The European Union’s General Data Protection Regulation (GDPR) has been in effect since May 2018.

In essence, it regulates the ‘personal data’ of individuals in the EU at every stage: collection, use, retention, transfer and deletion.

The GDPR is a European Union regulation, so surely an international business outside the EU isn’t affected? Not necessarily, and here is why.

The GDPR doesn’t just apply to EU businesses. It applies to any business that collects and processes personal data relating to individuals who are in the European Union, wherever that business is based.

With the rise of online businesses and services, most international businesses are likely to be caught by the extraterritorial scope of the GDPR and may have to comply with it. So let’s break it down.

Definitions

Firstly, let’s understand how things are defined in the GDPR.

Processing: any operation performed on personal data. It covers everything from collecting data to destroying it (storing, organising, viewing, sharing and deleting all count), and is the catch-all word the GDPR uses for any handling of personal data.

Personal data: any information relating to a living person who can be identified, directly or indirectly, from that information.

Data that identifies someone directly includes a person’s name, home address or email address. Data that identifies someone indirectly (for example an IP address, a device identifier or location data) may not single out an individual on its own, but combined with other data your company holds or can obtain, it can produce a positive identity match, and it is still personal data.

‘Sensitive’ personal data (the GDPR calls this ‘special category’ data): this class of data must be handled with extra care, and processing it is prohibited unless a specific condition applies. It includes racial or ethnic origin, health data, sexual orientation, religious beliefs, political opinions, trade union membership, and genetic or biometric data used to identify someone.

Controller: the party that determines the purposes and means of processing personal data (for example, you as a business decide to collect a first name, last name and email address, and what to do with them; that decision makes you the controller).

Processor: a party that processes personal data on behalf of, and on the instructions of, a controller (for example, a marketing agency that sends promotional emails to your customer list on your behalf, or a cloud provider that hosts your customer database).

Data subject: the identified or identifiable individual whose personal data is processed. Under the GDPR’s territorial scope, this means individuals in the EU, regardless of their nationality or residence status.

Do You Need A GDPR Privacy Policy?

It is important to think about whether you need to be GDPR compliant as an international business.

Businesses need to comply in two circumstances:

  1. If the business has an establishment in the EU (for example an office, branch or subsidiary) and processes personal data in the context of that establishment’s activities. This applies regardless of whether the processing itself takes place inside or outside the EU; or
  2. If the business is not established in the EU but offers goods or services to individuals in the EU (whether or not payment is required), or monitors the behaviour of individuals in the EU, as far as that behaviour takes place within the EU.

The GDPR applies to the data processing activities of all businesses, regardless of size. 

What Businesses Need To Comply With The GDPR?

Some examples of businesses that may need to comply with the GDPR include:

  • businesses with an office, branch or subsidiary in the EU
  • businesses that target EU customers. Indicators of targeting include allowing customers to order goods and services in a language used in an EU member state (other than English), offering the option to pay in Euros, or delivering to EU addresses
  • businesses whose website refers to EU customers or users (for example, testimonials or reviews from customers in the EU, or dedicated contact details for EU customers), as this is a factor regulators use to decide whether you are targeting the EU market

What Do You Need To Do To Be Compliant?

We’ve already written about some quick tips on how to be GDPR compliant. But, essentially, there are seven main data protection principles that need to be adhered to.

1. Lawfulness, Fairness and Transparency

This principle is straightforward. Organisations need a valid lawful basis for each processing activity (such as consent, a contract with the individual, or a legitimate interest) and must be clear with individuals about the personal data they are collecting. To do this, your privacy policy should state the types of personal data you collect, what you do with it, the lawful basis you rely on, and who you share it with.

2. Purpose Limitation

Here, the GDPR mandates that organisations should only collect personal data for specified, explicit and legitimate purposes, and should not go on to use it for a new purpose that is incompatible with the original one. There is more leeway for further processing in the public interest or for scientific, historical or statistical purposes, provided appropriate safeguards are in place.

3. Data Minimisation

An organisation that collects personal data should only collect and process data that is adequate, relevant and limited to what is necessary for its stated purposes. If a field is not needed to deliver the service, do not collect it. This is beneficial for both users and organisations because:

  • In the case of a data breach, there will only be a limited amount of personal data available.
  • Minimising the amount of personal data collected will make it easier to keep this data accurate and up to date.

4. Accuracy

According to the GDPR, personal data must be accurate and, where necessary, kept up to date, and ‘every reasonable step must be taken’ to erase or rectify personal data that is inaccurate. Separately, individuals have a right to have inaccurate or incomplete data corrected: you must act on such a request without undue delay and in any event within one month of receiving it (extendable by a further two months for complex requests, provided you tell the individual why).

5. Storage Limitation

Personal data must not be kept in a form that identifies individuals for longer than is necessary for the purposes it was collected for. When the organisation no longer needs the personal data, the GDPR mandates that it must be deleted or anonymised. In practice, this means setting and documenting retention periods for each category of data rather than keeping everything indefinitely.

6. Integrity and Confidentiality

In this requirement, the GDPR mandates that personal data must be ‘processed in a manner that ensures appropriate security of the personal data’, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. The GDPR does not prescribe specific controls (due to the fast-changing nature of technology). Instead, it requires ‘appropriate technical and organisational measures’ proportionate to the risk, taking into account the state of the art and the cost of implementation, and it names pseudonymisation, encryption, the ability to restore data after an incident, and regular testing of your security measures as examples. Personal data breaches that are likely to risk individuals’ rights must also be reported to the supervisory authority within 72 hours of becoming aware of them.

7. Accountability

This is referred to as the ‘accountability principle’, and it means exactly that. The controller is responsible for compliance with all of the principles above and must be able to demonstrate that compliance, for example through records of processing activities, documented policies, data protection impact assessments where processing is high-risk, and written contracts with processors.

Brexit: What Does It Mean For GDPR? 

The UK was one of the principal architects of the GDPR. But now that Brexit is well and truly underway, will you still have to comply with the GDPR if your customers are primarily in the UK?

After the transition period, the EU GDPR ceases to apply automatically to businesses in the UK, but little is likely to change in practice for businesses with UK customers.

The GDPR has been retained in UK domestic law, with amendments, as the ‘UK GDPR’, sitting alongside the Data Protection Act 2018. This means the substantive obligations, the extraterritorial scope and the representative requirements stay largely the same. Businesses outside the UK that target UK individuals will need a UK Representative (in addition to, not instead of, an EU Representative if they also target individuals in the EU).

And, of course, the UK GDPR is altered in scope to cover the processing of personal data relating to individuals in the UK, rather than the EU.

All in all, for international businesses, the same level of compliance will most likely be necessary if you conduct business in the UK, and businesses serving both markets will need to comply with both regimes.

Key Takeaways

GDPR compliance extends well beyond having a GDPR compliant privacy policy or cookie policy. It can be hard to know exactly what you have to do to be compliant, as the GDPR places a high onus on businesses to protect individuals’ personal data and to be able to prove that they do.

Whether you’re looking for a GDPR compliant privacy policy or specific ways to make your business compliant with GDPR — we can help! Send us an email at [email protected].

About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're an award-winning, online law firm for small businesses in the UK.
