Definition under the GDPR
The GDPR applies to:
• data controllers in the UK and EU,
• data controllers outside the UK and EU who offer goods or services to individuals in the UK or EU, and
• data controllers outside the UK and EU who monitor the behaviour of individuals in the UK or EU.
What does the GDPR definition really mean?
All UK businesses will be governed by the GDPR (and, indeed, any additional rules that the UK Government implements, such as the Data Protection Act 2018).
Non-EU businesses will also be caught by the GDPR if they provide goods or services to customers within the UK or EU, or monitor the activity of individuals within the UK or EU.
What are the significant changes brought in by the GDPR?
The major change is the extension of EU data protection obligations to businesses outside the EU. The previous UK data protection regime only applied to non-UK businesses that used equipment in the UK to process personal data. Now, however, the GDPR applies to non-EU businesses that provide goods or services to customers in the UK or EU, even if they don’t use equipment located in the UK or the EU in order to do so.
What effect has this had on non-UK businesses?
If the business is within the UK or EU, then the GDPR will apply to that business in the usual way.
If the business is outside the UK and EU, then the business must identify whether it offers any goods or services to UK or EU-based customers, or whether it monitors the behaviour of UK or EU-based data subjects. If the answer to either question is ‘yes’, then the GDPR will apply to that business, regardless of its geographical location.
What will my business need to do?
If your business is located in the UK, or the EU, then there is nothing for you to do in relation to this particular issue.
However, if your business is located outside the UK and EU, and you have established that the GDPR applies to your business, then you need to take the same steps in order to comply with the GDPR as are being taken by UK and EU businesses. Either that, or cease offering goods and services to customers in the UK and EU.
In addition, the GDPR will require you to appoint a representative in the UK or EU. That representative must be authorised to act on your behalf regarding your GDPR compliance, and to deal with data subjects and regulatory authorities. The identity of your UK or EU representative must be disclosed to your UK and EU customers, typically as part of your privacy policy.