We know that the new General Data Protection Regulation (GDPR) legislation that became enforceable late last month applies to companies that are based or do business in the European Union, but what does this new legislation mean for those of us outside the EU?
Some of you might be tempted to skip this post now because you’re not in the EU. You could be mistakenly thinking this doesn’t apply to you. You couldn’t be more wrong.
The GDPR legislation uses the term increased territorial scope, which means that it applies to companies that are in the EU and also out of the EU.
If your business collects any form of personal data from an EU citizen, whether they are presently living in the EU or not, then you are required to not only comply with GDPR, but you are subject to their 20 million Euro penalties for non-compliance.
Personal data could include information collected during a transaction in an online store, or even analytics data describing their online behaviour if it takes place in the EU.
The actual wording of Article 3 of the GDPR confirms it’s applicability to any ‘data subject’ in the EU. This means a person of any citizenship living in the EU, their nationality does not matter. This legislation aims to protect all personal data of any one in the EU, even those people visiting.
If you are a business with a target market in the EU, then the GDPR applies to your business.
So if a business is trying to target its goods and services for sale within the EU, it will be caught by GDPR.
Research conducted in the UK, showed that many businesses failed to understand this reach of GDPR, and many are not yet ready despite the compliance date passing. It’s expected that only 38% of businesses would be ready in time. This figure is worse overseas and many businesses remain non-compliant at May 25, 2018.
So you might be thinking how can this be enforced? If your business is based outside the EU, and you were targeted because you did not meet the GDPR requirements then at the moment the process for serving formal enforcement is unclear. Conceivably however, they could use a court injunction, they could block an online service, or they could seize goods at the border.
Many organisations don’t know whether they hold data on EU customers, but it’s probably time to check whether you might need to take action on GDPR.