Share this article on:
What Countries are Affected by the GDPR is a common GDPR question. The General Data Protection Regulation (GDPR) is a European Union (EU) Regulation that was accepted on April 27, 2016. The GDPR will come into force on May 25, 2018. While it is a piece of EU legislation, even institutions located outside of the EU must be aware of its implications and be on their guard to avoid violating it. The physical location of the organization does not exempt or shield it from facing the consequences of non-compliance.
Institutions that have offices in an EU country or that process the personal data of anyone located within an EU country are obliged to follow the GDPR. As businesses and other organizations often have an international focus and reach, it is quite probable that your entity will be required to comply with the GDPR – especially if it is an entity that operates or offers services via the internet.
Main Countries Concerned by the GDPR
As mentioned above, the physical location of the group is not as important in determining the need to comply with the GDPR as the physical location of the data subject – the person whose data is being stored or processed. We have stated already that most groups will find themselves subject to or impacted by the GDPR. Having said that, organizations located within the EU will likely see their practices change to a greater extent. Logically, they are more likely to process a larger amount of data belonging to individuals located in the EU. Organizations in the following countries, the EU member states, will probably be most concerned by the GDPR:
- Republic of Cyprus
- Czech Republic
- United Kingdom
Even with the uncertainty following Brexit and the United Kingdom’s (UK) future legal status regarding EU laws, for now it remains an EU state. This means that the GDPR will become part of UK law and will remain so until such a time as it is changed by the British government. Accepted EU laws will not just stop applying to the UK once they have left the EU.
How the GDPR Will Affect Non-EU Nations
The GDPR will have a global impact even with the relatively small and localized nature of the EU itself. Despite EU countries being more likely to see the most change, non-EU countries are likely to see greater disruption following the introduction of the GDPR. This is due to the fact that organizations located within the EU are more likely to be prepared for the changes as they as more likely to be aware of the introduction of the GDPR. A large number of organizations located outside of the EU are still unaware of the coming change or are of the opinion that they are exempt or will be unaffected.
There is also a sociological difference at play: non-EU societies such as the United States (US) and others do not have the same expectation of privacy as many EU societies. Privacy laws are in place for certain types of “sensitive” data, such as the Health Insurance Portability and Accountability Act (HIPAA), which regulates healthcare information; or the Gramm-Leach-Bliley Act, which concerns financial information; but “general” data does not enjoy the same protections. This may place US entities at a disadvantage as they may need to have several procedures in place to correctly handle personal information depending on whether it originates from the EU or the US.
The need to implement, staff, and run parallel systems may introduce too much complexity and drive costs too high for US based organizations to continue offering their services to the EU market. A potential strategy may be for US based actors to adopt an “all or nothing” approach that protects “general” data in a way currently reserved for “sensitive” data. This may allow the same system to be used to comply with both HIPAA, for example, and the GDPR. As of now, it is unclear whether many US groups will attempt this strategy.
Transferring Data Outside of the EU
The GDPR places strict controls on data transferred to non-EU countries or international organizations. These are detailed in Chapter V of the Regulation. Data is allowed to be transferred only when the EU Commission has deemed that the transfer destination “ensures an adequate level of protection”.
Data transfers can also occur in situations where the receiving entity can demonstrate that they meet this “adequate level of protection”, subject to periodic review every four years. The necessary protections may include:
– Commission approved data protection clauses
– Legally binding agreements between public authorities
– Commission approved certification
– Binding corporate rules that are enforced across different entities within the same corporate group
The transfer of data is strictly regulated so as to offer each individual in the EU the same protections and rights under EU law regardless of the location of data storage or processing.
What Does GDPR Mean for Me?
Above, we have seen a brief description of the data concerned by the GDPR – personal data of an individual located within the EU. We have also touched upon who is affected and how groups in some non-EU countries may approach GDPR compliance in an efficient manner. Now, we will outline why compliance is important: the maximum fine for violating the GDPR can be as high as €20 million, or 4% of annual turnover, whichever is higher. Compliance is, therefore, a very important issue.
While some groups will need to adapt their methods of processing data to be GDPR compliant, a common EU legislation will make it easier to deal with data originating from different EU countries.
With the introduction of the GDPR fast upon us, groups must use the time they have left to ensure they will be compliant on May 25. They will need to audit their data and verify that the methods of collecting, processing, and storage – as well as the nature of the data itself – are GDPR compliant.
If the necessary systems are not in place by May 25, organizations run the risk of non-compliance, sanctions, and losing business from their European partners.