GDPR outside of the EU/UK
Simon Hinks explains what businesses beyond Europe need to be doing with regard to the General Data Protection Regulation
Over the past couple of weeks, I’ve discovered that many businesses outside of Europe have very little knowledge of the impact of GDPR on their global markets. So, I thought this week we would look at what those businesses abroad should be doing if they are selling products and services to EU citizens and companies.
Processing in the context of the activities of a European establishment
GDPR makes it clear that the processing of personal data in the context of the activities of an establishment in the EU will be caught by the law regardless of whether the processing takes place inside or outside the EU. This will impact corporate groups that have operations in both Europe and outside of Europe. The data subjects do not need to be resident in the EU for this provision to apply.
Offering goods or services to EU-based data subjects
By way of example, a Dubai hotel operator promoting offers to European businesses and taking bookings in Euros via its website would almost certainly be deemed to be offering its products to EU data subjects. The GDPR would apply to its processing of personal data (including names, addresses and payment details) of European visitors.
Monitoring the behaviour of EU-based data subjects
Appointment of a representative
Any business outside the EU must appoint a representative in the EU for the purposes of the GDPR. Such a representative should act on behalf of the non-EU entity and may be addressed by any European supervisory authority.
The representative must be located in one of the European countries of the individuals who are offered products or subject to behavioural monitoring.
Next steps for organisations outside of Europe
All organisations outside of Europe with any connection to Europe – whether through customers, affiliates or business partners – should be considering the potential impact of the GDPR. Other businesses outside of Europe could adopt a level of self-regulation where customer demand or organisational requirements mean that the GDPR is adopted as the de facto standard for data processing around the world.