The European Union’s (EU) General Data Protection Regulation (GDPR), which became effective on May 25, 2018, has the potential to change how companies handle the personal data they collect about people around the world, even if the company does not do business in the EU. In my first post in this series, I discussed the background behind the GDPR and the basic components of the law. In my second post, I discussed the law’s jurisdiction, including why its effects are likely to extend beyond EU jurisdiction, as well as key definitions to help understand GDPR. In this final post in the series, I discuss what businesses should know about GDPR compliance.
As discussed in my previous post, GDPR only applies to a company’s data collection to the extent that the EU has jurisdiction over the company. Maintaining a physical presence in the EU is the obvious example of when GDPR jurisdiction applies to a company, but a company might also be subject to GDPR compliance if it collects or processes data from people in the EU; if it collects or processes data from an EU resident, even when that person is outside the EU; or if it collects or processes data from people in jurisdictions outside the EU that are subject to EU law.
Even where there are no GDPR concerns, a business might want to consider implementing practices consistent with GDPR compliance because customers outside the EU are going to become increasingly aware of GDPR and are likely to start demanding similar privacy protections. See, for example, this recent Seattle Times article instructing readers on how to adjust their privacy settings on various popular websites.
What does compliance look like? Online resources abound for companies to assess what they need to do to be in GDPR compliance. The following summary of online resources related to GDPR compliance is not intended to be exhaustive, nor to provide legal advice for achieving compliance. Rather, these resources are intended to provide a starting point for understanding the basics of GDPR compliance for non-EU businesses.
- The GDPR checklist provides an online “filter” to help businesses determine what their role is under GDPR based on whether the business determines why data is processed (and thus would be a Data Controller under GDPR) or whether the business merely stores or processes data for another company (and thus would be a Data Processor under GDPR). Note that GDPR requires Data Controllers who do not process their own data to only work with Data Processors that are GDPR compliant.
- The international law firm Norton Rose Fulbright has created a free online bot, known as “Parker,” for determining whether your non-EU business needs to comply with GDPR. See this Fast Company article summarizing how Parker works.
- Just want the basics? This listicle from Microsoft summarizes five things businesses should understand about GDPR. Microsoft has also published an ebook on GDPR compliance as well as several white papers aimed at explaining GDPR compliance basics (and at selling its compliance-related products).
- On the opposite end of the spectrum from listicles, for those who want to go straight to the source, the GDPR’s full text is also available online.
GDPR is a complex regulation. You should consult with both technology and legal professionals in order to determine what measures, if any, are recommended for your business in order to be in compliance.
Photo credit: Ervins Strauhmanis on Flickr