It doesn’t matter if your company is based in Toronto, Shanghai, Austin, or Cape Town: if you market to people in the EU, you are beholden to the legislation’s laws on how the user data of EU nationals is processed, gathered, and stored.
The GDPR states that EU nationals must not only give their express permission before a company can process or store their data—regardless of where that company is located—but also that companies must provide EU nationals with clear, easily understood opt-in processes that expressly state how users’ data will be stored, processed, or used.
Expectations of overseas businesses
It will be the responsibility of a company’s Data Protection Officers (more on that in a minute) or data controllers (ditto) to ensure that European users’ data is being sufficiently protected and/or anonymized; it will be the data controllers who will be among the first to be held to account if breaches or violations are reported.
Under the GDPR, data controllers will be expected to report all possible data breaches to the relevant EU authorities within 72 hours of detection. Furthermore, users affected by data breaches must also be notified by a company’s data controllers, with the exception of compromised pseudonymized data, which is not subject to the same reporting requirements as non-anonymized data.
Something else companies dealing with the GDPR will have to reckon with is storing records of user consent. Although it’s difficult to say with any certainty, I’d wager most companies keep minimal (if any) records concerning users’ consent to have their data stored or processed, but this will be an expectation — and legal requirement — under the GDPR. Companies must be able to prove that a specific user not only gave their initial express consent to have their data stored, but also that the user’s consent records are accurate and up to date.
What’s a DPO and do you need one for your business?
You may have a legal obligation to hire a Data Protection Officer (DPO) to ensure compliance with the GDPR. However, there are exceptions. You only have to hire a DPO if:
- Your organization is a public authority (i.e. a company that exercises control over the maintenance of public infrastructure or has broad powers to regulate public property)
- Your organization is engaged in large-scale systematic monitoring of user data
- Your organization processes large volumes of personal user data
Unfortunately, the official text of the GDPR as it stands today is unclear regarding the definition of “large-scale” data processing. Based on GDPR Recitals—legal texts that establish the reasoning behind certain acts within an item of legislation—we can infer the following…
Basically, if the data processing your company engages in as part of its day-to-day operations is beyond the realistically manageable workload of two professionals, it could be argued that this data processing is “large scale.”