The Multi jurisdictional Scope of The EU GDPR. Waiting for The USA To Be Global

Join our General Data Protection Directive (GDPR) or Governance, Risk Management and Compliance (GRC) Franchise Programme
November 18, 2018
Machine Learning and The GDPR Is More Than Just Profiling Activities
January 14, 2019
The EU General Data Protection Regulation (GDPR) is not explicitly a global law. However, it has in more ways than one become a de facto universal law for some businesses. In a globalised world where data knows no boundaries, it is often noted that many countries have now adopted the GDPR's privacy principles and practices in their own legislation, making the GDPR a de facto global law for those countries as well.

The statement that the GDPR applies to "all processing of personal data of EU residents" left room for interpretation and debate. Under the current enforcement regime, however, there are 'direct' reasons why the GDPR applies globally, and 'indirect' effects of the law that cause it to apply in any case. Even the direct provisions of the law apply to organisations that have some form of EU establishment or that sell goods and services to EU data subjects, whether the actual data processing takes place in the EU or elsewhere.

Crucial to the GDPR and integral to the entire legislation is its explicitly extended territorial scope. This rather ambitious piece of legislation now exercises control and imposes sanctions in jurisdictions beyond the EU whenever the data protection rights of EU citizens are at risk.

USA to set a decent privacy standard like the GDPR

Against this background of near-uniform global application, even Apple's chief executive Tim Cook has said that new regulations for the tech industry are "inevitable" in the wake of a series of scandals, rejoining a debate that is intensifying along with political pressure on the company's rival, Facebook.

It is possible that Mr Cook's claim that "the free market is not working" and that politicians should step in is a position shaped by the simmering tension between Apple and Facebook. He added: "And it hasn't worked here. I think it's inevitable that there will be some level of regulation."

Apple makes most of its money from selling hardware, whereas advertising-based tech platforms, Facebook in particular, have a privacy problem.

US politicians have been discussing how to regulate tech companies for the last two years on issues that vary widely, including privacy, political advertising and competition concerns. When Tim Cook becomes a fan of regulation, it may be less a matter of privacy than of profits, or of privacy placed above technical innovation. Non-EU organisations will be subject to the GDPR where they process personal data about EU data subjects in connection with any data or transaction.

All privacy data components need to be scanned for protection and compliance

Global organisations subject to the GDPR's jurisdictional reach must appoint an EU-based representative. Some examples:

  • A large IT services organisation, headquartered outside the EU but with (sales) offices in any EU country, will be subject to the GDPR.
  • A financial institution that has its data centre outside the EU but has branches in the EU, serving its own nationals as well as other nationals and EU data subjects, will fall within the GDPR's territorial jurisdiction.
  • Any e-commerce website hosted and operated outside the EU that also caters to EU data subjects will need to comply with the GDPR, even if the data is stored outside the EU.
  • Any organisation that uses e-mail to communicate and process the personal data of EU data subjects.

Personal data is stored in a multitude of databases, HR systems, personnel files, e-mails, archives, payroll systems and a variety of other sources, including intranets, own or external websites, whistleblower systems and more. Information on customers is also stored in databases, e-mail and archive systems, CRM systems, mailing lists and more. All these data components need to be scanned for all personal data.

Also, the new generation of computer logs generated by work systems and devices involves the processing of personal data. Payment transactions, whether in person or online, also entail processing of personal data. Processing even occurs when we give feedback on our colleagues during the annual appraisal. Practically every technology device and database used in business processes therefore involves personal data in some way, and each must be included in the scan.

The central role of the Data Protection Officer (or similar function)

The DPO also has a vital role in the compliance enforcement of the GDPR. The most apparent added tasks and duties are the advancement of organisational security and discipline within the data protection function. The DPO must take on multiregional responsibility rather than being concerned with only one jurisdiction, assume global responsibility, and create value for the enforcement duty and the security function while streamlining processes.

The GDPR framework and impact assessments must be based on industry best practices. Some global organisations that already have a data protection programme use various privacy frameworks. It is advisable that these frameworks include a tool for privacy impact assessments. With the GDPR, the focus must then shift towards these three areas to comply with the above:

  • Adopt the prescriptive nature of controls in the regulation across many sectors as described above
  • Enhance the existing framework to reflect the multi jurisdictional requirements of the GDPR
  • Review the material and territorial scope of processing in the context of the GDPR.

For more information on the material and territorial scope, participate in one of our 1-4 day global certification seminars, or see:

Material Scope Article 2 Recitals 15-21

Territorial Scope Article 3 Recitals 22-25