fail to comply with the GDPR requirements face fines of up to €20,000,000 or 4% of the business’s annual global turnover—whichever is the greater of the two. There is a tiered approach to fines depending on the severity of the non-compliance. For instance, not having your records in order will face a lesser penalty than violating consent rights. The hefty consequences also apply to both controllers and processors, meaning that even if you’re company is an SaaS provider, you are not exempt from all of this.


Even if the GDPR does not directly impact your company, it may still influence the way you deal with personal data. When the regulation rolls out in two months, it will no doubt put forth a precedent for future data protection standards, so establishing a similar framework of compliance now wouldn’t be the worst of ideas, would it?

Cheers,

Dinnie and the Zenkit Team