Here at Ellisons we have spent the last few months supporting clients in the UK and beyond with their efforts to ensure that they are compliant with the new EU General Data Protection Regulation (GDPR) before the implementation date of 25th May 2018.
However, it is clear that a number of our contacts and clients outside the EU don’t have a clear understanding of the impact the GDPR may have on them.
Article 3(2) of the GDPR (Territorial Scope) makes it clear that the GDPR also applies to businesses that are incorporated outside the EU. This means that any business that processes the personal data of data subjects in the EU with a view to offering goods and services in the EU (including free services), or monitoring their behaviour in the EU, will be within the scope of the GDPR.
This will catch a wide range of businesses, but it will clearly apply to online retailers, software and service providers, social media platforms and mobile app developers to the extent that they provide services to EU citizens.
As a starting point, Article 27 of the GDPR requires these businesses to appoint a representative within an EU member state unless they fall within a very limited exemption, which applies only where their processing is “occasional”, does not include any large-scale processing of sensitive data and is unlikely to result in a risk to the rights and freedoms of natural persons. This will be a very difficult test to satisfy for any business which regularly deals with EU citizens.
This representative can be subject to enforcement action in the event of GDPR non-compliance, but this does not mean that the non-EU data controller itself can avoid enforcement.
Instead, the non-EU data controller itself will also be subject to the full GDPR compliance regime in connection with its processing of this data. This is very extensive (as businesses in the EU have found over the last months), but in terms of practical steps it would include as a minimum:
- Issue of GDPR-compliant Privacy Notices to customers;
- Adoption of appropriate internal policies and procedures in relation to data privacy, security, breach notification and rights of data subjects;
- Putting in place compliant controller/processor agreements with any organisations processing data on their behalf; and
- Record-keeping (and potentially the maintenance of detailed processing records) to comply with the “accountability” requirement, i.e. being able to produce evidence of compliance with the GDPR.
The regime of financial penalties under the GDPR will also apply to these non-EU data controllers. Whilst the maximum penalties of €10,000,000 or 2% of global turnover, or €20,000,000 or 4% of global turnover (the greater figure applying in each case), may be unlikely to be seen in the short term, the level of penalties will clearly be of significant concern.
There may also be specific issues in some jurisdictions. For example, US companies would not typically regard an IP address as “personally identifying information” for data protection purposes, whereas under the GDPR an IP address can clearly constitute “personal data”.
The larger technology companies are used to looking at these kinds of cross-jurisdictional issues and have generally taken the appropriate steps well in advance of 25th May.
However, in our experience there is a raft of smaller, but still substantial, businesses based in the US and elsewhere that will be caught by the extra-territorial reach of the GDPR, but that haven’t to date had the knowledge or resources to put in place a compliance regime.
Whilst 25th May will come and go, the importance of complying with the GDPR has not diminished; indeed, the likelihood of enforcement action and penalties by supervisory authorities will only increase as time goes on and any informal latitude which might be given initially falls away.
As such, it is critical that any non-EU business that is carrying out this kind of processing undertakes a data protection audit and GDPR compliance exercise without delay.
With our background of advising a wide range of UK-based companies on GDPR compliance, and our international reach via our membership of the Alliott Group, Ellisons is ideally placed to assist with this. Please contact Seamus Clifford or Jon Bloor for further information.