Part 1 – Assume it doesn’t apply…
With approximately 121 working days to go until the GDPR is enforceable, I’m still shocked at how many myths, misconceptions and just plain stupid ideas still surround GDPR. I recently spoke at Digit’s GDPR Scotland Event on the subject of GDPR Readiness: Dumb Ways to Fail, and over the coming days I’ll be sharing some of those failures to help your organisation to avoid them.
Even now, there are organisations in the EU, or organisations processing personal data about EU residents, that think they’re somehow exempt from the General Data Protection Regulation (let’s leave the subtleties of the Law Enforcement Directive and how it changes applicability for affected bodies out of this). At the recent DIGIT GDPR event, there was a question about whether charities might get some sort of special treatment when it comes to fines.
Applicability – and its extraterritorial quality under GDPR – is very clearly described in Article 3. In summary, if your organisation – whether public sector, private sector, third sector or anything else – is:
- established in the EU (regardless of where processing takes place)
- processing personal data about data subjects in the EU
- offering goods or services to EU data subjects (even if payment is not taken)
- monitoring the online behaviour of EU data subjects
- established in a territory where EU law applies
then the GDPR applies to some or all of your processing. For UK organisations it will apply for the 10 months before Brexit happens, and it will still apply to their processing of EU residents’ personal data after Brexit happens. The new UK Data Protection Act will enshrine the same principles into UK law after that time.
If you’re unsure about applicability, then you need to answer that question very soon indeed.
Please suggest your own GDPR Dumb Ways to Fail in the comments, and we’ll add them to the list to be tackled in the coming days.