Do I Need to Be GDPR Compliant?
As covered in the previous blog post, GDPR is a new law regulating the processing (collection and use) of individuals’ personal data, which comes into effect on May 25th, 2018.
If you are covered by GDPR, then not only will your customers expect you to be compliant, but your business partners may require it as a condition of their contracts. Moreover, the fines for breaching the Regulation are harsh, going up to €20,000,000 or 4% of your global turnover (whichever is higher).
With that in mind, it is vital to know whether you are within its scope.
Data controllers and data processors
To start with, GDPR applies to people and organizations which act as data controllers and data processors:
Data controllers decide the purposes and methods of processing personal data – they coordinate processing.
Data processors are responsible for directly processing personal data based on the instructions of data controllers. This could for example include subcontractors.
This covers any organization which keeps a customer or membership list, or information about its employees. The vast majority of organizations will therefore be affected, as long as they have dealings with the European Union.
Dealings with the European Union
GDPR was created by the European Union to protect its citizens, and so it only affects organizations with some kind of relationship with the EU or its people. That said, it does not only apply to companies based in an EU country. According to Article 3, you will be affected if you are a data controller or data processor and any of the following apply:
- you are established in the EU (or somewhere else subject to EU law), or
- you offer goods or services to individuals in the EU, or
- you monitor the behavior of individuals in the EU.
Establishment in the European Union
If you are established in the EU, then all processing related to that establishment is covered, even if it takes place elsewhere.
Being established is a broad concept in EU law. It could apply to you if you have (for example) a branch, representative, address or bank account in an EU country. (See the recent Weltimmo case in the European Court of Justice - particularly paragraphs 29 to 33 - regarding the outgoing Data Protection Directive.)
Side note: If you are covered by GDPR but you are not established in the EU, you will need to designate a representative within the EU (under Article 27) unless the processing is occasional, does not include a large amount of sensitive information (such as an individual’s ethnic origin, religious beliefs or criminal convictions) and is unlikely to involve a risk to people’s rights and freedoms.
Goods and services
If you control or process data relating to people in the EU, in the context of offering them goods and services, then this will be covered by GDPR. This is true even if the goods and services are offered for free.
Note the word offering: it appears that this will only apply where there is some element of targeting your goods at EU countries. Targeting is likely to include providing a version of your website in a local language (which is not your own country’s language), allowing purchases in the local currency, or mentioning EU customers or countries on the website. It is possible that merely delivering to EU countries will be enough to count.
Note that the key question is whether your customers (or members, or employees) are in the EU, not whether they are EU citizens. You don’t for example need to worry about the nationality of customers based in the US.
Monitoring behavior
If you control or process data relating to people in the EU, in the context of monitoring their behavior, then this will be covered by GDPR.
A lot of monitoring is done in tandem with the offering and sale of goods and services (see above), such as online vendors using patterns in consumer purchases to offer similar products, or games developers collecting data on player activity. However, monitoring also covers a wider range of activities, including market research and getting feedback. The vast majority of online organizations (commercial or non-commercial) monitor the behavior of visitors to their websites to some extent.
As with the offering of goods and services, there needs to be a certain degree of targeting at people in EU countries. For example, if you merely collect web traffic data without targeting individuals in the EU, this is unlikely to be covered.
What does this mean for American companies?
This all means that GDPR will affect a lot of American companies, whether or not they have any specific presence in the EU.
If you are not established in the EU, but a small proportion of your revenue comes from people in EU countries, then you are faced with a choice. You could choose to stop providing (or at least marketing) your goods and services to these people in order to avoid taking the steps necessary for compliance.
However, remember that most of GDPR’s rules are good practice in any event. Adhering to them shows your customers that you take data security seriously, and it puts you in a good position should a state or the federal government ever decide to enact similar legislation at home.
Cutting yourself off from European markets could ultimately limit your future growth. By contrast, working to make your organization and its products GDPR compliant, whether on your own or with help, is an investment which is likely to pay off in the long run (TrueVault, for instance, offers products that make your applications and data warehouses GDPR compliant).
Some (limited) exemptions
There are very limited categories of processing exempted from GDPR:
- Processing related to activities which are outside of EU law.
- Processing related to law enforcement and immigration control.
- Processing by individuals carrying out purely personal or household activities (such as keeping an address book).
As can be seen, none of these will apply to the vast majority of organizations.
GDPR will apply across the business world, wherever organizations have an EU presence or deal with the personal data of people in the EU. The sanctions for breach will potentially be harsh - we will look at these in detail in the next article.
As a result, it is vital to check whether your organization is covered by the new rules, and if so to take all steps necessary to make it compliant. If you need any help making your products, data warehouses or processes GDPR compliant, please get in touch.