The EU General Data Protection Regulation (GDPR) comes into force in less than a year. The regulation, which replaces the 1995 Data Protection Directive, changes the way personal data is handled and processed in the EU. It provides for fines of up to €20 million or 4 percent of global annual turnover, whichever is greater, for firms that do not comply.
The GDPR covers companies operating within the EU. But there are questions about firms residing outside the bloc: For example, what exactly does the regulation mean for businesses based in the US? And will the UK need to adhere to GDPR after Brexit?
The short answer is that the regulation will affect firms both inside and outside the EU. Any company that handles the personal data of EU residents or citizens, whether collected directly or received from EU businesses, will have to comply with the GDPR.
The guidance makes clear that all organisations handling such data will be required to comply, regardless of jurisdiction, says Jamal Elmellas, chief technology officer at Auriga Consulting.
Taking this into account, he advises: “Organisations outside of Europe must first decide if they currently conduct – or are planning to conduct – business in the region. Once they have answered this question, the next port of call is dissecting their intended business model to understand if they handle citizen data and if so, what that data is.”
This requires careful consideration: Even if a company does not have a European presence, it will still have to understand the impact of GDPR if it processes an EU resident’s personal data in connection with goods and services offered to that person, says Saurabh Ghelani, data protection and GDPR expert at PA Consulting Group.
A company may also fall within the scope of the GDPR if it ‘monitors the behaviour’ of individuals within the EU, says Ghelani.
The GDPR guidance describes this as occurring when “individuals are tracked on the internet”, including the potential use of profiling techniques to make decisions about the data subject, or to analyse or predict personal preferences, behaviours and attitudes.
Something else that might not be obvious, warns Ghelani, is that GDPR will apply to non-EU data processors. This includes cloud service providers storing or hosting the personal information of EU data subjects.
So the update to data protection regulation will reach far beyond EU borders. As experts point out, there are multiple factors influencing whether non-EU companies have to abide by the rules. But in an increasingly digital world, most large companies deal with EU data in some shape or form.
And firms do not have long to ensure they comply with the regulation, which comes into force in May 2018. So what should companies be doing now in order to achieve compliance with the General Data Protection Regulation?
Many businesses will not be fully compliant by the deadline. But Mark Taylor, partner at law firm Osborne Clarke, says it is important to start laying the groundwork now. “Raise awareness internally and get key stakeholders on board,” he advises. “As part of this, look at how you are currently processing the data of those residing inside the EU.”