The General Data Protection Regulation (GDPR) is European Union (EU) legislation that was passed on April 27, 2016. The GDPR will come into force later this month on May 25. While it is a piece of EU legislation, institutions based outside of the EU must be conscious of its implications and be on their guard to avoid breaching it. The physical location of the organization does not exempt or shield it from facing the ramifications of non-compliance.
Institutions with bases in an EU Member State, or that collect, process or store the personal data of anyone located within an EU country, must comply with GDPR. As businesses and other groups often have an international focus and reach, it is quite probable your company will be required to comply with the GDPR – especially if it is a group that operates or offers services via the Internet.
Countries Affected by the GDPR
As mentioned previously, the physical location of the institution, organization or business is not as important in determining the need to adhere to GDPR as the physical location of the data subject – the person whose data is being collected, processed or stored. We have stated before that most groups will find themselves subject to or impacted by the GDPR. Even so, organizations located within the EU will likely see their business methods change to a large extent. At the very least, they are more likely to process a larger amount of data belonging to people located in the EU. Organizations in the following countries, the EU Member States, will probably be most impacted by GDPR:
As the United Kingdom will still be a member of the European Union when the GDPR becomes enforceable, the regulation will be included in the UK’s domestic law under Clause 3 of the European Union (Withdrawal) Bill. The UK government is also currently debating a new Data Protection Bill which is similar to GDPR with a few minor differences (for example, the right of individuals to have all social media postings from their childhood deleted) and exemptions (for example, exemption from the Data Protection Bill for journalists and whistle-blowers in some circumstances).
Other EU Member States are also bringing in their own national laws to complement the introduction of the GDPR. Most of them closely resemble the privacy and security requirements of the GDPR and, where they differ, the changes mostly concern the age of consent for children, the need to obtain employees’ authorization before processing their data, minor restrictions on the Rights of Individuals, and an extension of “special categories” when it is in the public interest.
How the GDPR Will Impact Non-EU Nations
GDPR will have a worldwide impact despite the relatively small and localized nature of the EU itself. Although EU countries are more likely to see the most differences, non-EU countries are likely to see greater disruption after the introduction of the GDPR. This is because groups located within the EU are more likely to be ready for the changes, as they are more likely to be aware of the introduction of the GDPR. A large number of groups located outside of the EU are still unaware of the introduction of the EU legislation, or think they are exempt or will be unaffected.
There is also a sociological difference to consider: non-EU societies such as the United States (US) and others do not have the same privacy rights as many EU societies. Privacy laws are in place for certain types of “sensitive” data, such as the Health Insurance Portability and Accountability Act (HIPAA), which governs healthcare information, or the Gramm-Leach-Bliley Act, which covers financial information; but “general” data does not enjoy the same safeguards. Because of this, only US-based groups and companies that have Privacy Shield certification will be able to migrate data from the EU.
The need to put in place, staff, and run parallel systems may introduce too much complication and drive costs too high for US-based groups and firms to continue providing their services to the EU market. A possible strategy may be for US-based companies to adopt an “all or nothing” approach that safeguards “general” data in a way currently reserved for “sensitive” data. This may enable the same system to be used to adhere to both HIPAA and the GDPR. It remains unclear whether many US groups will attempt this work practice.
Sharing Data Outside of the EU
GDPR requires strict controls on data shared with non-EU countries or international organizations. These are listed in Chapter V of the Regulation. Data is allowed to be shared only when the EU Commission has ruled that the transfer destination “ensures an adequate level of protection”.
Data transfers can also take place in situations where the receiving body can show that it meets this “adequate level of protection”, subject to periodic review every four years. The necessary safeguards may include:
- Commission approved data protection articles
- Legally binding agreements between public bodies
- Certification approved by the EU Commission
- Stringent corporate rules that are enforced across different bodies within the same corporation
Sharing data is strictly regulated so as to give each individual in the EU the same protections and rights under EU law regardless of the location of data storage or data processing. This has major implications for groups in the US that gather, process or store the personal information of EU data subjects. US data protection legislation is not considered sufficiently robust by the EU to provide adequate protection, and only groups certified under the EU-US Privacy Shield agreement will be compliant with GDPR after May 25 – exceptions exist in certain circumstances.
Conclusion: GDPR Member States
While some companies and groups will need to change their methods of processing data to be deemed GDPR compliant, the common EU Regulation will make it easier to deal with data originating from different EU Member States. Groups must use the remaining time before GDPR becomes enforceable to ensure they will be compliant on May 25. They will need to review their data and confirm that the methods of collecting, processing, and storage – as well as the nature of the data itself – are permissible under GDPR.