The General Data Protection Regulation - the GDPR - is a European law, so it only applies in Europe right?
Well, not exactly, because the Internet is everywhere. Basically, if your business targets EU customers, there is a good chance you have to comply with the GDPR, at least for those customers or users in European territory. “Europe” for GDPR purposes means the EU, Norway, Iceland, Liechtenstein, and the UK (under the UK GDPR).
So who does the law apply to?
1. Any “establishment” in the EU, regardless of its legal form, that processes personal data.
An “establishment” is a “stable arrangement,” like an office, agency, or branch.
2. Anyone offering goods or services to customers located in the EU (even if those services are free).
3. Anyone who “monitors the behavior” (gathers data) of people in Europe.
The GDPR applies to European territory, not to European people.
This means that companies offering goods or services online to people in Europe may be subject to the GDPR even if they have no operations in Europe. (Just selling a product online that Europeans might buy does not necessarily subject a company to the GDPR.)
To recap, the GDPR applies (generally speaking) to:
- entities with any operations in the EU,
- any entity offering goods or services to people in the EU; and
- any entity that monitors the activity of people in the EU.
That’s a lot of companies!
So if you think the GDPR might apply to your organization, it’s time to talk to legal counsel and start getting a plan in place to make sure you follow the law. It’s critical that you understand your role in helping your company comply with the GDPR.