Data transcends geographical boundaries, and so does the General Data Protection Regulation (GDPR). The law has become a global benchmark for businesses far beyond Europe's borders. Besides the 27 EU member states and the other countries of the European Economic Area (EEA), GDPR's reach extends to processing of the personal data of individuals in the EU by organisations anywhere in the world. This blog explains the scope of GDPR outside the EU.
How does GDPR impact non-EU businesses?
The GDPR is known for its global applicability. It requires any business collecting European personal data to handle it responsibly, regardless of its location.
GDPR impacts businesses outside the EU in the following ways.
#1 Non-EU businesses offering products or services to EU residents
GDPR brings companies outside Europe within the law’s scope if they offer products or services to data subjects in the union.
Consider an online textile business based solely in India that has gained international recognition. Customers worldwide, particularly in Europe, frequently visit its website to buy its products. To improve the shopping experience, the company lets visitors display prices in the currencies used in different European countries. Does the company need to be GDPR-compliant?
The currency option shows that the company deliberately accommodates EU customers: it is evidence of an intention to serve the European market rather than of mere accessibility from Europe.
Companies that demonstrate such an intention are considered to be targeting EU data subjects and must comply with GDPR.
In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.
GDPR Recital 23
Other indicators that a business intends to offer its products or services to EU data subjects include:
- Promotional content in EU-specific languages
- Mentions of EU customers or clients
- Website versions created specifically for EU member states
- Options to choose an EU country as the location for customised content
- EU-specific cultural references
- A streaming service offering content dubbed in several EU-specific languages
Merely being accessible in Europe, like in any other country, doesn’t necessarily imply that there’s an intention to market to those customers.
Example
A Japanese online gaming application is available in Japanese and English. All the games resemble traditional Japanese games and are promoted exclusively to Japanese customers. Here, GDPR does not apply merely because an English version exists. However, if the application is in fact widely used by people in Europe and therefore processes their personal data, GDPR might still apply.
#2 Non-EU businesses monitoring the behaviour of individuals in the EU
Monitoring typically means tracking individuals' online activities and using that information to analyse or predict their behaviour, interests and preferences. It is how you get music suggestions that match your taste, or advertisements for products you searched for earlier. Convenient as this is for businesses, many people do not want to be followed around the internet.
Examples of monitoring activities
- A Kentucky-based online retailer sending targeted advertisements and marketing emails to EU customers based on their search history and online activities.
- A Malaysian travel agency promoting tour packages in EU-specific languages to European customers based on their internet searches.
GDPR takes monitoring seriously. Websites that collect personal data from people in the EU through tracking technologies such as cookies must obtain consent before placing them, which is normally done through a cookie banner that lets data subjects choose whether to allow cookies on their devices.
Not all cookies need consent. Essential (strictly necessary) cookies, such as those used for load balancing or for keeping a user logged in, can be set without consent because the service the user asked for does not work without them.
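The distinction above (necessary cookies may be set straight away, everything else only after an explicit opt-in) is easiest to enforce with a single choke point that every cookie write must pass through. The following is an added example written for this page; it is not CookieYes code or any CMP's API. The cookie names, the category registry and the in-memory jar that stands in for document.cookie are all constructed so the example runs outside a browser.

```javascript
// Added example (not CookieYes code): a consent gate that only lets
// necessary cookies through until the visitor opts in to other categories,
// and purges a category's cookies when consent is withdrawn.

const CATEGORY = Object.freeze({
  NECESSARY: "necessary",     // exempt from consent (session, load balancing)
  ANALYTICS: "analytics",
  ADVERTISING: "advertising",
});

// Hypothetical registry: every cookie the site sets, mapped to its category.
// Anything not listed here is treated as non-essential and refused (fail closed).
const COOKIE_REGISTRY = Object.freeze({
  lb_affinity: CATEGORY.NECESSARY,
  session_id: CATEGORY.NECESSARY,
  site_stats: CATEGORY.ANALYTICS,
  ad_profile: CATEGORY.ADVERTISING,
});

class ConsentGate {
  constructor(registry) {
    this.registry = registry;
    // Default state: only the necessary category is allowed.
    this.consent = { [CATEGORY.NECESSARY]: true };
    this.jar = new Map();  // name -> { value, category }; stands in for document.cookie
    this.blocked = [];     // audit log of refused writes
  }

  // Store the visitor's banner choice. Only an explicit boolean `true` counts
  // as consent; a missing category stays refused, so dismissing the banner
  // without choosing grants nothing.
  recordChoice(choices) {
    for (const cat of Object.values(CATEGORY)) {
      if (cat === CATEGORY.NECESSARY) continue;
      this.consent[cat] = choices[cat] === true;
    }
  }

  // Withdraw consent for one category and delete the cookies it already set.
  withdraw(category) {
    if (category === CATEGORY.NECESSARY) return 0;
    this.consent[category] = false;
    let purged = 0;
    for (const [name, meta] of this.jar) {
      if (meta.category === category) { this.jar.delete(name); purged++; }
    }
    return purged;
  }

  // The single choke point through which all cookie writes must pass.
  setCookie(name, value) {
    // hasOwnProperty guards against prototype keys ("toString") being read as registry entries.
    if (!Object.prototype.hasOwnProperty.call(this.registry, name)) {
      this.blocked.push({ name, reason: "unregistered cookie" });
      return false;
    }
    const category = this.registry[name];
    if (this.consent[category] !== true) {
      this.blocked.push({ name, reason: `no consent for ${category}` });
      return false;
    }
    this.jar.set(name, { value, category });
    return true;
  }

  cookieNames() { return [...this.jar.keys()]; }
}

// Walk through a typical visit and return the final state for inspection.
function simulateVisit() {
  const gate = new ConsentGate(COOKIE_REGISTRY);
  gate.setCookie("lb_affinity", "node-2");   // allowed before any banner interaction
  gate.setCookie("site_stats", "v=1");       // refused: no consent yet
  gate.recordChoice({ analytics: true });    // visitor opts in to analytics only
  gate.setCookie("site_stats", "v=1");       // now allowed
  gate.setCookie("ad_profile", "seg=42");    // still refused
  gate.setCookie("rogue_tracker", "x");      // refused: not in the registry
  const purged = gate.withdraw(CATEGORY.ANALYTICS);
  return {
    cookies: gate.cookieNames(),                // ["lb_affinity"]
    blocked: gate.blocked.map((b) => b.name),   // ["site_stats", "ad_profile", "rogue_tracker"]
    purged,                                     // 1
  };
}

console.log(JSON.stringify(simulateVisit(), null, 2));
```

The two design choices worth copying into a real deployment are that the default state allows nothing optional, and that an unregistered cookie is refused rather than allowed: a tag that someone adds to the site without updating the registry fails closed instead of silently tracking visitors before consent.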
A survey conducted in 2021 found that 61% of website visitors from the UK accepted cookies and a further 12% neither accepted nor rejected them. In other words, organisations could still use cookies despite the strict requirements, but on terms the data subject had agreed to.
Any website can obtain cookie consent by showing a cookie banner when a user visits. This lets you use the data while maintaining GDPR compliance, and a Consent Management Platform (CMP) makes it affordable. CookieYes is a leading CMP with 1.5 million+ users and is a certified Google CMP Gold Partner with IAB TCF compliance.
#3 Cross-border data transfer with third countries
The GDPR guarantees that the protection it provides remains with the data, even when it is transferred outside the European Union. That is why businesses transferring EU personal data to third countries (non-EU countries) must look for adequacy decisions or have Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR) to ensure that the data is protected.
If a country is found to provide an adequate level of data protection, transfers to it can be made without additional safeguards. The decision rests on factors such as the effectiveness of the country's data protection laws, the privacy rights it grants, the independence of its supervisory authorities, and so on. The following are some of the countries recognised as providing adequate protection.
- Argentina
- Andorra
- Canada (commercial organisations)
- Faroe Islands
- Japan
- New Zealand
- Switzerland
SCCs and BCRs are alternative solutions to the lack of adequacy decision made by the European Commission.
Requirements for non-EU entities
Non-EU companies that fall within the scope of GDPR should implement adequate measures to become compliant with the law.
The following are the key GDPR requirements:
Data minimisation and purpose limitation
Keep the data collection and its usage to the minimum and strictly aligned with the specific purpose of collection. Avoid collecting unnecessary personal data or using it for secondary purposes.
- Conduct data mapping and identify the types of data you collect
- Determine for how long you will retain the data
- Understand data flows
- Keep the database updated
- Remove any unused or unnecessary personal data
- Use data mapping tools if necessary
Have a Lawful basis for processing
A lawful basis is the legal justification for processing personal data, and GDPR provides six: consent, contract, legal obligation, legitimate interests, public task and vital interests.
Every entity must identify at least one lawful basis for each processing activity. In practice, businesses most often rely on consent and legitimate interests.
- Determine the legal basis for each type of processing
- Identify the legal basis before the processing begins, not afterwards
- State it in the privacy policy
- Keep the legal basis consistent; do not repurpose data under a new basis unless the new processing is itself fully lawful
- Implement consent mechanisms where consent is the basis
Implement data security
The European data protection law requires businesses to implement adequate security measures to safeguard personal data. These measures must be proportionate to the nature and amount of data that a business handles.
For example, special categories of personal data require stronger security than ordinary personal data, and the bar rises further if you handle a significant volume of such data.
- Encrypt personal data
- Implement role-based access controls
- Use multi-factor authentication
- Train employees on data security
- Conduct regular backups
- Have an incident response plan
Honour data subject rights
Non-EU companies must also honour GDPR data subject rights if they come under GDPR’s scope.
The eight GDPR rights are:
- Right to be informed
- Right of access
- Right to restrict processing
- Right to object
- Right to data portability
- Right to erasure
- Right to rectification
- Rights related to automated decision-making and profiling
To honour them in practice:
- Have a data subject request mechanism
- Make the mechanism convenient to use
- Develop standardised response templates
- Keep the data in a portable format
- Update the data inventory regularly so data can be located quickly
- Verify the identity of the requester before acting
- Fulfil requests without undue delay
Maintain transparency
The transparency requirements under GDPR are a commitment towards clear communication between data controllers and data subjects. The law mandates that businesses provide information about their data-handling practices to individuals. This can be fulfilled by providing a privacy policy, also known by the names privacy notice, privacy statement, etc.
- Create a GDPR-compliant privacy policy with all the necessary components
- Ensure that the privacy policy is clear and easy to understand
- Use plain language
- Avoid jargon
- Make the policy accessible and conspicuously available
- Leverage efficient privacy policy generators like CookieYes
Conduct Data Protection Impact Assessments (DPIAs)
Conduct impact assessments to assess your data processing activities and identify any risks associated with them. This is necessary if you handle high-risk data such as special categories of personal data/sensitive data or data used for profiling.
- Identify high-risk processing activities
- Develop a DPIA framework
- Update the data inventory regularly
- Analyse potential risks and impacts
- Consult privacy professionals
- Identify and document risk mitigation measures
Appoint a Data Protection Officer (DPO) and representative
DPOs are like the compliance architects of a company. They design and oversee the framework to protect personal data. A DPO evaluates whether the data processing is compliant with the GDPR regulations, assesses privacy risks, and also acts as a point of contact between the organisation and Data Protection Authorities (DPAs).
Non-EU companies within GDPR's scope must also appoint a representative in the EU, with limited exceptions under Article 27 (for example, occasional, low-risk processing).
- Assess the need for a DPO
- Define the roles and responsibilities of a DPO
- Provide them with sufficient resources to fulfil their responsibilities
- Select a qualified expert
- Publish the DPO's contact details to employees and individuals and communicate them to the supervisory authority
Ensure third-party compliance
GDPR requires data controllers handling EU personal data to have contractual agreements, known as data processing agreements with data processors who process data on their behalf. Such contracts must ensure the compliance of data processors and determine their roles and duties concerning data processing.
Adequacy in cross-border transfers
If you transfer personal data internationally, whether within your organisation or to outside parties, you must confirm that the transfer is adequately protected. For countries with an adequacy decision, no extra steps may be needed. Otherwise, you may rely on SCCs or BCRs.
Penalties for non-compliance
Organisations that sidestep GDPR requirements can face substantial financial consequences. Fines for non-compliance can reach 20 million euros or 4% of global annual turnover, whichever is higher. The amount depends on factors such as the nature and seriousness of the infringement, whether it was repeated, the size of the business, and the measures taken to mitigate the harm.
In addition to monetary consequences, companies can also face bans on data processing, warnings and reprimands from supervisory authorities.
Key steps for Non-EU businesses to comply with GDPR
If you are a non-EU business and are bound by GDPR’s data privacy requirements, here is a quick checklist for you.
- Understand GDPR and its key criteria and requirements
- Appoint a representative in the EU
- Practice data minimisation and purpose limitation
- Identify legal bases for processing
- Conduct data mapping and keep the data inventory updated
- Provide a clear and conspicuous privacy policy to data subjects
- Implement reasonable data security measures
- Use privacy-compliant CMPs like CookieYes for your online platforms
- Conduct impact assessments
- Establish convenient mechanisms for the data subjects to exercise their GDPR rights
- Ensure adequacy in cross-border transfers
- Appoint a DPO
FAQ on GDPR outside the EU
Does GDPR apply to US companies?
Yes. GDPR applies to US companies, and to companies anywhere outside the EU, that offer products or services to individuals in the EU or monitor their behaviour, even without an establishment in the EU.
Does GDPR protect only EU citizens?
No. GDPR protects individuals who are in the European Union, regardless of their nationality.