Please note: this article is under review and will be updated once the UK leaves the European Union.
Definition under the GDPR
The GDPR applies to:
- data controllers in the EU,
- data controllers outside the EU who offer goods or services to individuals in the EU, and
- data controllers outside the EU who monitor the behaviour of individuals in the EU.
What does the GDPR definition really mean?
All UK businesses will be governed by the GDPR (and, indeed, any additional rules that the UK Government implements).
Non-EU businesses will also be caught by the GDPR if they provide goods or services to customers within the EU, or monitor the activity of individuals within the EU.
What are the significant changes brought in by the GDPR?
The major change is the extension of EU data protection obligations to businesses outside the EU. The previous UK data protection regime only applied to non-UK businesses that used equipment in the UK to process personal data. Now, however, the GDPR applies to non-EU businesses that provide goods or services to customers in the EU, even if they don’t use equipment located in the UK or the EU in order to do so.
What effect has this had on non-UK businesses?
If the business is within the EU, then the GDPR will apply to that business in the usual way.
If the business is outside the EU, then the business must identify whether it offers any goods or services to EU-based customers, or whether it monitors the behaviour of EU-based data subjects. If the answer to either question is ‘yes’, then the GDPR will apply to that business, regardless of its geographical location.
What will my business need to do?
If your business is located in the UK, or the EU, then there is nothing for you to do in relation to this particular issue.
However, if your business is located outside the EU, and you have established that the GDPR applies to your business, then you need to take the same steps in order to comply with the GDPR as are being taken by UK and EU businesses. Either that, or cease offering goods and services to customers in the EU.
My business has a parent company based in the United States. What does it have to do?
If that parent company will offer any goods or services to customers in the EU, or monitor the behaviour of EU-based individuals, then the parent company will have to comply with the GDPR in precisely the same way as your subsidiary business.
But that’s ridiculous – surely a UK or European law can’t govern an American company?
Yes, the GDPR does in fact govern some American companies.
Indeed, there are a number of American laws that govern aspects of UK business, particularly in relation to anti-bribery and financial crime.
What about after the UK leaves the European Union? Will the GDPR still apply to UK businesses?
Yes and no. On the UK’s exit from the EU the GDPR will cease to apply; however, it will be replaced by a mirror version of the GDPR called (imaginatively) the UK GDPR. Save for a few exceptions, the UK GDPR will match the GDPR, though changes to the GDPR will no longer flow down into UK law automatically, which could lead to the GDPR and UK GDPR diverging on certain issues in the future.
This briefing will be updated further following the UK’s leave date. Please subscribe to receive legal updates by email if you would like to be notified when this article is updated.
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- EU means the European Union, which consists of the UK and 27 other member states (Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain and Sweden).
- GDPR means the General Data Protection Regulation, the EU law that effectively replaced the Data Protection Act 1998.
- Personal data means any data from which a living person can be identified.
- Process means to do just about anything with personal data, e.g. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing, destroying or otherwise making the data available to somebody else.
This briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.