What Countries are Affected by the GDPR?

What Countries are affected by the GDPR is a common GDPR question. The General Data Protection Regulation (GDPR) is a European Union (EU) Regulation that was accepted on April 27, 2016. The GDPR will come into force on May 25, 2018. While it is a piece of  EU legislation, institutions located outside of the EU must be aware of its implications and be on their guard to avoid violating it. The physical location of the organization does not exempt or shield it from facing the consequences of non-compliance.

Institutions with offices in an EU country or that collect, process or store the personal data of anyone located within an EU country are required to comply with the GDPR. As businesses and other organizations often have an international focus and reach, it is quite probable your entity will be required to comply with the GDPR – especially if it is an entity that operates or offers services via the Internet.

Main Countries Affected by the GDPR

As mentioned above, the physical location of the institution, organization or business is not as important in determining the need to comply with the GDPR as the physical location of the data subject – the individual whose data is being collected, processed or stored. We have stated already that most organizations will find themselves subject to or impacted by the GDPR. Having said that, organizations located within the EU will likely see their practices change to a greater extent. Logically, they are more likely to process a larger amount of data belonging to individuals located in the EU. Organizations in the following countries, the EU member states, will probably be most affected by the GDPR:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom

As the United Kingdom will still be a member of the European Union when the GDPR comes into force, the regulation will be absorbed into the UK´s domestic law under Clause 3 of the European Union (Withdrawal) Bill. The UK government is also in the process of debating a new Data Protection Bill which is closely aligned to the GDPR with a few minor exceptions (for example the right of individuals to have all social media postings from their childhood deleted) and exemptions (for example exemption from the Data protection Bill for journalists and whistle-blowers in certain circumstances).

Other EU member states are also introducing their own national laws to compliment the introduction of the GDPR. Most of them closely match the privacy and security requirements of the GDPR and, where they deviate, the changes mostly concern the age of consent for children, the need to obtain employees´ consent before processing their data, minor restrictions on the Rights of Individuals, and an extension of “special categories” when it is in the public interest.

How the GDPR Will Affect Non-EU Nations

The GDPR will have a global impact even with the relatively small and localized nature of the EU itself. Despite EU countries being more likely to see the most change, non-EU countries are likely to see greater disruption following the introduction of the GDPR. This is due to the fact that organizations located within the EU are more likely to be prepared for the changes as they as more likely to be aware of the introduction of the GDPR. A large number of organizations located outside of the EU are still unaware of the coming change or are of the opinion that they are exempt or will be unaffected.

There is also a sociological difference at play: non-EU societies such as the United States (US) and others do not have the same expectation of privacy as many EU societies. Privacy laws are in place for certain types of “sensitive” data, such as the Health Insurance Portability and Accountability Act (HIPAA), which regulates healthcare information; or the Gramm-Leach-Bliley Act, which concerns financial information; but “general” data does not enjoy the same protections. For this reason, only US-based organizations and businesses that have Privacy Shield certification will be able to migrate dat from the EU.

The need to implement, staff, and run parallel systems may introduce too much complexity and drive costs too high for US-based organizations and businesses to continue offering their services to the EU market. A potential strategy may be for US-based actors to adopt an “all or nothing” approach that protects “general” data in a way currently reserved for “sensitive” data. This may allow the same system to be used to comply with both HIPAA, for example, and the GDPR. As of now, it is unclear whether many US groups will attempt this strategy.

Transferring Data Outside of the EU

The GDPR places strict controls on data transferred to non-EU countries or international organizations. These are detailed in Chapter V of the Regulation. Data is allowed to be transferred only when the EU Commission has deemed that the transfer destination “ensures an adequate level of protection”.

Data transfers can also occur in situations where the receiving entity can demonstrate that they meet this “adequate level of protection”, subject to periodic review every four years. The necessary protections may include:

– Commission approved data protection clauses

– Legally binding agreements between public authorities

– Commission approved certification

– Binding corporate rules that are enforced across different entities within the same corporate group

The transfer of data is strictly regulated so as to offer each individual in the EU the same protections and rights under EU law regardless of the location of data storage or processing. This has significant implications for organizations in the U.S. that collect, process or store the personal information of EU data subjects. U.S. data protection laws are not considered sufficiently robust by the EU to provide adequate protection, and only organizations certified under the EU-US Privacy Shield agreement will be compliant with GDPR when it comes into force (exceptions exist in certain circumstances).

What Does GDPR Mean for Me?

Above, we have seen a brief description of the data concerned by the GDPR – personal data of an individual located within the EU. We have also touched upon who is affected and how groups in some non-EU countries may approach GDPR compliance in an efficient manner. Now, we will outline why compliance is important: the maximum fine for violating the GDPR can be as high as €20 million, or 4% of annual turnover, whichever is higher. Compliance is, therefore, a very important issue.

While some groups will need to adapt their methods of processing data to be GDPR compliant, the common EU Regulation will make it easier to deal with data originating from different EU countries.

With the introduction of the GDPR fast upon us, groups must use the time they have left to ensure they will be compliant on May 25. They will need to audit their data and verify that the methods of collecting, processing, and storage – as well as the nature of the data itself – are GDPR compliant.

If the necessary systems are not in place by May 25, organizations run the risk of non-compliance, sanctions, and losing business from their European partners.


GDPR Compliance Checklist

Got customers in Europe?
Your American company may be required by law to comply with GDPR.

Thank You

    How we use your data
    Immediate Access.
    Confidentiality guaranteed.

    GDPR Compliance Checklist

    Got customers in Europe?
    Your American company may be required by law to comply with GDPR.

    Thank You

      How we use your data
      Immediate Access.
      Confidentiality guaranteed.