GDPR is the General Data Protection Regulation approved and adopted by the EU Parliament on 27 April 2016, which is due to come into force on 25 May 2018. After this date, the current data protection legislation in the EU will be replaced by the GDPR, which will give the individual choice and control over how her/his data is used. The GDPR will also affect the export of personal data outside of the EU.
The European Union is the name used to identify the political and economic union of 28 states mainly located in Europe. To date, the member states of the EU are: Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom.
The main aim of the GDPR is to enable EU citizens to better control their personal data with an emphasis on transparency and accountability. With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations, and to individuals.
As far as the UK is concerned, leaving the EU won’t stop compliance requirements. Businesses outside the EU will still have to comply with EU regulations to manage EU citizens’ data, and this includes US companies.
Overseas transfers of EU data
Data transfer within the EU is allowed, and personal data transfers can be made to the US from the EU under the Privacy Shield. Canada is one of the countries granted adequacy status as long as data security is in place.
The current Model Contract Clauses are the best solution if receiving data from several EU-based organisations. A global group with operations in the EU can have its own in-house data protection policies, but they need to be approved by the European Supervisory Authorities, which can take up to 2 years.
Handling cross-border campaigns
Organisations operating in more than two EU countries can appoint a Supervisory Authority as their lead authority, which would have to be in the country where marketing activities are headquartered.
Under the one-stop shop agreement, an organisation with offices in two or more European countries can appoint a Supervisory Authority as its lead authority.
For example, the Information Commissioner’s Office (ICO) will be the regulatory office for businesses that are headquartered in the UK and have their main marketing activities there.
The GDPR will also apply to businesses which are not based in Europe. As the regulation has not come into force yet, it is hard to predict the extent to which it will affect businesses outside of the EU, and how the legislation is going to be enforced on them.
As Phil Gorski from Black Solicitors points out, companies will be taking commercial decisions depending on whether their business relies on meeting the GDPR standards; if it does, the same businesses will have to make sure that they fully comply. If you are doing a lot of business with Europe, then you will not be exempt from the GDPR, and this is part of the reason why the UK will still be subject to it after Brexit. You can watch the full interview with Phil Gorski here.
Once the GDPR comes into force, the potential maximum penalty will be considerably higher, and checks will be carried out to make sure that businesses comply with the new legislation in full. People are likely to become more and more aware of their data, and businesses should be ready for when that time comes. After all, GDPR enforcement is just a few months away!