On the 25th of May 2018, the EU will replace its Data Protection Directive and enforce much stricter controls on the handling of personal information and individual privacy. While this regulation comes from the EU, it can have significant effects on anyone doing business with customers in the European Union.
This means that thousands or even millions of non-EU businesses could be affected by the new regulation, so those businesses should know what it is and how it affects them. In this article, we’ll briefly discuss what the GDPR means for businesses operating outside the European Union that have customers within it, and how they can bring themselves into compliance.
So, let’s jump straight in.
What is GDPR?
We’ve previously gone into detail about what GDPR is and how it affects both IoT data and video surveillance data in other articles, which you can read here and here. For the purposes of this article, we’ll briefly explain what GDPR is in a few bullet points.
- The General Data Protection Regulation (GDPR) is a European regulation that was passed on April 12th 2016 and comes into effect after a two-year transitional period in which companies were advised to become compliant. The GDPR regulations become enforceable on the 25th May of this year.
- The idea behind this new regulation is to standardize data privacy laws across the whole of Europe and give significantly more power and protection to individuals living within the European Union. This comes seemingly just in time, in the wake of the Facebook/Cambridge Analytica scandal in which millions of users had their data accessed and used without their explicit consent or permission.
- The GDPR also aims to expand on existing regulations and improve data handling practices across Europe in order to keep up with the ever-changing landscape of data handling and privacy. To do this, it gives much greater powers to the individuals whose data is being collected and used.
- The GDPR will also require businesses to acquire and demonstrate a subject’s consent to their data being processed; consent cannot be presumed simply because individuals do not challenge the use of their data. It also states that children under the age of 13 cannot give consent on their own behalf.
- Non-compliance with the regulation can bring fines of up to €20 million or 4% of global annual turnover, whichever is greater. Fines such as these demonstrate the kind of teeth the GDPR will have and ensure that companies know just how important being compliant is.
What Does It Mean for Non-EU Companies?
Now, you may think that, because the GDPR is an EU regulation, it would only apply to EU businesses operating inside the European Union; however, this is not the case. The General Data Protection Regulation has an increased territorial scope, which means it can apply to data controllers outside the EU as well as within it. This could mean huge fines for any businesses or enterprises found to be non-compliant with the regulation while still handling European-based individuals’ personal data. In some cases, businesses and enterprises may even need to appoint an EU representative.
The kinds of non-EU businesses and organisations that the GDPR applies to are those that control and perform any kind of processing of the data of European individuals in a way that relates to either:
- Offering of goods or services to data subjects within the European Union (regardless of whether the goods or services are offered for free or with a price attached)
- The monitoring of the behavior or online habits of a data subject so long as that monitoring takes place within the European Union.
Specifically, the GDPR expands the list of safeguards a controller or processor of data must have in place before carrying out international transfers of that data. This means that businesses and enterprises looking to collect or process data from individuals within the EU will need to ensure they have all the applicable safeguards implemented in order to be compliant with the GDPR. In light of this, many companies are auditing themselves or adopting binding in-house data protection rules that fall in line with those of the GDPR.
With only limited time left to bring themselves into compliance, both European and international businesses and enterprises that handle the personal data of individuals within the European Union are racing against the clock to meet the May 25th deadline. Significant fines and severe reputational damage in the area of data protection are just two of the many reasons why both EU and non-EU companies will want to avoid any GDPR irregularities and, with data becoming increasingly valuable to nearly every commercial and industrial process on the planet, one can only imagine that they’ll be doing everything they can to become compliant in time.