If your company has a tiny Internet presence and does not do business in the European Union (EU), you may believe that the General Data Protection Regulation (GDPR), which became effective on May 25, 2018, does not apply to your company. The scope of the regulation is broad, however. The GDPR has the potential to change how companies handle the personal data they collect about people around the world, even if the company does not do business in the EU. In my last post, I discussed the background behind the GDPR and the basic components of the law. In this post, I will discuss the law’s jurisdiction, including why its effects are likely to extend beyond EU jurisdiction, as well as the definitions of principal terms within the GDPR. In my final post in the series, I will explain several key points that businesses should know about GDPR compliance.
GDPR applies to the personal data of European Union “subjects,” both in EU countries and abroad, and in jurisdictions where the law of an EU member state applies. It applies to companies that operate in the EU, as well as those outside the EU that collect personal data of EU subjects. Thus, a company that does not think of itself as doing business in the EU may nonetheless fall under the GDPR’s enforcement jurisdiction if it is collecting and processing personal data from EU “subjects.” In other words, if a company has a website that collects the personal data of its visitors and stores or does anything else with that information, the company should pay attention to GDPR if there is any potential for the personal information of an EU subject to be collected. With the Internet being the Internet, it is very difficult to know for certain that there is no such potential.
Other experts and industry leaders have suggested that companies treat GDPR standards as “best practices” in handling personal data and comply with them regardless of whether the company processes the personal data of EU subjects. One reason to treat everyone a company collects personal data from the same way is that it simplifies data management. If only one set of rules applies to all data, the company does not need to worry about whether it has applied the right set of “rules” to a given individual’s personal data.
Another reason to consider applying GDPR standards to all individuals a company collects personal information from is fairness. Take consent, for example. Under GDPR, consent to a company’s use of a person’s personal data must be “freely given, specific, informed and unambiguous,” and it may be withdrawn at any time. If a company were to obtain consent from some customers in a manner designed to meet GDPR standards but apply a lesser standard for other customers, there is a risk of erroneously misclassifying a person and applying the lower standard to an EU subject. By doing so, the company would violate the GDPR and anger customers who realize they essentially have fewer rights as they relate to their personal data.
GDPR is a complex regulation. You should consult with both technology and legal professionals in order to determine what measures, if any, are recommended for your business in order to be in compliance.
Photo credit: www.thoughtcatalog.com