Who does the GDPR apply to?

The General Data Protection Regulation (GDPR) is a data privacy law that protects individuals within EU member states and the European Economic Area. While GDPR protects individuals within Europe, its scope includes jurisdictions across the world.

Firms worldwide need to know their exposure to GDPR compliance risks. This article will explain who must protect user privacy. If you know that you are covered, you will be well-placed to cut the risk of regulatory penalties.

Key takeaways

GDPR applies to organizations that process the personal data of citizens of the European Union and other residents. This does not just apply to European businesses. Non-EU businesses selling within the EU need to comply with GDPR.
Non-EU businesses must comply with GDPR if they a) offer services to individuals in an EU country or b) monitor the online behavior of individuals in the EU.
The definition of "offering services to EU citizens" includes showing prices in EU currencies. It also includes shipping to EU countries and displaying websites in EU member-state languages.
Relevant forms of monitoring behavior include using tracking cookies to record user behavior. It also includes tracking IP addresses of users based in the European Union's member states.

The two most important things to understand about the scope of GDPR are who the regulations cover and where regulations apply.

Who does GDPR cover?

European privacy regulations are not limited to EU citizens. Instead, the General Data Protection Regulation applies to "natural subjects."

Natural subjects are people who are physically present within the borders of EU or EEA states. They could be from France or Germany. But natural subjects can also be American or Chinese. Nationality does not matter. Location is the critical factor.

Regulated entities also need to understand the difference between the EU and the European Economic Area (EEA). The EEA is larger than the EU. Alongside the core 27 EU nations, it also includes Iceland, Liechtenstein, and Norway.

GDPR applies within the EEA. So while GDPR is often referred to as a European Union regulation, the scope of the regulations is slightly wider than the borders of the EU.

The legal status of the United Kingdom is also slightly different. The UK is not part of GDPR, but the Data Protection Act 2018 mirrors GDPR privacy protections. However, following Brexit, the UK is not technically a GDPR-compliant jurisdiction.

Where is the territorial scope of GDPR?

One of the critical aspects of GDPR is that it is an "extraterritorial" regulation. Extraterritoriality means that GDPR rules extend to businesses anywhere in the world.

GDPR applies to all organizations that process the data of individuals in Europe. This includes entities based in the EU as well as non-EU organizations.

Any entity with its headquarters in the EEA must comply with the GDPR. This includes businesses, charities, and governmental bodies.

Regulatory bodies inside the European Union can also impose fines on companies in Asia, Latin America, or the United States. The location of the business is irrelevant. What matters is the location of the individuals who visit websites or purchase goods and services.

GDPR applies to organizations that process the personal data of EU citizens and residents. Personal data can be used to identify the individual it belongs to. There are many types of personal data. If a company collects one of those types, it must comply with the GDPR. Examples include:

Individual photographs
Social security numbers
Addresses and phone numbers
IP addresses
Driving license numbers
Bank details

There are two main categories of GDPR-compliant organizations:

Organizations in the EU that process personal data of EU citizens and residents.
Non-EU organizations that offer products/services to EU citizens and collect personal data to monitor their behavior.

Organizations do not need to have a physical presence in the EU. They just need to sell to customers from EU countries and/or collect their personal data. Several factors could trigger GDPR compliance for non-EU organizations. Examples include:

Targeted ads. Companies might aim digital advertising campaigns at buyers in the EU.
Language. Websites written in an EU language in a way that reaches out specifically to EU citizens.
Currency. Websites that advertise prices in currencies used by EU nations.
Shipping. Enterprises that list shipping rates or options to European destinations.
Data gathering. The use of direct or indirect tools to harvest data from visitors located in Europe.
Data processing. Processors may contract with EU-based organizations to process user data.

For example, imagine a US-based eBay seller that sometimes sends items to France. In this case, personal data collected by the seller includes postal addresses and names. It doesn't matter how many items the seller sends to France. Disclosing a single piece of personal data is a GDPR violation. So, the seller must comply with the GDPR.

Another company sells apparel on an eCommerce website. The company website collects information about visitors. It uses this data to deliver targeted ads and understand the audience of the business. If the site harvests data from visitors inside the EEA, GDPR applies.

One way of understanding GDPR is by considering which organizations lie outside its scope. This only includes organizations that:

Do not process personal data at all.
Do not sell to individuals within the EEA and have technical measures that prevent EU visitors from engaging with business assets.
Do not monitor the behavior of EU citizens or residents. For instance, a US-based charity might provide information to a European audience without selling anything or gathering data.

Organizations like this are uncommon in today's tightly connected digital marketplace. Most eCommerce vendors and service providers fall within the scope of GDPR. And they must take action to comply.

Organizations worldwide need to think carefully about how they collect, process, store, and transfer personal data from EU residents.

GDPR has a major impact on international data processing and data protection. Organizations must secure international data transfers. This requires cross-border controls to ensure an adequate level of security.

The visual above shows one way of creating GDPR-compliant data flows within international organizations. The organization, in this example, uses regional storage solutions to meet regulatory obligations.

Regional storage systems allow companies to keep personal data within the EU. GDPR applies to the personal data of EU residents, even if that data travels to non-EU jurisdictions. Storing it in a European location makes it easier to manage data and ensure user privacy.

Regional storage also makes it possible to put in place authorization systems. This ensures that only authorized individuals can access personal data of European citizens.

Companies transferring data outside the EU also need to sign agreements with data recipients. There are two forms of agreement to know about:

Binding corporate rules (BCRs). BCRs set out the data protection rules used by the data controller to protect individual privacy. They must also include ways to enforce compliance with internal subsidiaries or other bodies that handle user data.
Standard contractual clauses (SCCs). SCCs govern data transfers to third parties located outside the EU. They ensure that third parties operate adequate data security controls in line with GDPR requirements.

Compliance officers across the world must assess whether GDPR applies to their organization. And they must isolate the departments or processes that must comply with the GDPR. But how can organizations make this assessment and ensure watertight compliance?

Analyze your customer base

Companies need to understand whether they process personal data on natural subjects within the EEA. This can be deceptively complex. For example, companies may deal with people who move between North America and Europe. But they may not be aware of these movements.

Employees working remotely from the EEA also qualify as natural subjects. Enterprises need to ensure that data transferred from remote workers to offices outside the EU is secure. And they also need to safeguard the personal data of EU-based staff members.

Remember that the location of the individual is critical

When assessing your GDPR obligations, location is everything. GDPR regulates the privacy of people inside the boundaries of the EEA/EU. The location of a data processor or data controller does not matter. If companies collect data from individuals in European countries, they must comply.

On the other hand, GDPR does not cover EU citizens if they travel outside the territorial scope of the regulations. If a US-based company deals with European visitors but never sells to individuals across the Atlantic, GDPR does not apply.

Understand your data processing operations

Some companies are surprised to learn how much personal data they process and store. Audit your data handling processes to detect flows regulated by GDPR.

For example, companies may use tracking cookies that do not discriminate between EU and non-EU website visitors. GDPR requires organizations to obtain consent for tools that monitor user behavior. The organization involved will need to design controls to identify EU or EEA-based traffic and request consent.

Make sure you have a lawful basis for gathering data

If you collect personal data in the EU, ensure your processes meet the legal standards for compliant data gathering. You will find a list of lawful reasons to collect customer data in Article 6 of the regulations.

When writing compliance policies and making legal assessments, it helps to assign a Data Protection Officer (DPO). DPOs are not mandatory under GDPR. However, appointing a voluntary DPO improves compliance and can reduce fines if violations occur.

Think about the size of your organization

GDPR applies to large and small organizations, with few exemptions for SMEs. However, not all SMEs need a comprehensive GDPR compliance plan.

If you operate a small non-EU business that primarily sells in your home market, GDPR compliance is a secondary concern. National regulators within the EU are very unlikely to pursue businesses outside Europe due to a few rogue cookies.

However, this is not the case if hundreds of customer transactions are at stake. And it definitely does not apply to multi-national corporations.

Remember that the size of GDPR penalties partially depends on the size of the company involved. Regulators can fine larger companies €20 million or 4 percent of global revenues. The highest penalty for smaller businesses is €10 million or 2 percent of turnover.

GDPR compliance is a core regulatory challenge for companies across the world. As an extra-territorial regulation, GDPR applies virtually everywhere. Any organization that handles people's personal data within the EEA/EU must be GDPR compliant.

Compliance is not an optional extra. Fines for GDPR violations can reach 4 percent of global revenues. And regulators are often keen to impose the highest possible penalty when businesses compromise individual privacy.

Organizations can cut their regulatory risk by focusing on data protection and individual privacy. Relevant compliance actions include:

Requesting consent to collect and share customer data
Explaining the legal basis for data collection and usage
Applying data security controls to safeguard personal data
Cutting the amount of personal data that businesses collect
Assessing third parties to ensure GDPR compliance
Providing users with control over their data. Allowing access to personal data and deleting data when requested.
Creating secure systems for international data transfers

Avoid unnecessary compliance penalties and retain customer trust. Create a GDPR compliance strategy that meets regulatory obligations. And put in place secure, streamlined data handling processes.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.