The General Data Protection Regulation (GDPR) made global headlines when it came into force in May 2018. Despite its importance, there has been much confusion over its scope and over who exactly is required to comply with its rules. Because it was enacted by the European Union, many individuals and businesses assume that it only affects organisations headquartered within the EU, and that it only protects the data of EU citizens. This article explains why both assumptions are incorrect, and outlines GDPR's territorial scope, who is required to comply, and whose data it protects.
Who must comply with GDPR?
Any organisation that collects or processes personal data in the context of an establishment in the EU is subject to GDPR, regardless of where its headquarters is physically located. This includes businesses that collect or process data only through a subsidiary or branch based in the EU while the parent company sits elsewhere. Organisations with no EU establishment at all are still caught if they offer goods or services to people in the EU, or monitor the behaviour of people in the EU (for example, by tracking visitors to a website).
GDPR therefore significantly affects the business practices of many international organisations, large technology companies in particular. An organisation must comply even if the EU accounts for only a small part of its customer base. GDPR also covers all types of organisation, including public agencies, governments, and companies of every size.
As a reminder, the EU Member States are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.
Although the UK is due to leave the EU in March 2019, GDPR was written into UK law in May 2018 alongside the other member states (through the Data Protection Act 2018). GDPR's requirements will therefore remain part of UK law after Brexit.
Who is protected by GDPR?
Alongside the belief that GDPR only applies to organisations in the EU, many believe that GDPR only protects the data of EU citizens. In fact, GDPR protects the data of any individual, whatever their nationality, whose data is collected while they are within the borders of an EU country. Conversely, the data of an EU citizen collected outside the EU by an organisation with no establishment in the EU is generally not covered; what matters is where the person is when their data is collected, not their passport.
An example may prove useful. If an American citizen temporarily residing in or travelling through an EU country, such as Ireland, provides personal information during a transaction with a local business, such as handing over some details to use a WiFi service, that personal information is covered by GDPR because the person was located in the EU. The American citizen keeps their rights over that data even after travelling back to the United States, because the data was collected in the EU.
Conversely, an Irish citizen travelling in America would not be covered by GDPR when handing the same kind of details to a US business with no establishment in the EU. Any data they provide in such a transaction would instead be subject to the applicable US federal and state data protection laws.
Despite the critical importance of the regulation, organisations outside the EU may have ignored much of the news surrounding GDPR and so be unaware of its effect on their operations. If you are unsure how the regulation affects your business, seek legal advice to ensure that your business practices are fully GDPR compliant.