Does GDPR apply to my company?
The first blog post in our series introduced some of the fundamental concepts of GDPR. In this second blog post, we answer a question that many business owners are asking: how do I know if my business needs to be GDPR compliant?
Does my company need to be GDPR compliant?
It’s a question that’s been Googled more than once. The short answer is: probably.
The intention behind GDPR is to protect personal data belonging to citizens of the European Union (“data subjects”). The Regulation introduces various rules that companies controlling and/or processing personal data must follow to ensure this special class of data is secured.
But the Regulation is not just limited to companies headquartered in an EU country, in fact, the territorial scope of GDPR is quite broad. According to the Regulation, any company that fulfills any of the following qualifications will be subject to GDPR:
- Company is established in the EU (or somewhere else under EU law).
- Company offers goods or services to data subjects based in the EU.
- Company monitors the behavior of data subjects located in the EU.
Establishment in the EU
If you are established in the EU, then all processing related to that establishment is covered, even if it takes place elsewhere.
But “establishment” is not restricted to companies with a European address. The concept of “establishment” is quite broad and could apply to any company with a branch, representative, address or bank account in an EU country.
If you are covered by GDPR but your company is not established in the EU, you will need to designate a representative within the EU (under Article 27) with some exceptions. This rule does not apply if the processing is occasional, does not include a large amount of sensitive information (i.e., a data subject’s ethnic origin, religious beliefs or criminal convictions) and is unlikely to involve a risk to people’s rights and freedoms.
Offering goods and services
If your company processes personal data by offering goods or services to clients residing in the EU then your company is subject to GDPR. The Regulation applies even if these goods/services are being offered for free. The word “offering” has a special meaning in this case, and is explained in more detail in chapter 2 of our e-book.
Monitoring behavior
Most companies monitor consumer behavior on their website to some extent. Some examples of monitoring behavior include: logging user behavior and interactions as someone uses your application or visits your website; tracking past purchases to make suggestions of new products for users on a shopping website; or even conducting market research. European clients must be targeted to a certain degree in order for your company to be covered by GDPR. If your company passively monitors web traffic, and gets some activity from European users, it is unlikely that the Regulation will apply here.
My company is based in the United States, am I still subject to GDPR?
Many United States companies fall within the scope of GDPR because they are established in the EU, process the data of people residing in the EU, or run a website that monitors the behavior of users, some of which are in the EU.
This leaves business owners in the United States with two paths: comply with GDPR or withdraw from doing business in Europe.
We recommend compliance, because laws that are similar to GDPR are following close behind. In 2020 the California Consumer Protection Act (CCPA), goes into effect, and some big tech companies have called on the U.S. government to craft a federal personal data protection law.
If your business needs to comply with GDPR or CCPA, or you just have questions about best practices for data protection, schedule a phone call with us today.