It’s been almost a year since we received a flood of emails informing us of updates to companies’ privacy policies. On May 25, 2018 the General Data Protection Regulation (GDPR) came into effect.
The cost of non-compliance with this extraterritorial regulation, for those entities which process the personal information of EU citizens, is still as high as the day the GDPR came into effect. You may have read numerous articles stating that such entities would need to make drastic changes to ensure compliance with GDPR, but been left unsure of how, and whether, the GDPR applies to your organisation – and if so, how to comply with it.
The GDPR is applicable to any personal information processing activities performed by a controller (also known as the entity that collects and makes decisions based on personal information) which is established in the EU.
GDPR further applies to all processing of personal information of data subjects residing in the EU, even if the entity processing the information is not in the EU. A non-EU entity that is not sure about the applicability of the GDPR can ask these questions to establish a clearer view of whether they need to comply with GDPR:
- Does the entity have a local presence (established) in the EU?
- Does the entity offer goods or services to EU citizens?
- Does the entity monitor the behaviour of EU citizens?
- Is the entity a processor for a controller who must comply with this legislation? I.e. are you processing personal information on behalf of an EU entity?
If you answered yes to one or more of the above, it is likely that you need to be compliant with the GDPR, or at least with certain aspects of it.
For more information on GDPR or other practical insights on privacy matters that may affect your organisation, contact firstname.lastname@example.org