On 25 May 2018, the General Data Protection Regulation (GDPR) is due to come into effect across European Union (EU) member states. The GDPR brings a significant extension of the territorial scope of the EU data protection regulations, catching a large number of overseas businesses.
Indeed, the GDPR considers not only the location of the processing but also the location of the individual whose data is being processed.
1. The GDPR will apply to all organisations that are established in the EU and are processing personal data in that context. Therefore, your organisation will fall within the territorial scope of the GDPR if it is processing personal data in the context of the activities of an establishment of a data controller or a data processor in the EU. GDPR will apply regardless of whether the processing actually takes place in the EU or not.
It is important to note that data processors will also be caught, provided they have an establishment in the EU. Organisations cannot escape the application of the GDPR by processing data outside of the EU. Outsourced service providers, such as IT support, HR support or data storage facilities, could therefore also fall under the scope of the GDPR.
2. The GDPR will also apply to organisations that are not established in the EU where:
– the organisation is offering goods or services to individuals in the EU; or
– the organisation is engaging in monitoring or profiling activities of individuals in the EU (for example, carrying out cookie profiling / behavioural advertising).
For example, a South African company without any EU subsidiaries that offers free social media services to individuals in the EU via a website hosted outside of the EU would fall under the scope of the GDPR.
In the same way, a South African tourism accommodation booking business that uses cookies to track the browsing of past EU-based customers in order to target specific hotel adverts at them would be subject to the GDPR.
With the GDPR due to come into force in less than a year, it is now the right time for organisations outside of the EU to begin assessing their operations to determine whether or not the GDPR will apply.
If GDPR does indeed apply to your organisation, you will have to determine what changes or other steps may need to be taken to ensure compliance:
- have you appointed a data protection officer with sufficient means and powers, as well as a representative based in an EU member state who will act as a point of contact for the regulators?
- are you compliant in the way you collect, store and process personal data?
- are personal data kept secure in accordance with the security principles of the GDPR?
The deadline for enforcement of GDPR is fast approaching and you have to make it your top priority in the months to come!
PPM Attorneys can help you with your compliance project.