Where Does General Data Protection Regulation (GDPR) Apply


Although the General Data Protection Regulation (GDPR) was enacted by the European Union, its policies affected organisations based around the world. Any organisation which collects or processes data within the EU is subject to GDPR compliance, regardless of where their physical headquarters are based.

Even if an organisation only collects or processes data through subsidiary or branch of the main company which is based in the EU, they are bound to be compliant with GDPR. A thorough understanding of the implications of GDPR is critical to ensure that companies are in full compliance with the new regulations.

Most organisations which trade internationally are therefore likely to feel the effects of GDPR. However, the organisations which will be most strongly affected by the new regulations will be those based within the EU. For foreign organisations, individuals located in the EU may only comprise of a relatively small part of their consumer base in comparison to those based in their own country.

Therefore, only a small proportion of the data collected will have to be processed in compliance with GDPR. Following a similar line of reasoning, organisations based inside the EU will have a large proportion of their customers based in countries covered by GDPR, and therefore more of their operation is affected by the changes.

GDPR concerns the data collection of any individual, regardless of their nationality, who has their data collected while they are within the borders of an EU country. As a reminder, the EU Member States are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.

Although the United Kingdom is set to leave the EU following their 2021 referendum, GDPR was introduced to their laws in May 2021 along with the other member states. GDPR standards have already been incorporated into UK law, and they will remain as part of the law even when the UK is no longer in the EU.

All organisations which operate within EU Member States must process data that is collected from anyone within their boundaries according to GDPR rules. GDPR covers all types of organisations, including public agencies, governments, or companies of various sizes.

The GDPR Effect on Non-EU States

As mentioned above, GDPR will affect any organisation which handles data belonging to EU citizens, even if their headquarters are based outside of the EU. Despite the critical importance of the new regulations, organisations outside of the EU are less likely to be aware of GDPR and its implications on their business practices.

The complexities of GDPR may render them uncertain about the changes for them, and they may accidentally violate the regulations due to their ignorance.

The difficulties in adopting GDPR protocols will vary from country to country.  For example, the US does not have an overarching privacy law. Protections are in place for certain types of data; such as HIPAA which governs information about health, and the Gramm-LeachBliley ACT (GLBA) which regulates financial information. However, “general data” pertaining to individuals is not protected.

Following the implementation of GDPR, US companies are faced with needing two different systems to process of personal data in accordance with the applicable laws; one for data collected from anyone inside the EU, and one for data collected from anyone outside of the EU.

This added complexity may prove a hindrance for smaller organisations who may not have the resources to deal with these two datasets. Ensuring that all employees are familiar with two separate procedures invokes costly and time consuming training programmes.

A sensible solution may be for US based companies to adopt a “one-size-fits-all” approach to dealing with the personal data of individuals. A company may design a data collection and handling process which complies with both GDPR and US laws such as HIPAA.

Transferring Data Outside of the EU

Chapter 5 of GDPR outlines strict regulations which must be followed when transferring personal data to a third country or to an organisation outside of the EU. Data can only be transferred when an adequate level of legal data protection measures can be shown to be in place in the third country.

This is to ensure that the personal data of an individual is secure, no matter which country in which it is stored. According to the EU Commission, the US does not have a high enough level of protection for it to allow personal data to be transferred there. It remains to be seen if the US will change its data security policies following GDPR.

Data can be transferred to individual organisations, even in “non-approved” counties such as the US, if the organisation that is receiving the data can prove that it has sufficient safeguards in place to protect the data. These safeguards could include:

  • Data protection clauses that have been approved by the Commission.
  • Legally binding agreements between public authorities.
  • Certification by a Commission approved certification mechanism.
  • Binding corporate rules that apply between different organisations that form a corporate group.

Non-Compliance with GDPR

Any organisation that is found to be non-compliant with GDPR will face stiff fines. The maximum fines for non-compliance will be as much as either 4% of global annual turnover or €20 million – whichever sum is higher. It is therefore vital that organisations, based within or outside of the EU, are familiar with all of the requirements stipulated in the regulations.

In order to ensure that they are GDPR-compliant, organisations need to carry out an audit of the data they hold. They must verify its nature, check the content, and ensure the manner in which it was obtained meets the GDPR’s strict consent rules.