GDPR disregards national borders. Wherever you are located, if you process the personal data of individuals in the EU (whether or not they are EU citizens), for example because you offer them goods or services or monitor their behaviour, you will have to comply.
Here's a quick guide setting out the key geographical considerations. It's impossible to cover every scenario, but this gives a flavour of what you need to be thinking about.
Remember it's not just about where you're based; it's about the geography of the data you are processing: where it is collected, stored, backed up and accessed.
Q Who will be my National Data Protection Authority (NDPA)?
A Businesses established in more than one EU country can benefit from the "one-stop shop": a single lead NDPA. That lead authority is determined by where the business has its main establishment (normally its central administration, or the establishment where decisions about the processing are taken); it is not picked freely. If you are a Europe-based business which will be processing relevant personal data you must identify the NDPA or Authorities to whom you will be answerable in connection with data protection issues.
For businesses located within a single European jurisdiction this will be straightforward, as it will almost certainly be the same NDPA which has historically been regulating you (in the UK, for example, this is the ICO).
If, however, your operations are spread across Europe, careful thought needs to be given to whether it will be more convenient to have a standardised data protection approach across the whole region and, if so, where your main establishment, and therefore your lead NDPA, sits.
If you are a business based outside Europe with no establishment in the EU, the one-stop shop is not available to you. You will generally need to appoint a representative in one of the EU Member States where your data subjects are located, and you may be answerable to the NDPA of any Member State in which you process their data.
Despite the harmonising effect of the GDPR, there are still likely to be jurisdictional differences. Some countries have already implemented domestic legislation which is at least as stringent as the GDPR (in the Netherlands, for example, breach notification has been mandatory since 2016). Others, such as the UK, have indicated an intention to exercise the derogations the GDPR permits. Selecting the appropriate regime requires a considered approach, particularly for UK businesses which after Brexit will technically sit outside the EU but may nevertheless have a substantial customer base within Europe.
Q What about data we process outside of the EU?
A Currently, the only jurisdictions which the European Commission has found to offer adequate protection of personal data are Andorra, Argentina, Canada (commercial organisations only), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and, for organisations certified under the EU-US Privacy Shield, the United States (although the Privacy Shield programme is likely to be revisited once GDPR comes into force).
Countries such as India, South Africa and Australia, where significant off-shoring of work currently takes place, are not on the list at all.
Now is therefore a good time to scrutinise the other jurisdictions with which you share data. Transfers to countries without an adequacy finding are not prohibited outright, but they need an appropriate safeguard, such as Standard Contractual Clauses with the recipient or, for transfers within a corporate group, Binding Corporate Rules. You also need to consider how a notifiable breach at a processor in such a country would be handled: who would detect it, how quickly you would be told, and what rights of audit you have under the contract.
Q We're just in the UK, do we need to address cross border data issues?
A Even a business which operates exclusively in the UK, with customers in the UK, can still be caught out by the restriction on transferring personal data to countries without adequate protection unless an appropriate safeguard is in place.
This can be anything from an executive taking a laptop with electronic customer files on it on a business trip elsewhere in the world, to a cloud service which is ostensibly UK based but which (for redundancy or disaster recovery) mirrors its services to the US or further afield, replicating all of the business's customer data in those jurisdictions. Check where your providers and their sub-processors actually store, back up and provide support for your data, rather than relying on where the service is marketed from, and have those locations written into the contract.
So, what do we do now?
- Review your current and future business operations and assess where GDPR affects your data processing
- Map where your data is stored, backed up and accessed, including by cloud providers and their sub-processors, and put an appropriate safeguard in place for any transfer to a country without an adequacy finding
- Identify your NDPA(s)
- Make sure you're up to speed with the relevant NDPA's guidelines