Whose data does GDPR protect?

The General Data Protection Regulation (GDPR) became a part of EU law in May 2018. Before GDPR, European data protection laws were deemed unable to mitigate the risk of data theft. Furthermore, individuals had few rights over their data. EU lawmakers sought to revolutionise the data security landscape and introduce new regulations that were more fit to deal with the increasing prevalence of technology in everyday life.

Whose data does GDPR protect?

The EU enacted GDPR, but the regulations affect any company or organisation that collects, maintains, and uses the personal data of EU citizens, regardless of the physical location of their headquarters. One must be careful of the phrase “EU citizens”; for compliance requirements, it is easier to consider people located within the EU. GDPR itself uses the phrase “natural person” when describing those whose data is concerned. A “natural person” refers to an individual human, as opposed to a “legal person”, which may be a person, an entity, or an organisation. The phrase “natural person” is used as GDPR concerns the data collection of any individual, not just EU citizens, whose data is collected while they are within the borders of an EU country.

If an organisation collects the data of an EU citizen while they are outside of the EU’s borders, the organisation is not required to comply with GDPR. GDPR is clear; it is not the citizenship of the individual which is important, but their location. GDPR has no jurisdiction outside of the EU.

An explicit example may help to illustrate this point further. If an Australian citizen is travelling in an EU country, such as France, and provides personal information during a transaction, such as providing their email address to use local WiFi services, this personal information is covered by GDPR, as France is an EU member state. The Australian citizen has rights concerning their data, even if they travel back to Australia, as that data was collected in the EU. The organisation must treat all data they collect with equal care, regardless of the nationality of the individual to whom it pertains.

GDPR does not cover the reverse case of an EU citizen travelling in Australia. Any data that they provide to an organisation in a transaction similar to the one above would be subject to individual data protection laws within Australia.

Which organisations are subject to GDPR compliance?

Any business or organisation that processes the data of people living within the EU, no matter the location of that organisation’s headquarters, should comply with the GDPR stipulations. Any organisation found to be non-compliant with GDPR has to pay fines, once again regardless of where that organisation is based. Ultimately, this means that an organisation may require two different data processing routes: one for data collected within the EU, and one for all other data.

In contrast to the EU, in the US no overall law governs the privacy of an individual. There are laws which protect sensitive data in particular fields, such as the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare industry and the Gramm-Leach-Bliley Act (GLBA) in the finance industry.

This added complexity may prove a hindrance for smaller organisations that may not have the resources to deal with these two datasets. Ensuring that all employees are familiar with two separate procedures involves costly and time-consuming training programmes.

Some experts have suggested that US companies that deal with data collection both inside and outside of the EU may adopt a “one-size-fits-all” approach. That is to say, create a set of procedures for data processing and protection within their company which complies with both US laws and GDPR. Therefore, the organisation only has to deal with one processing route. Adopting this approach should streamline their data handling process, and simplify employee training sessions.

If US organisations do follow this guide and create a universal approach, EU citizens based in the US may see the benefit of the GDPR even though they are not covered by it.

Any company that has offices within the EU is subject to the GDPR. The law states that “any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.” Even if an organisation only collects or processes data through a subsidiary or branch of the company which is based in the EU, they are bound to be compliant with GDPR.


Posted by

Emma Taylor

Emma Taylor is the contributing editor of Defensorum. Emma started on Defensorum as a news writer in 2017 and was promoted to editor in 2022. Emma has written and edited several hundred articles related to IT security and has developed a deep understanding of the sector. You can follow Emma on https://twitter.com/defensorum and contact Emma at emmataylor@defensorum.com.