GDPR explained for Global Businesses

What is GDPR?

The General Data Protection Regulation (Regulation (EU) 2016/679, GDPR) is an EU regulation on data protection and privacy. It applies throughout the EU and the wider European Economic Area (EEA), which links the EU member states with the three European Free Trade Association states that are EEA members (Iceland, Liechtenstein, and Norway), and it also governs the transfer of personal data outside the EU and EEA. It is widely regarded as one of the strictest privacy and data security laws in the world. Unlike a directive, a regulation does not need to be transposed into national law: GDPR has applied directly and uniformly in every EU Member State since 25 May 2018. Following its departure from the EU (Brexit), the UK retained a near-identical data protection regime, commonly referred to as the UK GDPR. For the purposes of this blog, we refer to the EU and UK regimes jointly as GDPR.

Many countries outside the EU and UK are now formulating or updating data protection regimes modeled, at least in part, on GDPR.


Who does GDPR apply to, and what are the risks of non-compliance?

Essentially, any organization in the world must be aware of and comply with GDPR if it meets either of the two criteria below:

  • It is established in the EU/UK (for example, it operates an office, branch, or subsidiary there) and processes personal data of employees, customers, contractors, or third parties in the context of that establishment, OR

  • It has no EU/UK establishment (for example, it operates exclusively from the US) but processes the personal data of individuals in the EU/UK in connection with offering them goods or services (paid or free) or monitoring their behaviour (for example, tracking website visitors).

Concerning the latter, GDPR has what is known as “extra-territorial reach” (Article 3(2)), enabling EU/UK data protection authorities to pursue an organization for infringements even where it has no EU/UK establishment. The test does not turn on where an organization is incorporated or operates but on whether its processing targets individuals in the EU/UK: merely having a website that is accessible from the EU does not, by itself, bring a business into scope, whereas pricing in euros, shipping to EU addresses, or profiling EU visitors indicates that it does.

CEOs and CFOs should note that the maximum administrative fine for the most serious infringements is EUR 20 million or 4% of the organization’s total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)); a lower tier of EUR 10 million or 2%, again whichever is higher, applies to infringements such as failing to implement appropriate security measures or to notify a breach (Article 83(4)). Under the UK GDPR the corresponding caps are £17.5 million or 4%, and £8.7 million or 2%. Infringing organizations have incurred a number of very large financial penalties since GDPR became applicable in 2018. Each EU Member State, together with the UK, has its own national data protection authority; all apply the same over-arching legislation, but each authority exercises discretion, guided by the factors in Article 83(2) such as the nature, gravity, and duration of the infringement and the degree of cooperation with the regulator, as to what level of penalty to impose within those maximums.

Example: British Airways

In July 2019, the UK Information Commissioner’s Office (ICO) issued a notice of intent to fine British Airways £183 million for GDPR infringements arising from a 2018 data breach; after representations from the airline and consideration of the pandemic’s effect on its finances, the final penalty issued in October 2020 was £20 million. Other EU data protection authorities have imposed very large fines as well, and authorities in the EU/UK routinely impose lower fines that still run to several hundred thousand euros, plus legal costs and other expenses. Companies should not take GDPR lightly and most certainly should not ignore it. It is risky for an organization to assume that it is too small, or not in a sufficiently significant sector, to attract regulatory attention: complaints from individual data subjects, not just headline breaches, regularly trigger investigations.


How can a business comply with the requirements of GDPR, and avoid the risks and financial penalties of non-compliance?

GDPR exists to protect individuals with regard to the processing of their personal data. In broad terms, there are two main aspects to achieving compliance and thereby avoiding the risk of a large financial penalty.

First, a number of specific GDPR policies and other documents need to be prepared. These include:

  • An internal data protection policy

  • An external, web-facing privacy notice (often called a privacy policy) that tells individuals what personal data is collected, why, on what legal basis, who receives it, and for how long it is kept, in the form required by Articles 13 and 14

  • A data retention policy

  • Amendments to the organization’s template contracts to include the data processing terms GDPR requires (for example, the Article 28 terms between a controller and its processors) where the contracts are relevant to the EU/UK

  • An employee privacy notice template. GDPR requires organizations to give employees and new hires a notice, at the time their data is collected, describing what personal data is processed, why, on what legal basis, and for how long.

Second, on the technology side, the organization’s IT and security functions must ensure that all systems, internal and external, implement the “appropriate technical and organisational measures” that Article 32 requires. GDPR does not prescribe specific controls; the standard is risk-based, and the Article names pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore availability and access after an incident, and regular testing of those measures. The organization must also be able to detect a personal data breach and, where one occurs, notify the supervisory authority within 72 hours of becoming aware of it (Article 33) and, where the breach is likely to result in a high risk to individuals, notify those individuals as well (Article 34).

Where an organization operating in the EU/UK also transfers personal data outside the territory, it must have a lawful transfer mechanism in place for each international transfer: an adequacy decision covering the destination country, Standard Contractual Clauses (SCCs) adopted by the European Commission (or their UK equivalent), or approved Binding Corporate Rules for intra-group transfers, supported where needed by an assessment of whether the destination country’s laws undermine the protection the mechanism provides. This is a fundamental legal compliance requirement under GDPR (Chapter V), and data protection authorities within the EU/UK have the discretion to impose large financial penalties for breaches of it.

Note also that, uniquely for businesses operating in the UK, in addition to complying with GDPR they must generally register with, and pay an annual data protection fee to, the UK data protection authority, the Information Commissioner’s Office (ICO), unless an exemption applies. This requirement equally applies to an organization with no UK base (for example, one based exclusively in the US) that processes the personal data of UK residents.


How can HSP help clients avoid the risks and financial penalties of non-compliance with GDPR?

HSP has a dedicated support team with considerable expertise and years of experience advising organizations on all aspects of achieving compliance with GDPR. Our GDPR Team also has many years of experience advising on data protection matters in most countries in the world outside of the EU/UK.

Our most popular solution is our fixed-price, turnkey, two-step GDPR Compliance Assignment. This engagement is especially popular with venture-capital-backed technology companies and other emerging growth businesses that have only recently reached a point where they believe GDPR compliance may apply to them but are not certain what all the requirements are, or whether they are in full compliance. This engagement includes:

  • GDPR Phase 1 – Carrying out a full initial assessment for a client’s business on their status of GDPR compliance, and reporting back accordingly

  • GDPR Phase 2 – depending on the results of Phase 1, undertaking all aspects of drafting and putting into place needed elements for full GDPR compliance, including the preparation of all required GDPR policies and documents (internal data protection policy, web-based external data protection policy, data retention policy, template contracts that include required GDPR language, and/or a GDPR referenced “Notice” template)


Summer 2021 would be a great time to get things in order relative to overseas expansion, including GDPR requirements, given the expected strength of the global economy in the second half of this year and on into 2022.  If you would like to learn more about how HSP Group’s GDPR Compliance Assignment can be of assistance, reach out and contact one of our experts at GDPR@hsp.com.
