In May 2018, the General Data Protection Regulation (GDPR) came into effect. GDPR was urgently needed in Europe: existing regulations were inadequate to deal with the increasing risk of data theft, and they offered citizens little power over their own data. The creators of GDPR sought to introduce regulations that reduce the risk of data theft to a minimum. By requiring that a number of safeguards are in place, GDPR ensures the protection of the integrity of confidential information. Under GDPR, ordinary citizens are given more rights over the use and sharing of their data.

Whose data does GDPR protect?

GDPR was enacted by the EU, but the regulations affect any company or organisation that collects, maintains, and uses the personal data of EU citizens, whether the organisation is based within the EU or outside of it. Although the phrase “EU citizens” seems clear-cut, for compliance purposes it is easier to think in terms of people who are located within the EU. GDPR itself uses the phrase “natural person” when describing those whose data is concerned. A “natural person” refers to an individual human, as opposed to a “legal person”, which may be a person, an entity, or an organisation. The phrase “natural person” is used because GDPR concerns the data collection of any individual (not just EU citizens, as is popularly believed) who has their data collected while they are within the borders of an EU country.

Furthermore, GDPR does not apply to EU citizens who have their data collected while they are located outside of the EU. GDPR is clear: it is not the citizenship of the individual that matters, but the country in which they are located when their data is accessed by another party. GDPR has no jurisdiction outside of the EU.

An explicit example may help to illustrate this point further. If a US citizen is temporarily residing or travelling in an EU country, such as Spain, and provides personal information during a transaction at a hotel, local shop, or WiFi provider, this personal information is covered by GDPR because the person is located within the EU. The US citizen retains rights concerning their data even after they travel back to the United States, as that data was collected in the EU. The organisation must treat all data it collects with equal care, regardless of the nationality of the individual from whom it was collected.

Conversely, an EU citizen travelling in the United States would not be covered by GDPR. Any data that they provide to an organisation in a transaction similar to the one above would be subject to the individual data protection laws within the US.

Which organisations are subject to GDPR compliance?

Any business or organisation that processes the data of people living within the EU, no matter where the organisation itself is located, must comply with the GDPR stipulations. Similarly, any organisation that is found to be non-compliant with GDPR will face penalties, regardless of its location. This ultimately means that an organisation may be faced with having two different data processing routes: one for data collected within the EU, and one for all other data.

In comparison, in the US there is no overall law that governs the privacy of an individual. There are laws that protect sensitive data in particular fields, such as the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare industry and the Gramm-Leach-Bliley Act (GLBA) in the finance industry.

This added complexity may prove a hindrance for smaller organisations that may not have the resources to deal with two separate datasets. Ensuring that all employees are familiar with two separate procedures requires costly and time-consuming training programmes.

Some experts have suggested that US companies that deal with data collection both inside and outside of the EU may adopt a “one-size-fits-all” approach. That is to say, they create a single set of procedures for data processing and protection within their company which complies with both US laws and GDPR. The organisation then only has to deal with one processing route. This should streamline its data handling process and make the training of employees easier. The risk of non-compliance with GDPR would also be minimised. If US organisations do adopt such a universal approach, EU citizens based in the US may see the benefit of GDPR even though they are not actually covered by it.

Any company that has offices within the EU is subject to GDPR. The law states that “any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union.” Even if an organisation only collects or processes data through a subsidiary or branch of the main company which is based in the EU, it is bound to be compliant with GDPR.

Published by Calida Jenkins