Whether the GDPR applies to “all processing of personal data of EU residents” once left room for interpretation and debate. Under the current enforcement regime, however, there are both ‘direct’ reasons why the GDPR will apply globally and ‘indirect’ effects of the law that will cause its application in any case. Even the direct provisions of the law apply to organisations which have some form of EU establishment or sell goods and services into the EU, whether the actual data processing takes place in the EU or elsewhere.
Crucial to the GDPR, and integral to the entire legislation, is its explicitly extended territorial scope. This rather ambitious piece of legislation now exercises control and imposes sanctions in jurisdictions beyond the EU whenever EU citizens’ data protection rights are at risk.
USA to set a decent privacy standard like the GDPR
Given this uniform global application, even Apple’s chief executive Tim Cook has said that new regulations for the tech industry are “inevitable” in the wake of a series of scandals, rejoining a debate that is intensifying along with political pressure on the company’s rival, Facebook.
It is possible that Mr Cook’s claim that “the free market is not working” and that politicians should step in is a submission prompted by the simmering tension between Apple and Facebook. He added: “And it hasn’t worked here. I think it’s inevitable that there will be some level of regulation.”
Apple makes most of its money from selling hardware, whereas advertising-based tech platforms, Facebook in particular, have a privacy problem.
US politicians have been discussing how to regulate tech companies for the last two years on issues that vary widely, including privacy, political advertising and competition concerns. When Tim Cook becomes a fan of regulation, it cannot be a matter of privacy alone but of profits, or of privacy placed above technical innovation.
Non-EU organisations will be subject to the GDPR where they process personal data about EU data subjects in connection with any data or transaction.
All privacy data components need to be scanned for protection and compliance
Global organisations subject to the GDPR’s jurisdictional reach must appoint an EU-based representative. Some examples:
Personal data is stored in a multitude of databases, HR systems, personnel files, e-mails, archives, payroll systems and a variety of other sources, including the intranet, in-house or external websites, whistleblower systems and more. Information on customers is also stored in databases, e-mail and archive systems, CRM systems, mailing lists, and more. All these data components need to be scanned for all personal data.
The new generation of computer logs used in work systems and devices also involves the processing of personal data. Payment transactions, whether in person or online, likewise entail the processing of personal data. Processing even occurs when we give feedback on our colleagues during the annual appraisal. Practically every technology device and database used in business processes therefore involves personal data in some way.
The central role of the Data Protection Officer (or similar function)
The DPO also has a vital role in enforcing compliance with the GDPR. The most apparent added tasks and duties are the advancement of organisational security and discipline within the data protection function. The DPO must take on multiregional responsibility rather than being concerned with only one jurisdiction, assume global responsibility, add value to the enforcement duty and the security function, and streamline processes.
The GDPR framework and impact assessments must be based on industry best practices. Some global organisations that already have a data protection programme use various privacy frameworks. It is advisable that these frameworks include a tool for privacy impact assessments. With the GDPR, the focus must then shift towards these three areas to comply with the above:
For more information on the material and territorial scope, participate in one of our 1-4 day global certification seminars at https://www.eugdpr.institute/events/ or see:
Material scope: Article 2, Recitals 15-21
Territorial scope: Article 3, Recitals 22-25