The General Data Protection Regulation (‘GDPR’) is, perhaps, the most important piece of law for any international enterprise that ‘carries on business’ in the European Union. In this article, we set out the key elements of GDPR compliance for any enterprise operating in the global marketplace.
We start with the definition of personal data before explaining the obligations of data controllers and processors – the key roles that your business might be performing under the GDPR. We finish by explaining the rules for transferring personal data overseas (such as to an overseas branch of your own enterprise).
The Definition of Personal Data
The focus of the GDPR is personal data, and how it is controlled and processed. Take a look at the definition of personal data in article 4(1) of the GDPR (all subsequent article references are to the GDPR):
There is no complete list of the types of information that might be classed as personal data under the GDPR. However, the definition covers a broad range of information including:
The individual whose data is held is known as the ‘data subject’.
It’s important to recognize that context determines whether a given piece of data identifies an individual. For example, a very common name such as ‘John Smith’ may not, in itself, be enough to constitute personal data, as on its own it potentially could not be used to identify any particular person.
The GDPR applies to any organization which processes personal data as part of its activities in the EU, or which offers goods or services to, or monitors the behavior of, individuals in the EU. Non-compliance can result in substantial fines (up to €10 million or 2 percent of global turnover).
Other countries are starting to model their own data protection laws on the GDPR, such as Brazil’s new data protection law, or China’s new Personal Information Protection Law (PIPL). Read more about the similarities and differences between the GDPR and Brazil’s approach in What is Brazil’s LGPD? Four Differences from the GDPR.
Article 5 sets out the key principles that apply to protecting and processing personal data. This article provides that personal information must be:
Article 6 sets out in detail when the processing of personal data is permitted (the ‘lawfulness of processing’). It is permitted in a range of situations, including where:
If the data is ‘sensitive’ personal data (such as ethnic origins or political opinions), there are special rules that apply to its processing.
Rights of the Data Subject
The GDPR provides individuals with a range of rights with respect to their personal data. These rights in turn correspond with obligations for data controllers and processors.
The rights for individuals within the GDPR include:
Who do the GDPR Obligations Apply to?
The principles themselves have legal significance only by imposing obligations on, and granting rights to, certain persons. So, who do these principles apply to?
The obligations apply to two key roles: the ‘controller’ and the ‘processor’. The controller is the person (which could be a company or a natural person) that determines, whether alone or with others, the purposes and means of processing personal data. The controller has overall ‘control’ of the use and processing of personal data within the organization.
By contrast, the ‘processor’ is the person or organization that actually processes the data. Of course, the controller and the processor could be (and often are) the same organization or company.
The data controller must put in place:
The controller must also ensure that any processor of the data has sufficient measures in place to protect the data.
Not only is the controller responsible for compliance with these requirements, it must also be able to demonstrate that compliance (see article 5(2)).
What Are the Obligations of the Processor?
The data processor must:
How Does Data Transfer Overseas Work?
For international enterprises, transferring personal information across borders is often a necessity. However, the GDPR has clear rules specifying when an organization can transfer personal data overseas.
Article 44 spells out the general principle underlying international transfers of personal data. In short, a transfer of personal data to a third country (i.e., outside the EU) may take place only if one of the mechanisms set out in the GDPR is complied with. The key mechanisms (see article 46) are:
There are limited exceptions under which data can be transferred even if none of these grounds exists. For example, where the individual explicitly consents despite having been informed of the possible risks, or where the transfer is required for establishing or defending legal claims (article 49).
What Does the GDPR Mean for International Enterprises?
In order to ensure compliance with the GDPR, it is recommended that international enterprises consider the following questions:
We recommend that any organization that may potentially be covered by the GDPR seek professional advice on how they can comply with that regulation throughout their international expansion.
The GDPR is a wide-ranging data protection law that may apply to any business that has dealings with individuals in the EU. International enterprises need to consider how the definition of personal data, the roles and responsibilities of controllers and processors, and the international transfer rules might apply to them.
International enterprises also need to consider the implications of other data protection laws (such as the California Consumer Privacy Act for any enterprise doing business in California), many of which are inspired by provisions contained in the GDPR.
To find out more about how your business can ensure compliance with the GDPR, check out What is a Data Protection Plan?
Horizons are international compliance specialists who, via their Europe Professional Employer Organization (Europe PEO), can advise on the best mechanisms for complying with the GDPR and any other data protection obligations you may have in your international enterprise.
Frequently Asked Questions
GDPR stands for “General Data Protection Regulation”. It is an EU-wide law applying to the control and processing of personal data. Similar laws have also been voluntarily adopted in other countries.
Yes, where those companies operate in the EU or deal with data subjects based in the EU.