Whose rights are protected by the European Union’s General Data Protection Regulation (GDPR)?
It’s an important question. With an accurate answer, your business can better assess its obligations to the regulation and define the scope of its compliance initiative. Consider this: In a survey performed by Cybersecurity Insiders, 71% of respondents indicated that running assessments – essentially making an inventory of user data and mapping the data to protected GDPR categories – is a top priority of their compliance initiative. Determining whose customer data is protected is a foundation of these assessments.
Despite its significance, many companies are still trying to find the answer to this question. In every workshop I attended during the recent Canada Privacy Symposium hosted by the International Association of Privacy Professionals (IAPP), conference-goers asked several variations of this question. Examples include:
- Do we need to comply with the GDPR if we don’t sell products or services in Europe?
- How does the GDPR impact companies outside the EU?
- We’re a B2B business. Are we beholden to GDPR requirements?
The overwhelming number of these questions shocked me. The symposium coincided with the GDPR’s enforcement deadline of May 25, 2018. Put simply: businesses were still asking this fundamental question about GDPR compliance on the day the regulation went into effect. Under GDPR enforcement, misunderstanding this key point can expose you to customer complaints and unwanted scrutiny from data protection authorities that could result in severe fines and class action lawsuits.
What’s the correct answer? Let’s explore some of the most up-to-date guidance on the subject, then play a little game that will dispel some of the most common myths about the individuals protected by the GDPR.
A Data Subject Is More than an EU Citizen
It’s easy to see why companies are confused about this basic tenet of the GDPR. On the surface, “EU citizen” or “EU customer” seems to make sense.
According to the European Commission’s website: “The EU Charter of Fundamental Rights stipulates that EU citizens have the right to protection of their personal data.” The GDPR, the page goes on to say, is the legislation that enforces this right.
Unfortunately, the answer is much more nuanced.
- What is the definition of an “EU citizen” under the GDPR?
- What about someone living in the EU who is not an EU citizen?
- What about an EU citizen living abroad?
The regulation’s lengthy text doesn’t offer much clarity at first. Neither the articles nor the recitals speak of an “EU citizen” or even an “individual”; they use the term “data subject” instead, which on its own does nothing to resolve the identity question.
GDPR Recital 14 gets to the heart of the issue:
“The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
According to GDPR Article 4(2), “processing” means:
“…any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
In plain terms, any act of storing, analyzing or using the data counts as processing.
Article 3 then sets out the territorial scope. Under Article 3(1), the regulation applies to processing carried out in the context of the activities of a controller or processor established in the EU, regardless of where the processing itself physically takes place and regardless of where the data subject lives. If personal data from anywhere in the world is processed by an EU-based organization, the rights of those non-EU residents, citizens or nationals are protected by virtue of that EU establishment.
Under Article 3(2), it also covers individuals in the EU, regardless of nationality, whose personal data is processed by a controller or processor with no EU establishment, where the processing relates to offering them goods or services (paid or free) or to monitoring their behaviour within the EU. That could be someone on holiday in the EU or even someone travelling through the EU en route to another region.
These applicability rules widen the scope of who is protected by the GDPR well beyond “EU citizens”.
Data Controllers versus Data Processors
Another common question at the IAPP symposium and in webinars we’ve hosted in the buildup to GDPR enforcement goes like this:
“I’m a data processor, not a data controller. Does the GDPR apply to me?”
Data controllers determine the purposes and means of the processing. Under the GDPR, they are the principal party responsible for honouring the rights the regulation grants to data subjects.
Data processors process personal data on behalf of a controller. Unlike the 1995 Data Protection Directive it replaces, the GDPR imposes direct obligations on processors and makes them subject to administrative fines and civil claims if they’re found to be out of compliance.
While the different obligations for controllers and processors are beyond the scope of this post, the key point is this: The GDPR holds both parties accountable for meeting its requirements.
Covered or Not?
Here’s a quick quiz that shows the broad scope of GDPR coverage.
1) Jackie is a resident of Erie, Pennsylvania. She’s on a trip to Paris, France, when she notices a TV commercial for perfume. She goes online, purchases a bottle from the French company and has it sent directly to her home.
Even though Jackie is an American, the GDPR covers her: she is “an individual in the EU” at the time her data is collected, and in any case the French company is established in the EU, so Article 3(1) applies regardless of where she happens to be.
2) Brenda is an American who signs up for a newsletter on Italiancuisine.com, a U.S. company whose third-party email service provider (ESP) is based in Italy.
The Italian ESP is subject to the GDPR as a data processor established in the EU, and must meet the processor obligations for the processing it performs. Whether Italiancuisine.com itself is caught is a separate question: a U.S. controller with no establishment in the EU falls within Article 3(2) only if it offers goods or services to, or monitors the behaviour of, people in the EU. Outsourcing to an EU-based processor does not settle that question on its own, so the controller should assess its own Article 3 position rather than assume either way.
3) Sam is a British national from London who now lives as an expat in San Francisco, California. He purchases trousers online from his favorite store in New York, and his data is also stored in the U.S.
The New York retailer does not have to worry about GDPR compliance for this customer. Nationality and past EU residence are irrelevant; Sam was physically located in the United States when he registered online and purchased the trousers. (This assumes the retailer has no establishment in the EU and does not otherwise target or monitor people in the EU.)
Sorting Out GDPR Applicability
There are many more conditions in the GDPR that determine its applicability to your business. To make an informed determination, seek legal advice on the:
- Current data stored in your systems
- Types of data sets covered by the regulation
- Various points of consent collection across your organization
- Regions you serve
- Digital properties you offer
Still, here’s a good general rule of thumb:
If you serve customers anywhere in the world, document the lawful basis for each processing activity. Where that basis is consent, Article 7(1) requires you to be able to demonstrate it, so always maintain proof of consent that clearly spells out how, when, where and why you collect and process personal data.
To learn how to balance data privacy and effective personalization, check out our upcoming webinar with independent research firm Forrester.
By Natalie Monetta