General Data Protection Regulation
Key issues for a non-EU business in connection with the GDPR
27 April 2017
A lot has been written about how the EU's General Data Protection Regulation (GDPR) will affect European businesses, but perhaps less about its effect on non-European businesses. Here are four points to bear in mind:
1. The GDPR radically expands the territorial scope of EU personal data protection by extending its jurisdiction not only to controllers processing personal data in the EU, but also to non-EU controllers and processors processing the personal data of individuals who are in the EU, if:
(a) such processing takes place in the context of the activities of an establishment in the EU; or
(b) the processing relates to:
- the offering of goods or services to such data subjects in the EU (irrespective of whether the goods/services are offered for a fee or free of charge), or
- the monitoring of the behaviour of such data subjects, as long as that behaviour takes place in the EU.
2. The GDPR introduces significant fines, including revenue-based fines, which enable the DPAs to impose fines for some infringements of up to the higher of 4% of annual worldwide turnover and EUR20 million. Other specified infringements attract a fine of up to the higher of 2% of annual worldwide turnover and EUR10 million. Non-EU resident controllers and processors who are obliged to comply with the GDPR must appoint representatives within the EU to act as a point of contact for EU data subjects and regulators for the purposes of enforcing the GDPR; however, the designation of a representative is without prejudice to legal actions that may be taken against the controller/processor itself.
3. In terms of cross-border transfers, the GDPR largely reflects the regime under the current Data Protection Directive, although it does expand the list of appropriate safeguards that allow a controller or processor to carry out international transfers (for instance, the GDPR expressly recognises binding corporate rules and sets out the conditions to be met for an international transfer to be permitted). Therefore, in light of the increased penalties and the general media attention to non-compliance in the area of data protection, a multinational may want to audit its existing intra-group data transfer arrangements or consider developing binding corporate rules.
4. The GDPR will start to apply from 25 May 2018, and by this date a non-EU business has to determine:
- whether, taking into account its business model and existing processes, it falls within the scope of the GDPR;
- what complying with the GDPR means for the non-EU business, both in terms of restructuring its operations and in terms of ongoing costs;
- how its cross-border intra-group personal data transfers are structured, and whether any changes to these processes may be required;
- whether compliance with the GDPR could conflict with the need to continue complying with the existing data protection rules in the home jurisdiction of the non-EU entity;
- whether any restructuring of operations or of the business is necessary or feasible to ensure compliance or to minimise compliance costs; and
- who should be appointed as Representative, and what the arrangements with that Representative should include.