GDPR and Non-EU Companies – Extra Responsibilities?
It is now accepted wisdom that many (some say most) EU-based companies will struggle to be ready for the General Data Protection Regulation (GDPR) when it applies from May 2018. The obligations under GDPR are proving a stretch for many of those businesses and, even though many of them are similar to those under the 1995 Data Protection Directive which GDPR replaces, the eye-watering potential fines (up to the greater of €20m or 4% of global annual turnover) are causing a fair amount of concern among those companies in the EU which control or process the personal data of individuals. The result has been the EU business community looking inwards at what it can do to meet these requirements.
Polls have frequently identified that a large number of companies in the EU are not even aware of GDPR, never mind being ready for it. I’ve found this myself: in talking to people in the business community, I have come across a worrying number of relatively senior business people who are either not aware of GDPR or mistakenly believe it brings little risk for them.
But how many companies outside the EU are aware of the risks of GDPR?
It is clear: GDPR applies to any business which offers goods or services to, or monitors the behaviour of, individuals in the EU, regardless of where the business is based (Article 3(2)). Those organisations outside the EU watching Europeans run around in a panic about the new rules might want to take a moment and consider whether they also run a risk of punishment under GDPR. GDPR affects you if you sell, or propose to sell, to customers in the EU, whether or not you have any presence there.
Yes – your non-EU company can face a fine of €20m (or more) for failing to meet the requirements of GDPR.
I’ll give you a moment to let that sink in, because it is a worrying situation of which many non-EU companies are likely to be unaware. The inward focus of Europe means that little attention has been given to warning the rest of the world about the obligations it will face under the GDPR regime. A typical reaction on discovering this is: “But the EU has no jurisdiction over my company” or, for those of a more argumentative nature, “I’d like to see them try!”
For an example of how EU regulators enforce data protection law against overseas companies, I would point anyone to the action taken by the Dutch data protection authority against WhatsApp in 2016 under the Netherlands’ pre-GDPR legislation. WhatsApp faced a penalty of up to €1m, and note that this was simply for failing to appoint a representative in the Netherlands, not for losing or mishandling its users’ data.
The European Union treats the protection of individuals’ personal data as a priority. In a time of global data sharing and an increasing risk of data breaches, it has decided that there is little point in protecting people only inside the EU when their data is likely to be held by many companies outside that area. The result is the EU setting the GDPR standard for the protection of its residents’ data: if you want to do business in the EU, you need to comply.
Many non-EU companies are aware of the GDPR obligations and have either put in place measures to meet their obligations or are planning to do so. However, for the most part they will be basing their efforts on the advice being provided to EU companies by EU companies or regulators (and there is plenty of advice available; free and paid, good and bad).
What that fails to take into account is one key obligation which applies only to companies outside the EU: the need under Article 27 of GDPR to designate a Data Protection Representative in the EU. The purpose of this appointment is to ensure that individuals in the EU have a point of contact for the companies holding their data; the Representative can be addressed in addition to, or instead of, the company outside the EU, so that individuals (and EU data protection authorities) can obtain proper responses to the requests which GDPR permits them to make. Under Article 27(3) the Representative must be established in one of the EU countries where the individuals whose data you process are. If you have an establishment in the EU, Article 27 should not apply to you, because you are then caught by GDPR directly under Article 3(1) (although some commentators believe that representation may be required in each EU country where you sell); if not, you will need to designate an EU-based Data Protection Representative, and failure to do so can result in a fine at the “lower” level under GDPR, the greater of €10m or 2% of global annual turnover.
Put simply – if you sell in the EU but have no base there, you are likely to need a Data Protection Representative.
There are limited exclusions under Article 27(2): public authorities and bodies, and processing which is only occasional, does not include large-scale processing of special categories of data or criminal conviction data, and is unlikely to result in a risk to individuals. Processing which falls outside GDPR altogether, such as activities concerning national security, is also not caught. Unless you clearly fit one of these, assume the general position applies to your non-EU business.
While many companies are shrinking from the risk associated with this role, DPR Group is stepping forward to meet this requirement for our non-EU clients. We can be the appointed Data Protection Representative for our clients, and we have contact addresses across all 28 EU countries to ensure our clients’ customers are able to reach them with their data requests. If you haven’t yet appointed a Data Protection Representative, or if you have any questions on this or other GDPR obligations, please refer to our website at dpr.eu.com, or contact us at email@example.com.