The EU General Data Protection Regulation (GDPR) came into force in May 2018. One of the reasons the EU introduced the law is to give people more control over their personal data.
To prepare for the GDPR, companies have had to think carefully about their data protection and privacy practices.
What’s Covered by the GDPR?
The GDPR covers the “processing” of “personal data.” Article 4 (1) of the GDPR defines personal data as information that can be used “directly or indirectly” to identify a person. This is a very broad definition. Aside from the obvious things like a person’s name, it can also include a person’s:
- Email address
- Cookie data
- IP address (even where it’s a dynamic IP address)
“Processing” is a broad term. The GDPR covers any sort of automated data processing activity or filing (electronic or otherwise). This might include:
- Asking your customers to fill out a contact form on your website
- Storing a list of phone numbers
- Sending direct marketing emails
According to Article 3 of the GDPR, the regulation applies to any person or organization that:
- Offers goods and services in the EU (whether they’re charged for, or provided for free);
- Monitors the behavior of people in the EU.
So, your company might not be “offering goods and services” in the EU. But you will still fall under the GDPR if you:
- Target EU residents with advertising cookies, or
- Store your EU users’ IP addresses in your log files
Does the GDPR Apply Outside of the EU?
The GDPR covers all processing of the personal data of people in the EU – whether the actual act of processing is performed in the EU or not. Compliance is not limited to EU companies. Companies based anywhere else in the world – for example the United States, Canada, or Russia – must comply, too.
While some laws, like the upcoming California Consumer Privacy Act, only apply to certain types of companies, the GDPR could apply to anyone that falls within its scope – including individuals, charities, public bodies and businesses.
Note that there are some exemptions, but most businesses will have to comply.
How to Comply with the GDPR
If the GDPR applies to you, you’ll want to know how you can avoid infringing it.
EU data protection authorities can impose fines and other penalties on companies that breach the GDPR. It’s not entirely clear how this will be enforced against non-EU businesses. But even the threat of a sanction will create a huge headache for your company.