In May 2018, the EU introduced the General Data Protection Regulation (GDPR). The need for GDPR was clear: existing regulations were unable to deal with the increased risk of data theft. The creators of GDPR sought to introduce regulations that reduce the risk of data theft to a minimum. GDPR requires that many safeguards be in place to maintain the integrity of confidential information.
Prior to GDPR, even though individuals were becoming more concerned over privacy, they had little power over their data. GDPR grants ordinary citizens more rights over the use and sharing of their data.
Whose data does GDPR protect?
The EU enacted GDPR, but the regulations affect any company or organisation that collects, maintains, and uses the personal data of EU citizens, whether the organisation is based within the EU or outside of it. GDPR itself uses the phrase “natural person” when describing those whose data is concerned. A “natural person” refers to an individual human, as opposed to a “legal person”, which may be a person, an entity, or an organisation. The phrase “natural person” is used because GDPR concerns the data collection of any individual (not just EU citizens) who has their data collected while they are within the borders of an EU country. For compliance requirements, organisations should consider all people located within the EU.
Conversely, GDPR does not apply to EU citizens who have their data collected while they travel outside of the EU. When considering whether GDPR applies, it is not the citizenship of the individual that matters, but the country in which they are located when another party accesses their data. GDPR has no jurisdiction outside of the EU.
For example, if a US citizen is temporarily residing or travelling in an EU country, such as Spain, and provides personal information during a transaction at a hotel, that personal information is covered by GDPR because the person is within the EU. The US citizen retains rights concerning their data even after they travel back to the United States, as the data was collected in the EU. The organisation must treat all data it collects with equal care, regardless of the nationality of the individual from whom it was collected.
However, GDPR does not cover an EU citizen travelling in the United States. Any data that they provide to an organisation in a transaction similar to the one above would be subject to the individual data protection laws within the US.
Which organisations are subject to GDPR compliance?
Any business or organisation that processes the data of people living within the EU, no matter where the organisation itself is located, should comply with the GDPR stipulations. Similarly, an organisation that is found to be non-compliant with GDPR can be penalised, regardless of its location. Therefore, an organisation may need two different data processing routes: one for data collected within the EU, and one for all other data.
Any company that has offices within the EU is subject to the GDPR. The law states that “any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.” Even if an organisation only collects or processes data through a subsidiary or branch of the parent company that is based in the EU, it is bound to comply with GDPR.