The General Data Protection Regulation (GDPR) is a globally applicable data privacy law that protects consumers in European Union (EU) countries. Every business or organization in the world that markets to or processes data about people in the EU must comply with the GDPR or face severe fines.
This article will discuss the territorial scope of the regulation. We will include detailed examples to help you understand the GDPR and its reach, whether it applies to your business, and, if so, how to comply with its general requirements.
The GDPR is a worldwide privacy law that provides data security and behavior monitoring protection for consumers in the EU. Every commercial enterprise or organization located anywhere in the world that processes the personal data of consumers in the EU or monitors their behavior must comply with the GDPR.
Since fines for non-compliance with the GDPR can be drastic, it is important for you to know whether or not GDPR requirements apply to your business.
The GDPR applies to all businesses and organizations located in any country in the world that processes personal data and/or monitors the behavior of people in the EU, or provides them free or paid goods or services.
As Access Tufts at Tufts University asserts, even though the United Kingdom (UK) became separate from the EU in 2021, and the European Economic Area (EEA) GDPR no longer applies there, the UK GDPR does.
So just like personal data processing businesses or commercial organizations anywhere else in the world, the UK must still comply with all GDPR requirements if their data processing includes business activities established in an EU member country.
Businesses and commercial enterprises with no branches, divisions, or company ties to any EU countries must still comply with the GDPR if they either provide goods or services to the EU or monitor the behavior of EU residents.
As the Trade Commissioner of the Government of Canada informs:
"The GDPR applies to all companies handling the personal data of EU residents."
If you are monitoring the behavior of residents of any EU country, whether directly - such as tracking sales or subscriptions through a name and shipping address - or indirectly through cookies that collect IP address information or track which web pages site visitors linger on, your business must comply with the GDPR.
If your target audience does not include people from the EU, but your customers travel to the EU and use your product or service there, the GDPR does not apply to your company.
Remember that if you handle any kind of data from residents of the EU then you are required to comply with the GDPR. If your organization directly or indirectly does not process data from EU residents, then you are not required to follow the GDPR.
It should also be noted that individuals processing information purely for individual private use - such as gathering names and contact information of EU residents such as family located in the EU for an upcoming reunion - are not required to comply with the GDPR.
Since the GDPR is global in scope, it overrides your nation's data privacy and security laws where EU residents are involved, no matter your continent and country. Looking at how continental privacy laws and world trade regulations work within the worldwide applicability of the GDPR can add deeper context in answering the question, "Who does the GDPR apply to?":
Brian Daigle of the Journal of International Commerce and Economics, published by the United States International Trade Commission, notes that at least 20 African countries still have no data protection laws but are subject to compliance with the GDPR.
He adds that most of Africa's existing data protection laws likely stem from "...the EU Data Protection Directive, which preceded GDPR."
Europe is a major trading partner with the Association of Southeast Asian Nations (ASEAN). Some Asian countries, such as Malaysia, still do not currently have mandatory data protection laws, and privacy laws in other parts of the continent may be mild. Yet the strict GDPR laws are well-followed in Asia, as Financier Worldwide reveals.
The Australian Government Productivity Commission points out that the GDPR focus on consumer privacy protection for EU residents has influenced data security laws in Australia. Assets such as health records are better protected under strict laws to provide Australians with added security.
The European Commission reported that after two years of the GDPR's enactment in the EU, the GDPR could be called an "overall success" due to its facilitation of:
"...safe data flows, to the benefit of citizens and businesses alike."
The report also mentioned the need to keep up with international technology and keep future legislation in privacy regulations consistent across the EU.
Philip Higginbotham of Business Chief reminds North American businesspeople to avoid potential heavy fines for GDPR non-compliance by looking at their non-obvious sources of EU involvement - such as in supply chain software.
He also reminds companies that processed personal data does not have to include a name but can be a photo or a social media post.
Financier Worldwide notes that the 2018 enactment of the GDPR saw increased data privacy and cyber security regulations throughout Latin America - especially "countries such as Brazil, Chile, Argentina, and Columbia."
The GDPR creates strict standards for businesses around the world that process or monitor the personal information of EU consumers, and holds high penalties for non-compliance.
When determining if the GDPR applies to you, ask whether your business processes data from people in the EU, or targets such individuals.
The GDPR applies to businesses that are either located in the EU, or direct business activities towards the EU.
Remember to consider non-direct targeting possibilities, so if your website does track visitors from EU countries, the GDPR may apply to you.
For more clarification on which businesses have to comply with the GDPR and which do not, here is a deeper look at specific businesses in different world locales.
The U.S. Nebraska-based plant nursery company, NatureHills.com, sells a wide range of trees, shrubs, and flowers online. This business only sells to buyers in the contiguous United States with all of its products organized by U.S. growing zones, so it is not GDPR applicable.
Moving now to a European-based business, Europe Translations is a European languages translation company located in Belgium. As its website clearly shows, it is GDPR applicable as it targets EU clients.
For instance, its web pages market the company's services in languages such as Spanish, German, and Portuguese.
The U.S. California-based clothing company, Fashion Nova, ships products worldwide and mentions specific shipping rates, times, and options for the EU, so it is GDPR applicable:
Based in Canada, Knitty.com accepts site users' donated knitting patterns electronically and offers free patterns by download. It does collect email addresses and has a worldwide reach.
Knitty acknowledges that it is GDPR applicable through this text directed to EU residents and their rights in its Privacy Policy:
AEC Parcel Service ships parcels from the United States and Canada to 31 countries and, of course, in providing that service, handles personal information such as sender names, addresses, and payment details.
The AEC website shows that they target shipping customers for 25 of the 27 EU countries (excluding Cyprus and Malta):
If you have discovered that your business activities involving people in the EU require compliance with GDPR regulations, you will need to pay attention to following these main regulatory aspects.
There are GDPR-permitted reasons for processing personal data. Unless you can prove that you are processing data under one of these circumstances, you risk penalization under the GDPR if you collect, store, or sell someone's information.
The GDPR advises that both technical and organizational measures should be taken to offer the maximum protection and security of personal data. Be sure to enact all security and protection safeguards you can and only give access to staff or others who need the data.
Of course, the privacy rights of EU citizens are at the very crux of the GDPR, and workers in your business who handle that personal information must be aware of the full scope of those rights.
Under the GDPR, your company must always make clear consent forms or boxes for the EU consumer.
Keeping documented evidence of all consent, can help your business stay GDPR compliant.
If GDPR compliance is needed by your business, you will have to ensure that the staff and/or any third parties who handle EU data processing follow GDPR requirements. Data collection, processing, and storage processes must all be documented so that your company can prove GDPR compliance.
In creating actionable steps to ensure your business complies with GDPR regulations, make sure you create company procedures and policies that cover the aforementioned areas. To sum up, these are:
The GDPR is global in its scope and strict in its enforcement. It protects the data privacy and cyber security of EU residents and also allows them rights in decision-making about how their personal information is processed.
If yours is a company that either directly targets the EU market or monitors its personal information either directly or indirectly, you must comply with GDPR regulations or face severe fines.
Here is an overview of key points to keep in mind about GDPR applicability: