Businesses based outside the European Union

Definition under the DPA

The DPA only applies to:

  • data controllers in the UK, and
  • data controllers outside the EEA that use equipment within the UK for processing data.

What does the DPA definition really mean?

All UK businesses are governed by the DPA, whereas businesses in other EEA member states will be governed by their own national data privacy laws.

However, businesses outside the EEA will be governed by the DPA if they use any equipment within the EEA to process personal data. Any such business is legally required to appoint a data privacy representative that is located within the EEA.

Definition under the GDPR

The GDPR applies to:

  • data controllers in the EU,
  • data controllers outside the EU who offer goods or services to individuals in the EU, and
  • data controllers outside the EU who monitor the behaviour of individuals in the EU.

What does the GDPR definition really mean?

Again, all UK businesses will be governed by the GDPR (and, indeed, any additional rules that the UK Government implements).

Non-EU businesses will also be caught by the GDPR if they provide goods or services to customers within the EU, or monitor the activity of individuals within the EU.

What are the significant differences between the DPA and the GDPR?

The major change is the extension of the GDPR to businesses outside the UK. Previously, the DPA only applied to non-UK businesses who used equipment in the UK to process personal data. However now, the GDPR will apply to non-EU businesses that provide goods or services to customers in the EU, even if they don’t use equipment located in the UK or the EU in order to do so.

What effect will this have on UK businesses?

Actually, very little.

What effect will this have on non-UK businesses?

If the business is still within the EU, then the GDPR will continue to apply to that business.

If the business is outside the EU, then the business must identify whether it offer any goods or services to EU-based customers, or whether it monitors the behaviour of EU-based data subjects and, if the answer to either question is ‘yes’, then the GDPR will apply to that business, regardless of their geographical location.

What will my business need to do?

If your business is located in the UK, or the EU, then there is nothing for you to do in relation to this particular issue.

However, if your business is located outside the EU, and you have established that the GDPR applies to your business, then you will have to take the same steps in order comply with the GDPR as are being taken by other UK and EU businesses. Either that, or cease offering goods and services to customers in the EU.


So if I’m a small business located in Hampshire, I don’t have to worry?

No, not about this particular aspect of the GDPR, although you will still have to deal with all the other aspects of the new regulations.

My business has a parent company based in the United States, what do they have to do?

If that parent company will offer any goods or services to customers in the EU, or monitor the behaviour of EU-based individuals, then the parent company will have to comply with the GDPR in precisely the same way as your subsidiary business.

But that’s ridiculous – surely a UK or European law can’t govern an American company?

Yes, the GDPR will govern some American companies.

Indeed, there are a number of American laws that govern aspects of UK business, particularly in relation to anti-bribery and financial crime.

How are American and other foreign companies going to find out about GDPR?

Good question. The US media is unlikely to be reporting on GDPR in any real detail, and therefore it is likely that information will be disseminated via US lawyers to their clients.


  • Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
  • DPA means the Data Protection Act 1998, the statute that previously governed the processing of personal data in the UK.
  • EEA means the European Economic Area, which consists of the UK and the other 27 member states of the European Union, together with Iceland, Norway and Liechtenstein.
  • EU means the European Union, which consists of the UK and 27 other member states (Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden).
  • GDPR means the General Data Protection Regulation, the EU law that is now in place of the Data Protection Act 1998.
  • Personal data means any data from which a living person can be identified.
  • Process means to do just about anything with personal data, eg. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing, destroying or otherwise making the data available to somebody else.

This briefing is based on the law as it stands in July 2017. It is possible (and, indeed, likely) that, before the GDPR comes into force in May 2018, the Information Commissioner’s Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.