Chances are you have heard about the European Union’s General Data Protection Regulation (GDPR), a European privacy law approved by the European Commission that becomes effective May 25, 2018, but you are probably wondering how your business may be affected and what you need to know about the EU’s new regulation.
The EU’s GDPR replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to strengthen individual data and privacy protection for individuals residing within the EU. It sets regulations for how data is treated.
How does this affect businesses outside the EU?
Does your business have a commercial website or mobile app? If so, you are likely collecting data from people worldwide. The GDRP expands the jurisdiction of the law to impact businesses based outside the EU by applying to all companies processing and holding the personal data of people residing in the EU, regardless of the company’s location. This means the GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether or not they are processing the personal data of EU citizens. The GDPR also applies across all industries and sectors. Due to the broad scope, this may include your business.
What is “personal data” under GDPR?
Personal data is any information relating to an identified or identifiable individual which means information that could be used, on its own or in conjunction with other data, to identify an individual. Again, this is an incredibly broad scope. Personal data would include not only the data that most understand to be personal, such as social security numbers, names, physical addresses, email addresses, but information like IP addresses, behavioral data, location data, biometric data, financial information, and more. Furthermore, even personal data that has been “pseudonymized” can be considered personal data if the pseudonym can be linked to any particular individual (pseudonymization is a method to substitute identifiable data with a reversible, consistent value).
Am I “processing” data under GDPR?
According to the GDPR, processing data is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Basically, any activity involved in collecting, managing, using or storing the data will fall under the umbrella.
Do I need to comply?
Generally speaking, if you are an organization that is organized in the EU or one that is processing the personal data of EU citizens, the GDPR will apply to you. Even if all that you are doing is collecting or storing email addresses, if those email addresses belong to EU citizens, the GDPR likely applies to you. You should consult with legal counsel regarding the full scope of your compliance obligations.
Additionally, even if you do not believe your business will be affected by the GDPR, the GDPR and its underlying principles may still be important to you. European law tends to set the trend for international privacy regulation, and increased privacy awareness now may give you a competitive advantage later. You should consult with an attorney to help you navigate the GDPR.