Are you a non-EU organization that believes that GDPR doesn’t apply to you? In this blog we take a quick look at what you need to be aware of before the GDPR deadline on May 25, 2018.
GDPR heralds something new for every business. It might be the new fines associated with those organizations that fail to report a data breach. For others, it might be the impending focus on consent.
For a whole swathe of non-EU businesses the most important thing is increased territorial scope. These three words essentially mean one thing: GDPR applies to any business regardless of geographic location that has at least one customer based in the EU.
For companies from Peru to Pakistan, GDPR will have a significant impact on how they obtain consent for the collection, use and disclosure of personal data of their European customers.
Those non-EU controllers and processors of personal data of EU individuals who don’t abide by the new rules face significant fines of up to €20 million or 4% of annual worldwide turnover (whichever is greater) – exactly the same level of penalty handed out to EU organizations that don’t comply.
Indeed, many of the same GDPR rules apply. For example, non-EU resident controllers and processors who need to comply with GDPR must appoint an EU representative to be a point of contact for their European personal data subjects and regulators – an equivalent to the Data Protection Officer (DPO) role required in the EU.
Data across borders
For EU businesses, GDPR also imposes restrictions on the transfer of personal data to countries outside the EU and to international organizations. These data transfers can only take place to non-EU countries that the European Commission has judged to provide an “adequate” level of personal data protection. These countries currently include, but are not limited to: Argentina, Canada (commercial organizations), New Zealand, Switzerland and the USA. Other non-EU countries that don’t make the grade are able to receive transferred data under certain circumstances only.
Are you a non-EU organization with EU customers?
If the above applies to your business, then there are several things you need to do:
- Will your business fall foul of GDPR? Read our GDPR checklist blog to ensure you comply.
- Will you be processing data across borders? If so, will you need to change your data processes and procedures? Check out our guide to GDPR to learn more.
- Will GDPR compliance affect your observance of local data laws? Ensure you double check your requirement needs with your local information/data commissioner’s office.
- Have you appointed an EU data representative? Check out our guide to GDPR to learn more.