The impact of GDPR outside the European Union

The General Data Protection Regulation (GDPR) applies to all businesses and organisation within the EU who are involved in the processing of private and personal data. The protection of data is a must, otherwise, organisations face hefty fines (up to 20 million Euros or 4% of annual turnover, whichever is higher) by the regulator if they are non-compliant with the General Data Protection Regulation (GDPR).

Should businesses outside the EU be worried?

Yes, they should!  The reality of the GDPR is forcing businesses in the EU to reconsider how, why and where customer data is stored, and countries outside of the EU should be looking closely at their existing privacy laws.

The real likelihood of the heavy GDPR fines should be enough to shock any organisation who use or access EU data into ensuring GDPR compliance and overseas businesses should bear in mind that the GDPR compliance will, without doubt, apply to them and are being urged to comply with the regulations.

How are businesses outside the European Union affected?

There are two specific instances whereby a business outside the European Union will be affected by the GDPR  and is covered in full by Article 3 of the regulations. If a business stores, processes or manages private data and:

  • offers goods or services to individuals within the European Union;
  • has a system whereby it is involved in monitoring the behaviour of individuals within the European Union.

Therefore any tracking or monitoring of the behaviour of your EU consumers on your website, for example, using Google analytics, will need to be conducted with the GDPR impact in mind.  Any such data capturing will need to be conveyed to the data subject at the time of capture with a full explanation of what your organisation’s intentions are and how you wish to use such data.

A further aspect of non-EU countries and the GDPR impact is the issue of international data transfers.  Businesses will need to ensure that their methods of transferring data globally adhere to GDPR compliance by reviewing company procedures for collecting, storing or transferring data. It is recommended that businesses who deal with data globally must review their policies and procedures and update accordingly.

Key points to bear in mind:

  • Ensure that any data transferred or stored by either third countries (non-EU countries) or EU countries meet the requirements of the GDPR of the GDPR.  
  • Countries that are deemed to have received an “adequacy decision” means that country’s privacy laws are in line with the GDPR. Countries that have the required adequacy protection are:
    • Andorra
    • Argentina
    • Canada (must be subject to PIPEDA)
    • Switzerland
    • The Faeroe Islands
    • Guernsey
    • Israel
    • Isle of Man
    • Jersey
    • New Zealand
    • Uruguay
  • Multinational companies are required to have in place “Binding Corporate Rules (BCR)”, rather like a code of conduct for multinationals who have to meet the strict privacy requirements and principles of the GDPR.  
  • BCRs will not be granted upon a multinational unless specific provisions are in place such as auditing, training, policies and procedures will need to be transparent and clear on issues of security and the quality of data being managed.
  • Any data that is transferred between the EU and the US (and vice versa) must demonstrate compliance with the EU-US Privacy Shield.

The GDPR is legally binding

Regardless of where the business or organisation is located, the GDPRis legally binding and will apply globally in the interest of private international law.  As such the GDPR impact cannot be ignored and there is no option to opt-out. The fact that GDPR has far-reaching repercussions but is limited to just these two situations may prove to be difficult for businesses overseas to know precisely what is expected of them with regards to GDPR compliance.

Businesses worldwide depend upon capturing and storing data and, (unless businesses and organisations specifically prohibit any data from the UK), rely on such data for marketing and sales efforts. The first year of its enforcement was 2018, putting many to the test and businesses should have in place a detailed checklist to ensure GDPR compliance.

For example, a US online retail business offering goods or services to US customers, but not specifically customers in the EU, what is expected from such businesses concerning GDPR? A failsafe option, regardless of where your customer is mainly based, is to look closely at the regulations and take the recommended steps to ensure GDPR compliance as follows:

  • Update and ensure all personnel keep a copy of the website privacy policy in line with the GDPR.
  • Privacy statements should be easy to read, provide a transparent and open terminology so that customers know what they are signing up to.
  • Appoint a Data Protection Officer (DPO).
  • Conduct and implement a GDPR audit.
  • Check if you require consent from customers and users to process their data taking into account the GDPR requirements.
  • Review third party contractual agreements to ensure any third-party data processors are GDPR compliant.
  • Research and ensure compliance with the rights provided to customers and users, in particular, the GDPR rights to access, amend, delete, and download their data
  • GDPR training and workshops to ensure GDPR best practice application across the organisation.
  • Implement detailed policies and procedures to deal with requests by individuals to access their data and subsequent requests to delete, download and amend.

Every organisation is different, and therefore any of the GDPR obligations placed upon them will vary accordingly.  The emphasis will be on researching the exact requirements and taking the necessary steps to establish correct preparation. Businesses outside the EU dealing with individuals within the EU should ensure they interpret the regulations as best as possible and document within the company policies and procedures exactly how it has incorporated the GDPR. A good way of ensuring GDPR compliance is to take a look at how some of the conglomerates such as Google and Twitter have implemented it within their organisations.

Work closely with GDPR experts

If the situation gets confusing, GDPR or data privacy experts on the Seers platform can provide advice. It is essential to bear in mind that the GDPR is not designed to be a burden upon businesses. Rather, its goal is to streamline the legal requirements to protect data, ensuring a uniform approach that all businesses can understand and adhere to, and to ensure that in an age of cybercrime and malicious, unwarranted acquisition and treatment of personal data is prevented.

The rules are simple, and organisations need to take on board that individual data does not exist for cold calling, hard selling or for targeting customers for advertising campaigns.

Organisations must undertake regular GDPR audits, ensure that they have implemented GDPR compliant policies, processes and procedures, train their staff on GDPR obligations and implement GDPR compliant cookie consent solutions on their company websites.