The General Data Protection Regulation (GDPR) was recently adopted in the European Union but has far-reaching consequences for businesses operating around the world. The GDPR was crafted and adopted with the intention of creating a durable body of regulations that govern what personal data can be collected from individuals in the EU and how that data is processed, transmitted, and stored. The rollout of the GDPR has confused many businesses that are based outside of the European Union, which may not realize that they fall under the jurisdictional scope of the GDPR. Also confusing is the structure of the regulation, which has been crafted to adhere to standards consistent with the Court of Justice of the European Union. In this article, we'll work to bring some clarity to the discussion regarding the GDPR. In particular, we'll outline the basics of what the GDPR is, who is covered by it, and whether your company should consider outsourcing your efforts to achieve GDPR compliance.
If you are confused about the GDPR and its impact on your business operations, you aren't alone. Much of the confusion surrounding the GDPR is a result of the complexity of the document itself. The GDPR is a massive document that is structured and written so as to serve as a legally enforceable regulatory structure. Because of this complexity, many companies aren't sure what the scope of the GDPR is and whether they are considered covered under its regulatory umbrella. We will explore the scope of the document both to offer information for companies wondering whether they must comply with the GDPR and to illustrate the complexity of navigating the document yourself.
Before diving further into the scope of the GDPR, it is first useful to discuss the two primary components of the document: Recitals and Articles. Many media outlets and companies have focused primarily on the Articles contained in the GDPR, as these constitute the actual binding requirements that companies must meet in order to be considered compliant. That being said, the Recitals found in the document provide context and greater depth of meaning to the Articles. Thus, the Recitals and Articles are inextricably bound and must be taken together in order to understand the scope, reach, and intention of the GDPR. To understand why the GDPR is so daunting to so many people, first consider that the document contains 99 Articles and 173 Recitals spread across 261 pages. Each of these Articles or Recitals is itself complex, and must be grappled with and worked through to be fully understood. For those interested in getting into the meat of the GDPR as a whole, the full text can be found here.
The best way to understand the importance of Recitals in the GDPR is to spend some time diving into some of the most significant GDPR Recitals and their corresponding Articles. A helpful resource for this can be found here, which provides a browsable version of the GDPR with associated Recitals and Articles readable at the same time. This type of resource is useful because of the format of the GDPR itself. The raw text of the GDPR begins with the Recitals, which can be identified by the leading word "Whereas". However, the text doesn't indicate the specific Articles that the Recitals correspond to. Thus, one must read through the entire document to begin seeing the connections between Recitals and the Articles they are intended to inform.
Understanding the Scope of the GDPR
One of the first things many companies want to know is whether they should be considered bound by the provisions set forth in the GDPR and must therefore maintain compliance with the regulation. Examining the scope of the GDPR is also a useful avenue for exploring the relationship between Recitals and Articles, and illustrates the need to carefully break down both the Articles and their related Recitals for any questions you may have regarding the GDPR.
Although many multinational corporations with a strong presence in the European Union have been moving towards compliance for at least a year, many smaller businesses operating outside of the European Union may not see why a regulatory document crafted outside of their country of operations would bind them. For example, a small business with a web presence operating out of the United States may only have a vague notion of the GDPR and may not understand that their data processing must be compliant with GDPR regulations.
The GDPR has a very broad scope, in both what it requires and who must be compliant with it. The penalties for non-compliance are extremely hefty. The top-tier penalty for infringement is 4% of the global annual revenue of the company for the previous financial year, or 20,000,000 EUR, whichever is higher. This staggering penalty is enough to cripple even the largest companies. This alone should serve as encouragement for companies to maintain compliance with the GDPR. The first step towards becoming compliant is figuring out whether you are covered under the regulation, which can be confusing. In order to determine this, let's take a look at the relevant Articles and the Recitals that inform them.
The territorial scope of the GDPR is set forth in Article 3, found on page 110 of the original document. Article 3 sets forth three provisions through which a company can determine if they are considered bound by the GDPR.
- The first provision outlines that the GDPR covers organizations based in the European Union that process the data of individuals, or data subjects, in the European Union. Importantly, the personal data does not have to be processed in the European Union.
- The second provision states that organizations that process personal data for individuals within the European Union are covered by the GDPR, regardless of where they are actually based. This is important for companies or individuals located in the United States or other areas outside of the European Union, but which process personal data for individuals within the EU. Also important are the sub-articles embedded in this provision. The first states that the GDPR regulation covers organizations that offer goods and services to individuals in the EU, regardless of whether an exchange of money takes place. The second sub-article argues that companies or individuals that monitor the behavior of individuals in the European Union are also covered by this.
- The third provision in Article 3 points to the fact that the regulation is tied to international law, indicating that the regulations are applicable outside of the European Union.
The provisions set forth in Article 3 of the GDPR are contextualized in greater detail in Recitals 22, 23, 24, and 25. Recital 22 provides greater context for the first provision in Article 3. The important point in Recital 22 is that regardless of whether an organization based in the EU processes the data itself or outsources that data processing to a third-party organization, it is still bound by the terms of the EU GDPR. The GDPR refers to this as a stable arrangement and holds that regardless of what form the arrangement takes, the GDPR applies. EU-based companies that process their personal data offshore must ensure that all avenues of data processing are compliant with the GDPR rules and regulatory structure.
Recital 23 dives into detail about the second provision in Article 3 governing the processing of personal data of individuals in the European Union by an organization not based in the EU. This is an important Recital for legitimate businesses and organizations based in the United States as well as other areas outside of the EU. This Recital further reinforces the fact that while merely having a website accessible to people within the EU isn't sufficient to determine coverage by the GDPR, neither are the requirements set forth in the GDPR tied to an exchange of money. An important point in Recital 23 is that whether an organization is offering goods or services to individuals in the EU should be assessed by determining whether the organization "envisages offering services to data subjects… in the Union". This indicates that when determining culpability for non-compliance, the regulatory body would take into consideration the context and intentions of the organization in question to determine if its intention was in fact to cater to individuals in the EU, which would bind it to the regulations set forth in the GDPR. The Recital goes further to suggest that while the mere presence of a website isn't sufficient to demonstrate this, the existence of language options catering to individuals in the EU, the ability to select a native currency on the website, or mentioning customers who are in the EU would indicate the intention to offer goods and services to data subjects in the EU and thus would result in being covered by the GDPR.
Recital 24 is devoted to the second provision set forth in Article 3 of the GDPR as well, but is focused on defining what constitutes monitoring an individual in the EU. Remember that in Article 3 the GDPR states that offering goods and services to, or monitoring, individuals in the EU is a determining factor with regard to whether a business is bound by the regulation. Recital 24 states that in order to determine this, "it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes". To clear up any confusion, "natural persons" refers to real, identifiable individuals.
This Recital is saying that the analysis of individuals in the EU in order to determine key traits about an individual brings an organization under the umbrella of the GDPR. This is especially important given the recent news stories highlighting voter profiling done by the British consulting firm Cambridge Analytica, which profiled users based on data gathered, often without their consent, from social media platforms like Facebook. While much of the controversy surrounding Cambridge Analytica has been tied to its efforts in the 2016 Presidential election in the United States, the firm had also worked extensively profiling individuals in other countries and has been tied to the controversial Brexit vote. Under the GDPR, an organization based in the United States that compiled profiles on individuals in the EU in order to determine things like shopping or voting preferences would be required to adhere to the regulations set forth in the GDPR.
Maintaining Compliance With the GDPR
Diving into Article 3 of the GDPR, which sets forth the scope of the regulation, as well as the corresponding Recitals which contextualize the Articles, highlights the staggering complexity of the document. This complexity has already led to a high degree of frustration, not only for businesses attempting to figure out if they are in scope of the regulation, but also in determining exactly what they must do to comply. We spent a brief time diving into Article 3 and the related Recitals, but consider that there are 99 Articles and 173 Recitals that a company must read, understand, and then apply to their organization in order to achieve compliance. The complexity of this task cannot be overstated, and it is affecting organizations around the world. As a recent news article in The Verge points out, the vast majority of companies around the world aren't fully compliant with the GDPR as of its effective date of May 25, 2018.
One of the most significant challenges that many companies are facing when attempting to bring themselves into compliance with the GDPR is figuring out exactly how to implement GDPR compliance. Digging into the Recitals and Articles is a start, but only goes so far when the regulatory structure governing the GDPR isn't completely established either. One avenue that many companies and businesses are taking to ensure that they are compliant with the regulation is to contract this effort out to a third-party risk assessor. There are a plethora of GDPR compliance services hitting the market, with even more expected as the regulation begins to be enforced.
Many organizations are recognizing that they are behind the curve when it comes to achieving compliance with the regulation, and are thus looking towards first having a third-party assessor conduct a GDPR assessment of their systems and processes. To understand the requirements from a data security perspective, check out this essential guide to GDPR compliance. A GDPR assessment is an important step towards understanding how you need to structure your systems and processes going forward to achieve compliance and maintain it over time. Third-party assessors that offer GDPR consultancy services are an excellent tool for businesses which don't have the time, expertise, or knowledge base to independently bring their organizations up to speed. These services bring industry-recognized data security experts into the fold to ensure that you are processing personal data according to GDPR requirements throughout your organization.