Why Non-EU Based Businesses May Be Affected by the EU General Data Protection Regulation (GDPR)
By Yves Le Roux, (ISC)² EMEA Advisory Council Co-Chair & Privacy Workgroup Lead
Yves will be hosting the half-day workshop GDPR: Charting Experience on the March to May 2018 at (ISC)² Secure Summit MENA, in Dubai on the 21st and 22nd November 2017.
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
The regulation was adopted in April last year. It becomes enforceable from 25th May 2018 and, unlike a directive, it does not require national governments to pass any enabling legislation; it is thus directly binding and applicable.
Interestingly, in a recent study, PwC stated that over half of US multinationals say that GDPR is their top data protection priority, with 24% of respondents planning to spend under $1 million for GDPR preparations, while 68% also said that they will invest between $1 million and $10 million. Additionally, 9% expected to spend over $10 million to address GDPR obligations.
The main reason for this is the extension of the territorial scope of GDPR. To know whether, as a non-EU based business, you need to be GDPR compliant, you have three main questions to answer, according to Article 3 of the regulation:
1. Is your company established in the EU?
1. Is your company established in EU?
An organisation may be established where it exercises “any real and effective activity – even a minimal one” – through “stable arrangements” in the EU. Some examples of establishment:
- If a company has a legal representative in the EU for the purposes of providing the company’s services or sales offices in the EU promoting their products, the data processing of these entities (inside or outside the EU) is subject to GDPR.
- The use of a local agent (who is responsible for local debt collection and acting as a representative in administrative and judicial proceedings), and the use of a postal address and bank account for business purposes, is considered as an establishment.
2. Is your non-EU established organisation offering goods or services to data subjects who are in the Union?
Factors such as the use of a language or a currency generally used in one or more Member States, with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union. Some examples of offering goods or services:
- A non-EU company creates a global portal, with a large catalogue of a broad range of products and services that are sourced from third parties. The catalogue is accessible worldwide, and might include European languages — and possibly a currency conversion tool to see prices in Euros — thereby presumably constituting an offering to people in the EU. If personal data is exchanged through this portal, it will be subject to GDPR.
- If a Turkish electronic commerce company targets Turkish-speaking data subjects residing in the EU (e.g. Germany) by giving the possibility of sending goods to the EU and its website is only written in the Turkish language, then that company will fall under the scope of the GDPR, even if the Turkish language is not one of the official languages of any of the Member States of the EU.
3. Is your non-EU established organisation monitoring the behaviour of data subjects who are in the Union?
Monitoring specifically includes the tracking of individuals online to create profiles, including when they are used to make decisions to analyse/predict personal preferences, behaviours and attitudes. Some examples of monitoring:
- If, for security reasons, a system analyses user behaviour on a website, not only across the website’s total population but on an individual user basis, and that user's behaviour takes place within the Union, the system must be GDPR compliant.
- If an e-mail service mines the content and metadata of each email message sent and received to target advertising at data subjects who are in the Union, the system falls within the scope of the GDPR.
Every non-EU business will have to evaluate the specific details of its data processing activities in the light of these three questions and decide on the necessary steps to take. In order to help its constituents better understand these issues, the (ISC)² EMEA Advisory Council has created a GDPR Task Force and developed a number of resources, including the aforementioned workshop and a downloadable overview of the 12 Areas of Activity and their key supporting tasks. You can also join us at Secure Summit MENA in Dubai to discuss your and other members’ experiences in implementing these requirements.