The 25th May 2018 marks a seminal event for businesses worldwide, with the EU’s General Data Protection Regulation (or GDPR) entering into force following its approval in 2016. From this date onwards, organisations found to be in breach of the GDPR can face steep fines for non-compliance or data breaches.
We’ve covered what the GDPR is and why it’s come into existence in more detail previously on our blog, but in a nutshell: GDPR provides revised rules on data handling and processing for the digital age. It has been created to standardise the way all EU nations – and those who engage in transactions and activities within the EU – deal with personal data, giving greater levels of protection and control to citizens.
Companies found to be in breach of the GDPR, or who fail to report data breaches within 72 hours, may find themselves having to pay extremely hefty fines if caught. Fines will vary based on the severity of the breach or handling/processing error, but the maximum charge companies face will be 4% of their annual global revenue, or €20m – whichever is the higher amount.
But my business isn’t in the EU!
Rather than simply being an EU issue that other countries need not worry about, GDPR will have a global impact; it is not limited to EU companies, citizens, and member states. GDPR isn’t about citizenship or where your business is located; it’s about where you trade and where the people you hold information on are. It doesn’t matter where you’re doing the processing, or whether the person is an EU national; if the activity or transaction is in the EU, you have to comply.
Due to the globalised, cross-border nature of business these days, GDPR has left many people confused about the limits of the regulation and whether or not it applies to them. Here are four examples that should make it clear when GDPR comes into play, and when it does not:
1. A US marketing manager is in Paris at a conference. Whilst there, she makes a call to another US company to discuss the potential for them to work together. The marketing manager takes down some personal details of the individual she’s talking to, including their name, email address, and mobile phone number, so she can pick up when she’s back in the States. Although the call takes place in France, it is not related to a product or service provided in the EU, so GDPR does not apply.
2. A sales representative from Germany is at a trade show in New York, and realises he’s running low on business cards for an event taking place the following week closer to home. He places an order online with his usual Berlin-based printing firm, and pays for it with his credit card. This transaction takes place whilst the sales rep is physically in the US, but as the service will be delivered in the EU, GDPR applies.
3. An international company, with offices in the EU and US, sends a US sales representative to an event in Chicago. This representative collects contact details for a potential new customer, who is also based in the US. Even though the company has an EU office, since this activity is taking place entirely in the US, GDPR does not apply.
4. A US event application developer receives an order from a new customer in London. This customer will be downloading and using the software in the UK, and provides their billing details and credit card information. GDPR is applicable in this case because the service is being delivered in the EU.
Will the UK have to comply after Brexit?
As we’ve already discussed, it doesn’t matter where your company is based; what matters is where the transaction or activity is taking place. Therefore, if a company is processing data in the UK post-Brexit, and that data pertains to a sale or action that is being carried out in the EU, they will have to comply with GDPR. Many UK companies will have customers internationally, and it’s their EU-based users whose data they’ll have to take care with.
However, even after Brexit is finalised and the UK is no longer an EU member state, it’s likely that there will still be regulations governing the processing of data in order to protect citizens. This may take the form of the 2017 Data Protection Bill, which, like the GDPR, was designed as an update to the previous Data Protection Act and covers the processing of information in the digital age. As it complements the GDPR, there should be very few differences between the two regulations, which will hopefully present less of a headache to companies outside the EU and UK that find themselves trading with customers from both regions.
Is your company compliant?
If you’re a non-EU company operating within the EU or dealing with EU customers, it’s very likely that you’ll need to take measures to ensure you’re ticking the right boxes. Mistakes and oversights can be very costly, so it may be wise to seek further advice if you’re unsure if GDPR applies to you, or consider taking on a Data Protection Officer if you handle large amounts of data.
Many businesses are worried about the impact of the GDPR and the amount of effort it will take to become compliant (which is why the EU Parliament allowed a two-year transition period), but there’s a positive side too: businesses around the world are set to save roughly €2.3bn a year, because having a standardised set of regulations across the EU makes a ‘one size fits all’ approach possible when dealing with customers and companies in the EU, rather than needing to adhere to multiple, often contradictory, regulations.
If events are a key part of your sales and marketing strategy, it’s especially important that you familiarise yourself with the ins and outs of this regulation. Events are highly prone to data collection mistakes that could potentially cost companies millions under the new regulations, which is why it’s vital to ensure that you’re toeing the line. Particularly at risk are companies that attend events in the EU once or twice a year – chances are that the data collection methods you used last year could see you fall foul of GDPR requirements from now on.