
The General Data Protection Regulation (GDPR) applies to all EU member states. What is different about the way it is implemented is that, unlike the 1995 Directive, the GDPR is not a Directive, guidance or best practice, but an actual EU-wide Regulation. This means that the GDPR is enacted across all of the EU member states from the same date and in the same way that it was written and issued by the EU. The GDPR did not require adaptation and transposition into member state law; it is member state law.

The reason behind the GDPR

Part of the reason behind the GDPR was the need to harmonise data protection controls across the EU, as well as to bring the EU’s data protection legislation up to date with the way in which the EU and the world operate, interact, conduct business and communicate. In today’s world, with in excess of 2 billion Facebook users alone, it is hard to imagine that when the previous data protection legislation was enacted in 1995, it is estimated that less than 1% of the population had access to the internet, and that social media sites such as Explorer, Facebook, Ebay and Amazon didn’t even exist!

It is clear that the previous legislation did not adequately or specifically provide protection for data used and communicated in today’s world, hence the need for the change and the GDPR.

So, does it all just impact the EU then? Or does this piece of EU Regulation carry force and impact around the world? Article 3 of the GDPR details the territorial scope of the regulation as being “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”, and “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union or the monitoring of their behaviour as far as their behaviour takes place within the Union”.

So, to clarify, whether the data subject is in the EU, or the processing of data runs in or through the EU, GDPR will apply. However, one might ask: if a controller or processor is not physically located within the EU, how can they be penalised if they breach? It is a question I am sure is on the lips of a lot of non-EU controllers and processors, given the increased level of fines that can now be made.

In short, the answer is that such firms can still be penalised. Even though they may be physically located outside of the EU, to operate inside of the EU, or to process the data of an EU citizen, the data controller or processor must still, according to Article 27 of the GDPR, designate a representative who shall act as a contact point for the processor or controller with, for example, the relevant supervisory authority.

Therefore, whilst this is an EU-based regulation, the consequences of getting it wrong could reach firms anywhere in the world that wish to trade in, with or through the EU.

With regard to the UK specifically and Brexit, the UK has made it clear that Brexit will not impact on the implementation of the GDPR and that indeed, if the UK wishes to trade with the EU and the world post Brexit, it will have to align itself to the data protection laws under which every other country operates.
