GDPR significantly broadens the scope of data privacy requirements: are you in, or out?

The European Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council) is still the data privacy law in effect today in the European Union. This year its replacement, the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), was adopted; it will apply from 25 May 2018. GDPR significantly broadens the scope of the data privacy requirements, both in terms of the personas it binds and the territory it covers.

The scope of EU data privacy regulation today

Personas

Currently, there are two types of personas involved in data privacy:

  • “Controllers” – those entities who determine the purpose and the means of processing of personal information;
  • “Processors” – those entities who do the actual processing of data on behalf of the controllers.

Under the current Data Protection Directive, compliance responsibility sits with the controllers, while processors only need to honour whatever provisions the controllers have written into their contracts. For example, a processor does not have to report a data breach unless the controller has contractually required it to. This leaves room for interpretation and weakens data protection in practice, since processors have little incentive to invest time and resources in compliance that is not their own legal obligation.

Territory

Currently, the EU data protection rules apply to entities established in the EU. With the narrow exception of non-EU entities that use equipment located in the EU to process data, they do not apply to entities outside the EU, even when those entities process personal data of people in the EU.

What will change with GDPR?

Personas

The controller/processor system remains in place under GDPR, but the requirements change drastically. Alongside stronger requirements for controllers, GDPR imposes direct, statutory obligations on processors. Thus, processors are directly required to

  • provide accountability (for example by keeping records of their processing activities);
  • notify the controller of a personal data breach without undue delay after becoming aware of it;
  • implement appropriate technical and organisational measures to secure the data they process;
  • face administrative fines for noncompliance.

The direct consequence of this extension is that many businesses previously outside the scope of data protection regulation now fall within it. Retailers, online shops, analytics companies, marketing companies and advertising companies that process personal data on behalf of their customers will all need to comply with GDPR.

Territory

Perhaps the most important change is the territorial extension of the scope of EU data protection rules. Whereas entities outside the EU previously did not have to bother with the Directive, under GDPR an entity established outside the EU must also comply when it processes the personal data of people who are in the EU and the processing relates to offering them goods or services (paid or free) or to monitoring their behaviour within the EU. Note that the test is where the data subjects are, not their citizenship: the rule covers anyone in the EU whatever their nationality. Hence it no longer matters where the processing takes place. This massively extends the scope of GDPR because:

  • Large companies worldwide need to assess whether they offer goods or services to, or monitor the behaviour of, people in the EU, and hence whether they must comply;
  • Debating where the data was processed is no longer a useful defence in court;
  • Routing processing through non-EU subsidiaries or subcontractors to avoid compliance no longer works.

A relevant example:

A local authority subcontracts an IT company to deliver cloud-based storage and data management services. The local authority decides what data is sent to the cloud and for what purpose, making it the controller. The IT company is the processor: it handles the data on the authority's instructions without deciding what it contains or what it is used for.

Under the current Data Protection Directive, the local authority must comply with the requirements, but the IT company holding the data is bound only by whatever security obligations the authority wrote into the contract. If the contract is weak or silent on the matter, the IT company is not legally required to implement adequate security measures, which means the data is actually at risk.

Under GDPR, both the local authority and the IT company must comply with data protection requirements: the IT company must secure the data it holds, notify the authority of breaches, and is itself liable for fines. This significantly raises the level of data protection and of responsibility.

Conclusion

The new GDPR scope removes ambiguities about how to apply the regulation depending on where the data is processed, and makes data protection a concern for everyone processing the personal data of people in the EU, whoever and wherever they are. Companies outside the EU that serve EU clients will need to revisit their processes and plan for compliance. Assessing whether the company has EU clients at all is a task in itself that must be carried out. Companies outside the EU with EU subsidiaries acting as processors will also need to plan for GDPR compliance. With the increasing adoption of online payment methods and the growth of e-commerce, the number of processors increases year by year. Since processors will now carry their own obligations, the number of companies within the scope of GDPR will be drastically larger than the number of businesses within the scope of the Data Protection Directive today.
