The General Data Protection Regulation (GDPR) came into effect in May 2018. It was designed by European Union lawmakers to update existing data protection laws, yet many individuals and businesses think that it only affects organisations headquartered within the EU, and only protects the data of European citizens. This article will explore why these statements are untrue, and outline GDPR’s jurisdiction, who is required to comply, and whose data is protected.
Any organisation which collects or processes data within the EU is subject to GDPR compliance, regardless of the physical location of its headquarters. This includes businesses that only collect or process data through a subsidiary or branch of the main company that is based in the EU. Due to the global nature of modern enterprise, this will affect many international organisations, particularly large tech companies. Even if the EU is only a small part of the business’s consumer base, the business will have to alter its practices in order to comply with GDPR.
As a reminder, the EU Member States are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.
Although the UK is due to leave the EU in March 2019, GDPR was incorporated into UK law in May 2018 along with the other member states. Therefore, GDPR will remain part of UK law after Brexit.
All organisations which operate within EU Member States must process data collected from anyone within those states’ borders according to GDPR rules. GDPR covers all types of organisations, including public agencies, governments, and companies of all sizes.
As mentioned above, it is a common misconception that GDPR only protects the data of EU citizens. In fact, GDPR governs the collection of data from any individual, regardless of nationality, whose data is collected while they are within the borders of an EU country. Conversely, GDPR does not apply to the data of EU citizens if that data is collected outside of the EU’s borders.
An example may prove useful. If an Australian citizen is temporarily residing or travelling in an EU country, such as Ireland, and provides personal information during a transaction at a local business, such as a hotel, this personal information is covered by GDPR because the person is located within the EU. The Australian citizen retains rights concerning their data even after they travel back to Australia, as that data was collected in the EU. The organisation must treat all data it collects with equal care, regardless of the nationality of the individual from whom it was collected.
The reverse is also true. An Irish citizen travelling in Australia would not be covered by GDPR. Any data that they provide to an organisation in a transaction similar to the one above would be subject to Australia’s own data protection laws.
Despite the critical importance of the new regulations, organisations outside of the EU may have ignored much of the news surrounding GDPR and are therefore unaware of its effect on their operations. GDPR is a complex piece of legislation, and if you are unsure about how the regulations affect your business, it is recommended that you seek legal advice to ensure that your business practices are fully GDPR compliant.