In May 2018, the European Union passed the most powerful piece of privacy legislation ever. Called the General Data Protection Regulation, it has global implications and serious consequences for non-compliance.
Google was fined 50 million Euros for failing to comply with the GDPR, which demonstrates how serious the EU is about putting data control back into owners’ hands.
If your business isn’t based in the European Union, that doesn’t automatically mean you are off the hook for GDPR compliance. Read on to find out how this regulation applies to your organization and steps to take towards compliance if it does.
Work towards GDPR compliance in your organization using our free checklist.
What Is the GDPR?
While the GDPR is a long document, you can boil the regulation down to a few simple goals.
It was designed to regulate privacy laws across the European Union and protect and empower people in terms of their data privacy. For businesses, the GDPR levels the playing field and increases customer trust in them which has the potential to boost business.
The GDPR aims to protect the rights of EU residents and visitors, requiring organizations to ensure the following:
- Right of access to their data
- Right to rectification (correct inaccurate information)
- Right to erasure (request that all their data be permanently deleted)
- Right to restriction of processing (request that data no longer be used but can still be stored)
- Right to data portability (transfer data to another controller)
- Right to object (request that data not be used for certain purposes like direct marketing)
Learn even more details on GDPR with our free webinar from AsTech Consulting’s CEO Greg Reber.
Who Is Subject to GDPR Compliance?
While the compliance requirements for the GDPR are pretty straightforward, the scope is a bit more confusing. Businesses that operate within the European Union obviously fall under this regulation, but so do many organizations in other parts of the world.
The rule sounds simple but is often confusing in practice. To make it easier to figure out whether the GDPR applies to your organization, consider these criteria:
- Does your business process data based on activities that take place in the EU, whether or not the processing actually takes place in the EU?
- Do you offer paid or unpaid goods and services to EU customers?
- Do you monitor the behavior of individuals in the EU?
Keep in mind that merely being accessible to people in the EU does not mean you are subject to GDPR compliance. To fall under the regulation’s scope, you have to specifically target EU individuals when offering your goods or services. This could mean:
- Marketing or ad campaigns targeting EU customers
- Operating in an EU language or currency
- Having an EU domain or sub-domain name (like .eu or .de)
- Having dedicated addresses or phone numbers for EU customers
- Ability to deliver goods to the EU
If your organization monitors the data of individuals in the EU, such as using geo-location for marketing, behavioral advertising, marketing surveys, or online tracking cookies, you also fall under the extraterritorial scope of the GDPR. Even storing the personal information of people in the EU (like names and email addresses) requires your business to comply.
It is important to remember that the location of the data subjects is what matters under the GDPR, while their residence, legal status, and nationality are not. The actual geographical location of the controller or processor is also irrelevant.
Follow 23 easy steps towards GDPR compliance here.
GDPR Scope Examples
Still not sure if the GDPR applies to you? Here are some examples to help.
A pharmaceutical company in Spain does many of its clinical trials in Africa. Their subjects are in Africa and the data from the trials is also processed there. Do they need to comply?
YES! While the subjects and processor are not in the EU, the controller of the data still is. Because the company is based in Spain, the data is stored and used there, making them subject to GDPR compliance.
A mobile app allows users to find inexpensive hotel deals. The app is based in Canada, but it includes information on hotels located in EU countries. Do they need to comply?
YES! The fact that you can book hotels in EU countries shows that the app is clearly targeting EU individuals. As a result, this company is subject to GDPR compliance.
A shop based in Tokyo receives many European customers there on vacation. The shop processes their data for payment purposes. All of the data processing and controlling is done in Tokyo. The shop does not store the personal data. Do they need to comply?
NO! Even though the customers are EU citizens, their data is not controlled or processed in the EU. There is no advertising or marketing done outside of Japan. Because there is no direct connection to EU individuals besides allowing them access to the shop, they do not fall under the GDPR’s scope.
GDPR Compliance Is Essential
GDPR compliance for US companies and others around the world can be tricky to understand. With hefty fines for noncompliance, it’s a mistake no one can afford to make. Each factor must be considered both on its own and in combination with the others to figure out whether your organization falls under the regulation’s scope.
Follow these tips and when in doubt, hire legal counsel to give you advice about GDPR compliance.