The expanding scope of European data protection obligations to non-EU businesses

Posted Jun 1, 2017

The changes

The General Data Protection Regulation (“GDPR”) will, with effect from 25 May 2018, introduce a number of changes to EU data protection regime.  One of the more significant changes will be the expansion of its territorial scope.

The current EU data protection legislation applies only to businesses established in the EU.  Under the GDPR the reach of data protection law will be extended as follows:

  • Data controllers and data processors, based in the EU, will fall into its scope where personal data is processed “in the context of its activities“.
  • For those organisations with no EU presence, the GDPR will nevertheless apply whenever (1) an EU resident’s personal data is processed in connection with goods/services offered to him/her; or (2) the behaviour of individuals within the EU is monitored.

What should businesses outside the EU be doing?

Hewitsons’ data protection specialists are ready to assist businesses located outside the EU who do not at present come within the scope of EU data protection law but who should be considering whether they will become subject to the GDPR and, if so, what their compliance obligations will be.  Organisations without an EU presence but who target or monitor EU individuals should be preparing for the GDPR now by:

  • Understanding the GDPR and whether or not it will impact their business; and
  • If organisations do fall under the scope of the GDPR they should be undertaking a review of what personal data will be collected, completing risk assessments and putting a compliance plan in place.

For further advice on this or any other aspect of the GDPR please contact Valerie Lambert, Andrew Priest or Charlotte Bull at Hewitsons.