The EU General Data Protection Regulation (GDPR) is a landmark data privacy regulation that took effect on May 25, 2018. Its primary goal is to safeguard the personal data of EU citizens and residents. However, its impact extends beyond the European Union (EU), and compliance is required for all businesses dealing with sensitive personal data, regardless of location. This means that businesses inside and outside the EU must adhere to strict rules of GDPR when collecting, processing, and using the personal data of EU individuals, and non-compliance can result in significant fines. This article explores the GDPR’s global impact on businesses.
Does GDPR apply to non-EU businesses?
The GDPR applies to entities of any size and industry that handle the personal data of individuals who are citizens or residents of the EU. This regulation’s territorial scope is described in Article 3. It encompasses:
- Processing of personal data within the activities of a controller or processor based in the EU, regardless of the processing location.
- Processing of personal data of EU-based data subjects by a controller or processor not established within the EU, with processing activities related to offering goods or services to such data subjects in the EU or monitoring their behavior within the EU.
- Processing of personal data by a controller not established in the EU but operating in a place where Member State law applies by virtue of public international law.
Therefore, the GDPR is applicable to non-EU organizations that offer goods or services to, or monitor the behavior of, individuals within the EU, which we will discuss in the next section. Additionally, in rare circumstances, it may apply to non-EU entities that are subject to Member State law via public international law.
When does EU GDPR apply to businesses outside the EU?
The GDPR has a significant impact on businesses located outside the EU, with many organizations from other countries aligning with the regulation and incorporating it into their data privacy programs. The regulation applies to businesses in countries outside the EU under certain conditions outlined in the law. Let us examine the scenarios in which a non-EU organization might have to comply with the GDPR.
Scenario 1 – Organizations Offering Goods or Services
If an organization operates outside the EU but offers business services and goods to EU citizens or residents, and collects, processes, and/or uses their personal data, the GDPR regulation applies to them.
To comply with the GDPR, the organization must adhere to the following requirements:
- The organization must comply with the rules of the law.
- The organization must comply with the GDPR regardless of where it is established or from where it offers its services, as long as it serves EU citizens and residents.
For example, a cloud-based service provider that is not based in the EU but offers services to EU customers and accepts their online payments falls within the scope of GDPR.
Scenario 2 – Monitoring the Behavior of EU Citizens and Residents
The GDPR states that organizations that monitor the behavior of EU citizens and residents also fall within the scope of the regulation.
The GDPR applies to the organization under the following conditions:
- The organization collects, stores, and/or processes the personal data of EU citizens and residents.
- If it does, the organization must comply with the regulation.
This simply means that any organization that collects, stores, and/or processes the personal data of EU citizens and residents is subject to GDPR.
- If an organization uses web tools that set tracking cookies or record the IP addresses of people from the EU who visit its website, that organization most likely falls within the scope of the GDPR and is expected to comply with the regulation.
- If an organization collects or processes personal data of EU citizens and residents on behalf of another organization for activities like targeted ad campaigns or advertising that involves tracking a person’s activities online, they must also comply with the regulation.
In both scenarios, the organization does not necessarily need to have a physical presence in the EU, but its activities of collecting, storing, and processing the personal data of EU citizens and residents make it subject to the GDPR rules.
Now that we are aware of the applicability of the GDPR, let us move on to understanding the exceptions to its applicability that are outlined in the regulation.
What are the GDPR exceptions?
The GDPR outlines a few exceptions: in the following scenarios, the law does not apply to the organization.
Scenario 1: Purely personal or household activity
The GDPR does not apply to those activities, individuals, or organizations that collect personal data for “purely personal or household activity.”
For instance, if you are collecting personal data such as email addresses and phone numbers to send invitations to friends and family members for a party, the law does not apply to you. The GDPR only applies to organizations engaged in activities that constitute a “professional or commercial activity.”
Scenario 2: Law enforcement
The GDPR also does not apply to organizations that collect the personal data of EU citizens/residents on behalf of the government, or that follow law enforcement mandates, for the prevention, investigation, detection, or prosecution of criminal offenses, the execution of criminal penalties, or the prevention of threats to public safety.
In that case, the GDPR does not apply to the organization, government bodies, or law enforcement for the processing of such data.
Scenario 3: Processing by Member States
The GDPR does not apply to the processing of personal data by Member States for activities falling within the scope of Chapter 2 of Title V of the Treaty on European Union.
Scenario 4: SMEs with fewer than 250 employees
The GDPR provides a limited exception for organizations with fewer than 250 employees. Small- and medium-sized enterprises (SMEs) are not exempt from the GDPR as a whole, but the regulation does free them from the record-keeping obligation in most cases (see Article 30).
Does GDPR apply to UK businesses?
Since Brexit, a new data protection law called the UK GDPR has been introduced in the UK, which is similar to the EU GDPR. Here are some important points for businesses in the UK to know about the impact of the EU GDPR and the UK GDPR:
- Both EU GDPR and UK GDPR apply to businesses that process personal data: Any organization that processes personal data must follow the regulation of that region. This means that businesses processing the personal data of EU citizens/residents must comply with EU GDPR, and those processing the personal data of UK citizens must comply with UK GDPR.
- The regulations apply globally: EU GDPR and UK GDPR apply to businesses irrespective of whether they are established in the EU or UK region. If a business processes the personal data of citizens or residents of either region, they are expected to comply with the regulations.
- Businesses may need to comply with both regulations: If a business is established in either region and processes data of citizens and residents of both regions, they will be expected to comply with both EU GDPR and UK GDPR.
In summary, businesses in the UK need to be aware of both EU GDPR and UK GDPR regulations and ensure compliance if they process the personal data of citizens or residents from either region.
Does GDPR apply to US businesses?
The GDPR is a global data privacy regulation that applies to all organizations, public and private, that process or store EU citizens’ personal data. Many US businesses are subject to the regulation, in addition to US compliance regulations like CCPA.
US businesses may be liable under the GDPR if they:
- Process EU residents’ data regularly
- Handle special data categories like health status, racial or ethnic origins, sexual orientation, or religious beliefs
Businesses globally that deal with the personal data of citizens and residents of the EU must keep in mind that they are expected to know, understand, and comply with the GDPR. Therefore, regardless of whether a business is established within the EU or outside it, compliance with the GDPR is mandatory for all those who fall within its scope.
By complying with the GDPR, you not only avoid penalties but also build trust and confidence with your customers. Protecting personal data is not only a legal obligation but also a moral and ethical responsibility of businesses. Failure to comply with the GDPR can result in significant financial and reputational damage to your business. Therefore, it’s crucial to prioritize GDPR compliance and consult with a compliance expert today.
Frequently asked questions
Is the GDPR only for European countries?
GDPR applies to all countries that are part of the European Union (EU) and the European Economic Area (EEA). However, it may apply to businesses in non-EU/EEA countries if they collect and process the personal data of EU citizens and residents.
Does GDPR Apply to non-EU Citizens?
The primary objective of GDPR is to safeguard the personal data of all EU citizens. As a result, individuals who are not EU citizens may not have their data rights specifically covered by GDPR. However, if a non-EU citizen is currently residing in an EU state, their data rights are protected in relation to data collected by EU organizations.
It is important to note that some businesses may provide the personal data of their EU employees, clients, and partners to non-EU contacts. While non-EU citizens may not be able to exercise data subject request rights under the GDPR, many businesses still provide similar services to respect their privacy rights.
Additionally, if a non-EU citizen’s personal data is collected by a business while they are residing in an EU Member State, their data rights are protected under GDPR for as long as they remain in an EU state.
Does GDPR allow data to be stored outside the EU?
Under the GDPR, transferring personal data to a third country involves two stages. First, the transfer itself must be lawful; second, it must be determined whether the transfer to that particular third country is permitted. The European Commission maintains a list of third countries that provide a level of data protection comparable to EU law. If a country does not have such an adequacy decision, other mechanisms such as standard contractual clauses, binding corporate rules, codes of conduct, or certification of the data processing procedure can be used to ensure sufficient data protection. Failing those, derogations such as obtaining the data subject’s consent can legitimize a data transfer to a third country.
Author Bio: Narendra Sahoo is the Founder and Director of VISTA InfoSec, a global information security consulting firm. With 25+ years of experience in IT, he specializes in information risk consulting and compliance services. VISTA InfoSec offers a range of audit, consulting, and certification services including GDPR, HIPAA, PCI DSS, and SOC2. Since 2004, the company has assisted multinational organizations worldwide in achieving compliance and securing their IT infrastructure.