We’re just a little more than six months away from the European Union’s General Data Protection Regulation (GDPR) going into effect and, according to a recent Veritas survey, 86% of businesses are worried about how the new regulation will impact their business.
I imagine a lot of this concern is tied to questions still swirling around the extent of GDPR’s reach—especially for US businesses.
Today, we embark on a series of blog posts that strive to summarize how each of the GDPR articles may affect your business. While there is no shortage of information on GDPR out there, my hope is these summaries can serve as an additional resource for those who need a quick and easy explanation. From there, organizations will want to work closely with their legal and risk management teams when devising their compliance strategies while looking to further guidance as it is issued by regulatory authorities and the Article 29 Working Party, the advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission.
And so, without further ado, let’s begin…
Article 1: Subject Matter and Objectives
The purpose of Article 1 is to lay out GDPR’s purpose, namely the creation of rules designed to protect the personal data of people residing in the EU. Simple enough, right? Right.
Article 2: Material Scope
Article 2 specifies what kind of data falls under GDPR’s purview—namely, personal data that is processed (“partially or wholly”) by automated means. This does not include data processing that is:
- Not protected by Union law
- Conducted by Union states to support EU objectives (freedom, security, justice, etc.)
- Conducted by everyday people for personal means (like adding friends to contact lists)
- Conducted by law enforcement
The article goes on to explain that even when data is being processed by public Union agencies, it must be done fairly and lawfully.
Article 3: Territorial Scope
Article 3 specifies any organization that processes the personal information of “data subjects” in the EU is bound by GDPR regardless of where the organization is physically located or where the actual data processing takes place.
But who are these data subjects? Citizens? Residents? Both?
This is an example of confusion that might be clarified by the GDPR’s more detailed recitals, which provide deeper context than the main text. In this case, Recital 14 appears to grant GDPR protection to any individual located in the EU whether they’re citizens, residents, business travelers, tourists, etc.
Article 3 further states: If the data processing is related to the 1.) offering of goods or services to EU residents—regardless of whether the residents actually pay for any such goods or services—or the 2.) behavior monitoring of EU residents. So if a US-based company collects data or monitors the activity of people residing in the EU, it is bound by GDPR even if the business doesn’t have any servers or officers located in the EU.
Now, in today’s world of global commerce, you could say anyone with a website is potentially offering goods or services to any global customer, including EU residents, right? Except the GDPR does say the business must demonstrate actual intent (by using local language or currency, for instance) in order to run into any trouble here.
Article 4: Definitions
Article 4 is the one article that can’t be summarized, because it lays out exactly what kind of data, people, businesses, activities, etc. important terms like “personal data” and “processing” extend to. Does personal data protected by the GDPR include facial images? Yes. Are companies that merely store data bound by GDPR? Yes.
You can read the full text here: https://gdpr-info.eu/art-4-gdpr/.
After that, check out how Waterline Data can resolve a key challenge in complying with GDPR by helping you identify and understand everything you need to know about your data, including origin: https://www.waterlinedata.com/gdpr-compliance-solution/.
Next week, we continue the series with GDPR: Chapter 2.