The world has made it past the start of the EU’s General Data Protection Regulation (GDPR) without any major explosions. Much like Y2K, this is undoubtedly because companies were prepared. Everyone has been so peppered over the past few months with notices about privacy policies being updated that it has become a running joke across the Internet. While EU-based firms and global enterprises were diligent in ensuring they were compliant, the updates continue even after the deadlines, and many companies outside the EU are still wondering what GDPR means to them. In this post we’ll talk about who GDPR applies to, what that means to you, and why you should be paying attention.
First off, the General Data Protection Regulation basically says that people have the right to control any data about them. It applies to any organization that holds any data on EU citizens. Obviously, that is going to mean any organization that operates in the EU, as well as global organizations that include EU citizens among their customers, such as Facebook and Netflix. But you don’t need an office in the EU to have EU customers. Lots of non-EU firms do things like back-office data processing and have come to discover that their customers are global firms; by virtue of their customers holding data about EU citizens, they hold it as well, and that means they must be GDPR compliant. If this applies to you, you have probably heard about it from your customers already. But what about a company with no presence in the EU and no customers saying you need to be compliant? Well, unless you’ve been checking the passports of all your customers, chances are you have some customers who are EU citizens, so GDPR applies to you.
Even if GDPR technically applies, if you are a non-EU-based business, you may be thinking, “So what?” Well, since enforcement just started last week, the fact is we don’t know for sure. Chances are the regulators are going to be focused on EU-based firms and gently encouraging compliance at first, so if you do not have a deliberate EU presence, you have some time to figure these things out. That said, one should consider a couple of things before deliberately deciding not to be compliant:
- Being in violation will effectively preclude you from ever expanding into the EU, and
- If the EU regulators do bring action against your firm, they might not be able to force you to pay fines as long as you stay outside the EU, but action could be taken should any officer of your firm ever travel to the EU.
That said, there is an even bigger reason you should try to be compliant: this is something that customers are starting to expect. Any of your customers who came from the EU will begin to expect this as a fundamental right, and as global enterprises become compliant and offer privacy protection features to all their customers, non-EU citizens will start to expect it as well. By extension, GDPR has become the best practice when it comes to privacy protection, so if anything ever goes wrong (such as a data breach), showing that you were following best practices will go a long way toward protecting you against accusations of wrongdoing (standard disclaimer: I am not a lawyer, and this is not intended as legal advice). For example, had Facebook been GDPR compliant a couple of years ago, there is a good chance that Zuckerberg would not have been pulled in front of the US Congress and the European Parliament over the Cambridge Analytica data. Of course, global enterprises might treat data for their EU and non-EU customers differently, but that likely leads to operational inefficiencies and higher costs over the long term.
If you need help becoming GDPR compliant, BuboWerks can help! Contact us to discuss our services, such as a GDPR evaluation, a compliance strategy, Data Protection Impact Assessments (DPIA), or a fractional Data Protection Officer (DPO). Any company that needs to become compliant must have a Data Protection Officer, yet these are in short supply outside the EU, and a full-time DPO is more than most Small-to-Medium Businesses (SMBs) need, so BuboWerks can work with you to provide a DPO for just the time that you need them.