Two Big Reasons Why the GDPR Matters Outside the European Union
If you think the GDPR — a European Union regulation that impacts data management — matters only for companies based in the E.U., think again. The GDPR is truly international in scope. Here’s why.
In case you’ve somehow missed it, the GDPR (that’s short for General Data Protection Regulation) is a regulation designed to protect the personal data of consumers in the European Union.
The GDPR’s requirements are far too lengthy to detail here. But suffice it to say that the regulation imposes significant new rules on the ways in which companies store, manage and transfer data associated with individuals. Going forward, companies will be responsible for building data management systems that implement “data protection by design and by default” (Article 25), and for honoring data subjects’ right to erasure (Article 17), which means being able to find and permanently delete an individual’s personal data on request, subject to the limited exceptions the regulation allows (for example, where retention is required by law).
For any company that works with data — which is to say, almost every company today — the GDPR is a big deal. Most existing data management tools and processes were not designed with the GDPR in mind, so businesses will have to assess the way they currently manage data and determine what they need to change in order to become GDPR-compliant.
That is true not just for companies in the European Union, but in many cases, across the world. Although the GDPR is a European Union regulation, its import is truly international. There are two main reasons why this is so.
The GDPR (Potentially) Applies to Any Company that Engages with People in the E.U.
The first is that, according to Article 3 of the GDPR, the regulation applies not only to organizations established in the E.U., but also to organizations outside the E.U. that process the personal data of people who are located in the E.U. Note that the test is where the individual is, not their citizenship: a U.S. citizen living in Berlin is covered, while an E.U. citizen living in Chicago generally is not.
What this means in practice is that if you have, say, a website form that collects the personal information of visitors, and some of the people who fill it out are located in the E.U. at the time that they fill it out, that data could be subject to the GDPR. Similarly, if you partner with an organization that collects data from people in the E.U., and some of that data is shared with you or otherwise comes under your stewardship, the GDPR might well apply to that data, whether you handle it as a controller or as a processor acting on a partner’s behalf.
There is some nuance to note here. For an organization outside the E.U., Article 3 applies when the processing relates either to offering goods or services to people in the E.U. (whether or not payment is involved) or to monitoring their behavior within the E.U. Generally, then, your business would have to deliberately target E.U. residents, by marketing to them, pricing in euros, or offering E.U.-language versions of a site, or else track them, for instance through analytics or profiling that follows visitors across the web. But there is a fair amount of gray area in defining what deliberate targeting and monitoring mean. And since the GDPR is so new, there is not yet much precedent that clarifies how this dimension of the regulation will be interpreted by regulators and courts.
Because of the legal ambiguity and the expansive nature of the regulation in this respect, it’s hard for any business that operates on a large geographic scale — or even just has a website — to avoid collecting data that is subject to the GDPR. You could try a strategy like blocking access to your website from E.U. IP addresses in order to avoid collecting GDPR-regulated data, but that approach is not likely to work well in practice: IP geolocation is imprecise, E.U. visitors can arrive through VPNs or proxies, and blocking new visitors does nothing about personal data you already hold or receive from partners.
A better, safer strategy is to operate as if all personal data that you collect is subject to the GDPR, and treat it accordingly.
The GDPR Will Inspire Similar Regulations
The second reason why the GDPR matters outside of the E.U. — and why it is a good idea to start planning for compliance now — is that the regulation may inspire similar frameworks in other jurisdictions in the future.
This is especially true given the spate of recent high-profile blowups related to consumer data privacy in the United States. Revelations that Cambridge Analytica collected personal data about millions of Facebook users without their explicit consent, along with events like the Equifax data breach, have sparked intense scrutiny of the way digital data is managed. They have also spurred discussion in Congress of a “privacy bill of rights” for the United States, which could take its inspiration from the GDPR.
At the time of writing, no country has announced plans to implement its own version of the GDPR. But it is not unreasonable to imagine that the GDPR will serve as a model for data privacy regulations in other jurisdictions, which would more comprehensively impact businesses based in those regions. That’s another reason why now is a good time to start bringing your company’s data management practices up to speed with the GDPR.
In short, the GDPR is not just something that European Union companies have to worry about. It has a very real and direct impact on many businesses outside of the E.U., and its significance will likely only increase as other governments look to the GDPR to guide data privacy regulations of their own.
It’s worth noting, too, that there is value in adhering to the GDPR’s requirements even if you are not legally obliged to do so. In many ways, the GDPR encourages data management best practices, and those are never a bad thing. Plus, in an age when consumers are growing increasingly frustrated by what companies are doing with their personal data, making data privacy a priority within your data management strategy certainly can’t be bad for business.
If you want to learn more about GDPR compliance and how Syncsort can help, be sure to read our eBook on Data Quality-Driven GDPR.