The General Data Protection Regulation (GDPR) was introduced into EU law on the 25th of May 2018, and replacing the existing data protection framework. The regulations were designed to increase transparency, security, and accountability by data controllers and data processors. Furthermore, it was introduced to improve the rights of people in the EU to their data, while creating a EU-wide standard for data protection.
GDPR is a now key piece of EU law. Any company that has offices within the EU is subject to the GDPR. The law states that “any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.” Even if only a branch of subsidiary of the main organisation is located within the EU, the entire organisation is required to be GDPR-compliant.
It is important to note that it is not just companies that have physical locations within the EU who are required to comply with GDPR. Any business or organisation that collects or processes the data of people located within the EU, no matter where the organisation itself is located, are covered by GDPR. For example, if an Australian citizen was travelling in the EU and their data was collected while they were in France, this data exchange would be required to comply with GDPR. The same is not true for a French citizen travelling in Australia. It is the location of an individual when the data exchange occurs, not their nationality or citizenship, which is important.
Countries Affected by GDPR
Although GDPR will affect organisations around the world-particularly large, multinational organisations-its introduction will have the strongest affect organisations based within the EU, as these organisations are likely to process high amounts of data collected within the EU.
Here is a list of EU member countries:
- Republic of Cyprus
- Czech Republic
- United Kingdom
Following the 2016 “Brexit” referendum, the United Kingdom is set to leave the EU. Despite their imminent departure, GDPR was introduced to their laws at the same time as the other member states. GDPR is now UK law, and they will remain as part of the law even when the UK is no longer in the EU.
GDPR Outside of the EU
As mentioned above, it is not the physical location of an organisation which is important when considering whether it is covered by GDPR, but the location of the people whose data it handles. Although the impact of GDPR is likely to be less than that for the EU member states themselves, as data from people within the EU is likely to be only a small part of the overall quantity of data that they handle, they still must be fully aware of GDPR.
Many organisations are likely to dismiss GDPR as irrelevant, as they do not reside within the EU. Ignorance about GDPR is not an acceptable excuse for a violation. The fines for non-compliance are hefty; either a fine of €20 million (around $23 million), or 4% of the company’s annual turnover-whichever is higher. No matter which country an organisation has their headquarters, they are liable to be fined by the EU for a violation.
Some countries already have existing agreements with the EU regarding the handling of data of EU citizens. For example, data exchanges between the US and the EU was covered by the EU-US Privacy Shield. This framework covered exchanges of personal data for commercial purposes. GDPR covers a greater number of transactions than the EU-US Privacy Shield, and companies who are already compliant with the existing framework are still expected to update their business practices to comply with the new regulations.
Some countries may struggle more than others to ensure that their organisations are fully GDPR compliant. Where there is a cultural expectation of privacy, GDPR protocol is likely to be easily adopted. If consumers do not expect privacy, and therefore organisations are unaccustomed in giving it, then difficulties may be encountered. An example of a country which falls into the latter category is the US. The US has no laws protecting “general data”. Some types of information are protected, such as health information covered by HIPAA. GDPR-type regulations don’t exist, and organisations may find it difficult to adjust their business practices to its stringent requirements.
Due to the changes that GDPR brings, companies outside the EU-including US companies-are faced with a choice; either proceed operations with two different systems to process of personal data collected either inside or outside the EU, or create a single system that is compliant will all applicable laws.
The issue of sticking with two separate systems adds complexity to the operation, and may prove a hindrance for smaller organisations who may not have the resources to deal with these two datasets. Ensuring that all employees are familiar with two separate procedures requires costly and time consuming training programmes. Although the development and introduction of a single system may be costly upfront, in the long term, it may create a more streamlined and efficient process. For example, if a US organisation processes health data collected within the EU and the US, its data processing procedure must be HIPAA and GDPR compliant. In this way, US citizens may reap the benefits of GDPR despite not being directly covered by it.
Transferring Data Outside of the EU
Chapter 5 of GDPR stipulates the stringent requirements which must be met when transferring personal data to a third country or to an organisation outside of the EU. Data transfers can only occur when an adequate level of legal data protection measures can be shown to be in place in the third country. This is to ensure that the personal data of an individual is secure, no matter which country in which it is stored. According to the EU Commission, the US does not have a high enough level of protection for it to allow personal data to be transferred there. It remains to be seen if the US will change its data security policies following GDPR.