There is no doubt that the enforcement of the European General Data Protection Regulation on May 25th 2018 caused a seismic quake in the commercial world, as well as across government departments and not-for-profit organisations far and wide. But it doesn’t just apply to EU businesses. As stated on the Europa.eu website, “the law applies to:
- a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
- a company established outside the EU offering goods/services (paid or for free) or monitoring the behaviour of individuals in the EU.*
So, if you’re (for example) a business with an office based in (say) Ireland, and you collect or process personal data for (let’s say) US citizens, then as your business has a premises in the EU (Ireland) then your business must protect the personal data of non-EU citizens in the same way as if they were EU citizens.
If you are a company who is solely based in the (let’s say – US) and you serve customers/users/audiences who are citizens of any EU country, then you must have appropriate safeguards and measures in place to protect the personal data of those customers/users/audiences.
Personal data is defined (in the official GDPR text as) “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
If you process personal data and one of the above scenarios apply to you, the regulation also states that you must appoint a Data Protection Officer if:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular or systematic monitoring of data subjects on a large scale, or
- the core activities of the controller or processor consist of processing on a large scale of special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, processing of genetic data, biometric data for the purpose of identifying a natural person, data concerning health or a natural person’s sex life/orientation). Incidentally, you are prohibited from processing such special categories of data unless you have received explicit consent from the data subject, or you can justify processing via another legal basis.
Processing, as defined under Article 4 of the GDPR, means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”
The Regulation does not apply to companies who are based outside of the EU and only serves a non-eu customer/user/audience base. So, if you do not target your services to EU based individuals then the GDPR does not apply to you. However, there might be other Data Protection Laws that your business will be subject to.