The European Union’s (EU) General Data Protection Regulation (GDPR) is big news: it comes into effect on 25 May 2018 and it probably affects you. Even if your firm doesn’t have an entity or office in the EU, if you’re targeting people based in the EU, then you should read on.
What is GDPR?
In a nutshell, GDPR is about protecting the “personal data” of EU citizens (in terms of collection, storage, processing and how it is destroyed). It covers the right to give and remove consent, the right to request data and the right to be forgotten. It applies to the firm, not just the domain used by the individual to make the request. Further, organisation roles are defined for the “controller” and “processor” of the data and either or both organisations are responsible and potentially liable. This is the biggest shake-up of EU rules in terms of data privacy and security in over 20 years. GDPR replaces the 1995 EU Data Protection Directive. And importantly, GDPR is a “regulation” not a “directive” thus there is less room for country-by-country interpretation.
In the context of GDPR, what is personal data?
Article 4 notes that personal data “means any information relating to an identified or identifiable natural person (known as a ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”. Or more practically, information that is obviously personal or could be used to track down a person such as a full IP address (such as Google Analytics uses by default) or an identifier attached to a person’s persona/profile (which a number of marketing automation systems use).
Territorial scope of GDPR
Article 3 notes that your firm is subject to GDPR if you process personal data of someone residing in the EU. GDPR applies even if no financial transaction has taken place. Your firm simply needs to be ‘established’ in the EU. To be established can be as simple as your non-EU based firm offering services to Europeans.
Are you in scope for GDPR?
Any of these factors may be strong indications of your non-EU organisation being within scope of GDPR:
- Use of an EU language (that is different from your own and markets you operate in)
- Use of an EU currency (that’s the Euro plus 10 others)
- Use of an EU or EU member state domain extension (e.g. .eu, .co.uk)
- Use of references to any EU based customer
- Use of advertising targeting EU based folk
How does GDPR benefit EU residents/citizens?
GDPR includes a core foundation of “privacy by design”, the “right to be forgotten” (aka data erasure), strong penalties, mandatory breach notifications and, perhaps most importantly, simplified and strengthened opt-ins and the ability to change one’s mind. Another big benefit to EU folk is that the broad jurisdiction of the law will help cover them against misbehaviour from both local and international organisations (whether or not they legally have a presence in that country). Think: internet behemoths and institutionally large organisations. And while it is unlikely to affect professional services firms, there are also provisions that require parental consent for young folk up to the age of 16. (Recruitment programmes targeting high school students should take note.)
GDPR non-compliance penalties
The penalties can be big: 4% of worldwide revenue or €20 million (whichever is greater). And while many professional services firms may have independent entities or partnerships in each jurisdiction, a newspaper headline may be just as damaging and the increased complexities of managing data between entities are likely to make compliance all the trickier.
Are you ready for GDPR?
Gartner predicts that 50% of organisations within the scope of GDPR won’t be compliant in time. Yet at the same time this is the biggest shake-up since 1995’s cookie directive, so one might suspect that the media will be ‘secret shopping’ to check whether the big brand names do in fact tick the boxes. If you’re not sure whether you’re (a) in scope for GDPR and/or (b) GDPR compliant, it might be worth putting in a call to your local OGC, data privacy and/or risk management folk to make sure you’ve got your bases covered.
Here are some links for further reading on GDPR:
Disclaimer: There is much yet to be clarified about these new laws. Interpretations are administrative and yet to be tested. This article should not be taken as legal advice. Non-EU firms should look at the scope of their activities and ensure that appropriate risk management and GDPR compliance plans are in place. (And keep an eye out for those ‘secret shopper’ registrations, form submissions and contacts, followed by subsequent information requests…)