Where and Who Does the GDPR Apply To?
What is GDPR? What does it mean for businesses? Is it only relevant to EU citizens or everyone? Where is it applicable?
The European Union has adopted the General Data Protection Regulation, also known as the GDPR, to ensure data protection across the European Union. The regulation was introduced to protect individuals from privacy violations and give them control over their personal information.
The GDPR applies to all companies processing data from EU residents, regardless of where they are located. Thus, companies outside the EU are required to comply with the GDPR if they collect data from EU customers. This means that if you are operating an online business that collects and processes personal data from EU visitors, you must be compliant with the GDPR.
The GDPR in a Nutshell
The GDPR is a new law that replaces the 1995 Data Protection Directive. It’s designed to strengthen consumer rights by giving people more control over how their personal data is used online. The data protection law came into effect May 25th, 2018. The main objective of this law is to give internet users supreme control over how their data is collected, used, and protected by online businesses, apps, and websites. The companies processing UK residents’ data must use technical safeguards like encryption, and the law also sets higher legal thresholds to justify data collection.
How Did the GDPR Come About?
To make the EU "fit for the digital age," the European Union began a data protection reform effort in 2012. Four years later, agreement was reached on what these laws are and what they should entail. The centerpiece of the reform was the introduction of the General Data Protection Regulation.
The original plan was to implement the changes by 2016, but due to several delays, the deadline was pushed back to May 25th, 2018. In order to reach this deadline, the EU had to work around the clock to make sure everything was ready.
What Does the GDPR Do?
The GDPR aims to create a single data protection framework within the EU. This means that every company that collects any kind of data must adhere to the same rules and regulations. The goal is to provide greater transparency for consumers so they can understand what exactly happens to their personal information when they are using a website or an app.
Under the GDPR, organizations have strict obligations regarding the following:
• Consent — Organizations must obtain consent before collecting any personal data. They must clearly explain what data will be collected and why it's being collected. Consumers must be able to withdraw consent at any time.
• Security — Businesses must take reasonable steps to secure data against loss, misuse, unauthorized access, disclosure, alteration, or destruction.
• Transparency — Organizations must let customers know what type of data they're collecting and how it'll be processed. Customers must get easy-to-understand information about their data whenever they ask for it.
• Access — Individuals must be given access to their own data. They must be able to easily request copies of the data held about them.
• Accountability — Businesses must be accountable for any errors made while processing data. If there is a data breach, organizations must notify affected individuals promptly and inform them of the details of the incident.
What Is Personal Data Under the GDPR?
There are many definitions of personal data from different perspectives. From a business perspective, personal data includes things such as names, email addresses, home addresses, phone numbers, IP addresses, credit card details, browser history, purchase history, etc. For example, if you sign up for a newsletter with your name and email address, that name and email address are personal data.
From a privacy perspective, personal data includes anything that could identify someone. For instance, if you post pictures of yourself on social media, then those photos would fall under personal data. Under the GDPR, personal data also includes genetic data and biometric data.
Who Needs to Be Compliant?
Any company that processes data of EU residents must now meet the requirements of the GDPR. This includes any business that uses websites, apps, email marketing, social media platforms, etc. You should review a GDPR compliance checklist to understand how your business can be compliant.
How Can I Know if My Business is Affected by the GDPR?
If your business collects or processes data about consumers who live in the EU, then you need to be aware of the changes under the GDPR as well. Thus, you should check if your business falls within the scope of the regulation from time to time.
If you do fall within its scope, you may have to make some changes to your current practices. These include:
• Complying with the new rules around consent;
• Ensuring that all personal data is accurate, complete, and up-to-date;
• Notifying customers when their data is being processed;
• Maintaining records of data subjects; and
• Providing clear and transparent explanations of what happens to personal data.
What Are the Penalties for Noncompliance?
There are fines of €20 million or 4% of annual global revenue, whichever is higher. In addition, there could be criminal charges for serious offenses.
Does the GDPR Apply to Companies who Encrypt their Customers' Data?
If your business receives personal data from EU residents, then you need to comply with the GDPR. However, if your business receives data from EU residents and then encrypts it, you have less to worry about under the GDPR.
When Does the GDPR Apply Outside the European Union?
There are two scenarios when the GDPR applies outside the EU. To make sure you have all the knowledge needed in this case, let's discuss each of these scenarios.
1. Offering goods or services
The world is interconnected and has become a village where the internet has facilitated the purchase and delivery of services from one country to the other within a short time. In simple terms, two partners living in two different countries, one in Paris and the other in Canada, can purchase Valentine flowers online and get the flowers delivered to the individual's local stores.
The same can happen when buying other properties. For example, a Dutch couple visiting Italy who want to buy a house in Germany can log into a German real estate company's website and find out about the various houses available in the area. They can select a suitable property and pay online via credit card. In this case, the website collects and processes the Dutch couple's personal data and therefore has to comply with the GDPR.
If your company is in the UK but you offer services worldwide, including to EU residents, then specific requirements apply due to the Brexit situation.
2. Processing data on behalf of others
A person residing in the UK can use another country's website to order flowers for their significant other. The site will ask them to provide information such as a name, address, etc. This information will be used by the website to deliver the flowers to the intended recipient. In this scenario, the company processing the data is based in the UK, but it is doing so on behalf of someone else. So, it doesn't matter whether the company is located in the UK or elsewhere. In simple terms, if you are collecting data and monitoring the behavior of EU residents, you will be required to comply.
Exceptions
It's also important to state that there are two main exceptions to this law. The first exception is that if you have a social media group with your friends that collects personal data, including your friends' personal IDs, phone numbers, and emails, just to organize a picnic for a special occasion, then you don't have to comply. This means that the GDPR only applies to businesses that are collecting data for commercial and professional reasons. So, if you are just collecting data to fund a project with your friends, you don't have to comply with the GDPR.
The second exception to this law covers companies with fewer than 250 employees. However, this doesn't mean that all small and medium enterprises are excluded from the law. According to Article 30.5, the GDPR doesn't affect them in most cases.
Does the GDPR Apply to Individual Websites?
No! As mentioned above, according to Article 30.5 this law only applies to businesses with more than 250 employees. Thus, it does not apply to individuals. So, if you want to start an informative blog, you do not need to comply with the GDPR. You may even run your own website without any compliance requirements.
Keep in mind that if you are selling products or services to customers outside the EU, you will have to comply with the GDPR and the laws of the country where you are operating. The exception here is when you are collecting data for commercial use, such as selling services and products to EU residents. In this case, according to Article 2 of the GDPR, you will have to comply.
In simple words, the GDPR can apply to different players in the market. It applies to all businesses that employ more than 250 people and process EU residents' personal data. Businesses that don't comply with this regulation may receive a costly penalty, which should be avoided at all costs.
To have peace of mind and never worry about GDPR compliance, especially the changes that are going to be introduced and the hefty fines, the best solution would be to add the most secure helpdesk out there that does all the work for you! Yes, you can hire more IT and legal experts, but when you compare the cost of that to employing all-in-one helpdesk software, that may not be your best choice.