The General Data Protection Regulation (GDPR) took effect May 25, 2018, replacing the earlier 1995 European Union (EU) Data Protection Directive. However, many international organizations are still uncertain about it. Does GDPR apply to your organization, and if so, in what capacity? Here are some key questions to help determine where your organization fits within the GDPR framework.
Note that in this context “subject” refers to the “data subject,” or the identified or identifiable person whose personal data (i.e. information relating to that person) is being collected.
1. Where Is GDPR Enforced?
GDPR is enforced in the 28 EU member states and three additional countries (Liechtenstein, Iceland, and Norway), which together constitute the greater European Economic Area (EEA). While technically these regulations apply to any company worldwide collecting data on EEA citizens, the GDPR’s actual enforceability beyond the limits of the EEA is still being determined and would likely come in the form of sanctions or blocking of imports for large enough offenders that do not have an EEA presence.
Ask: Does my company collect personal data on subjects within the EEA, or process said data from companies who do?
2. When Does GDPR Apply to a Non-EEA-Based Organization?
GDPR applies to:
- Organizations anywhere in the world that process the personal data of those in the EEA in connection with the offering of goods or services, regardless of whether payment is exchanged.
- Organizations anywhere in the world that monitor the behavior of subjects as far as their behavior takes place in the EEA.
GDPR does not apply to:
- Organizations not present in the EEA that process the personal data of citizens of EEA member countries while those citizens are abroad in non-EEA countries.
E.g., if an EU citizen travels to the US, a company in the US processing personal data the EU citizen leaves behind while visiting the US is not subject to GDPR. However, if that same company processed data the same EU citizen generated while in the EEA, that activity would be subject to GDPR.
- Organizations not present in the EEA monitoring the behavior of EEA data subjects outside the EEA.
Ask: Where is my company’s data collected? Does my company process data originating from subjects in the EEA?
3. What Is the Difference Between Controllers and Processors?
GDPR has differing requirements for “controllers” and “processors” of personal data, and the definitions can be confusing. Controllers are people, departments, or agencies that determine the data to be collected and what is done with it. Processors, then, are parties that process said data. Here’s the confusing bit: the act of collecting the data is considered a “processing” action.
For example, a research organization collecting the information of people in the EEA who might be interested in participating in a clinical trial is considered a controller under GDPR. If that research organization partners with an email automation provider to contact and record responses of these people, that provider is considered a processor, even if they do not perform any other action besides collecting the data. Note that it is possible for an organization to be both a controller and a processor.
Ask: What is the chain of custody for personal data, beginning with the point of data collection and ending with the person or department in charge of that data? Who in this chain are processors, controllers, or both?
4. What Types of Data Are Subject to GDPR?
Another key point of GDPR is whether the data is anonymized (i.e., impossible to connect back to a single person) or pseudonymized (i.e., separated from identifying information, but capable of being connected back to an individual). Fully anonymized data is not subject to GDPR, but this type of information is of only limited use to a controller. Pseudonymized data is subject to the GDPR and must be stored using a method that, if stolen, renders the data useless to anyone without the necessary means to reconnect the data with real people.
Ask: Is the data my company stores connectable, directly or indirectly, with any single person? If so, is this data appropriately protected?
5. What Is Special Data?
Certain types of personal data require even more care in handling, and this special data is often the type collected in research studies. The GDPR frequently requires that data revealing any of the following be collected through an opt-in informed consent process:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic, biometric, and health data
- Data concerning sex life or sexual orientation
The GDPR strongly discourages collecting this kind of information unless absolutely critical, but it does allow such collection on the basis of “preventive medicine, diagnosis, or healthcare, scientific or historical research purposes, or public interest in the area of public health.” This means that data collection for the purpose of research may not require consent under the GDPR, though local regulations on human subjects protection may still require it.
6. What Are the Penalties of Noncompliance?
Perhaps the most intimidating aspect of the GDPR is that it grants significant punitive power to regulators in the case of data mishandling. Failure to comply with GDPR can result in fines of up to 4% of a company’s global revenue depending on the scope of the violation.
Ask: Is it worth 4% of my company’s global revenue to ignore GDPR?
If you are still uncertain about how GDPR will affect your company’s data processes, Advarra Consulting can help. Our GDPR experts can set up a personalized GDPR compliance plan so you can conduct international business with confidence, knowing you’re compliant. Watch our free on-demand GDPR webinar and get CEU credit.