The Surprisingly Wide Reach of GDPR
The EU’s General Data Protection Regulation (Regulation 2016/679)–commonly called GDPR came into force on 25th May 2018. The wide-ranging and comprehensive overhaul of data protection requirements it introduced have been well covered. One of the aims of GDPR is to “strengthen and unify data protection for all individuals within the European Union”. Given that wording, does its territorial reach only cover the European Union?
One of the surprising things about GDPR is that it can apply to companies in any country in the world if certain conditions are met. This means that companies based in any country out of the EU can be subject to GDPR requirements. And that is the case even if that company does not have any employees in the EU and has no offices there either. With maximum fines for failing to comply with GDPR’s requirements running up to the larger of €20 million or 4 percent of worldwide turnover for the worst breaches, not being compliant can have serious consequences. Those ramifications are not just financial but also reputational.
The global nature of business means the rules and requirements affecting the processing of personal data are varied and complex
How can GDPR have such a wide reach? That is down to how Article 3 has been written. This says that GDPR applies where there is a data processing activity taking place outside the EU that has data protection implications for an individual within the EU. These activities include:
• Where your organisation is offering goods or services to data subjects within the EU, even if you are not charging for the goods or services. Just having your website available in the EU does not necessarily mean that GDPR will apply. But if you need to handle personal data about EU individuals to ship goods to EU-based buyers, for example, their name, address, financial information, data like their clothing sizes or dates of birth, then GDPR will apply.
• Processing data on EU residents– and GDPR defines data processing so widely it covers practically any activity to do with data handling or storage: “collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction.” If your organisation carries out any of those tasks about people based in the EU, then GDPR will apply.
• Monitoring data subjects’ behaviour, where the behaviour takes place in the EU. Although GDPR does not define what monitoring data subjects’ behaviour is, Recital 24 suggests that internet tracking of EU residents will be included. This means that where a profile is built up of an EU individual to predict or analyse their likely behaviour, for example, what they might buy or their attitudes, and behavioural advertising targeted at EU residents, is likely to be covered by GDPR. This is the case even when the tracking is undertaken by an organisation based outside the EU.
What does being covered by GDPR mean? Well, that is beyond the scope of this article, and you should seek expert advice on what it means for your organisation. However, some main points are:
• Make sure you can comply with individuals’ rights. Under GDPR individuals have the right to access the personal information held about them, obtain copies, to be told why it is being processed, how long it is kept for and who it has been shared with. They also have the right to rectification (to have incorrect information put right); and in some circumstances the right to have processing stopped, to have their data erased (often called the right to be forgotten), and the right to object to processing.
• Ensure you have appropriate technical and organisational mechanisms to safeguard personal data, so it is secure from hacking, unauthorised access, loss, and corruption etc. What will be appropriate in any case will vary depending on how sensitive the data is that you are processing, the volume of data processed, the technology used and the organisation’s size. Balancing the costs of the available measures against the likelihood of a data breach and how serious it could be will help ascertain what is appropriate.
• Ensure your organisation knows what a personal data breach is and how to recognise one quickly. Data breaches that are likely to lead to “a risk for the rights and freedoms” of data subjects must be reported to the appropriate Supervisory Authority within 72 hours of the organisation first becoming aware of the breach. This means if the incident is likely to cause reputational damage, financial loss or damage, enable identity theft or lead to discrimination; for example, it needs to be reported. If the breach is “likely to result in a high risk” to “the rights and freedoms” of data subjects, then all those affected need to be informed, although there are some circumstances where notifying all those affected will not be required.
The global nature of business means the rules and requirements affecting the processing of personal data are varied and complex. Companies based outside the EU may be unpleasantly surprised to find they need to factor in compliance with EU data protection requirements in addition to their local laws. They need to do so to avoid fines and reputational damage.