Outside Insights | October 2017 | By Guest Author

The Global Reach of EU’s General Data Protection Regulation

While the GDPR is EU-authored and focused legislation, its reach extends around the globe, including to the U.S.
The GDPR is an evolution in legislation governing personal data collection and management. (Photo: thinkstock)

In less than a year, a new data law will come into effect with sweeping implications for businesses that operate in the European Union: the General Data Protection Regulation (GDPR). While the GDPR is getting lots of media coverage, studies suggest considerable confusion about its requirements and how to go about achieving compliance.

At its most basic, the GDPR requires that businesses, in every sector, understand what personal data they hold, how it was obtained, who has access to it, and where and how it is kept. To achieve compliance, businesses must go beyond this inventory and understand what gaps exist between their current data management practices and procedures and the new requirements under the GDPR.

While the GDPR is EU-authored and EU-focused legislation, its reach extends around the globe, including to the U.S. In general, the legislation applies to businesses operating in the EU; however, even businesses without a direct presence in the EU may be subject to the GDPR.

GDPR, like the current EU Directive, protects “personal data,” but it is important to understand what constitutes personal data under the new regulation. According to the GDPR, personal data is:

“any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”

An important distinction with the GDPR definition is that unlike the EU Directive, Recital 30 makes clear that personal data includes online identifiers and location data. This has obvious implications. For instance, if a U.S. business uses cookies on its website and a visitor accesses the website from inside the EU, that could trigger GDPR requirements.

Consider a U.S.-based restaurant that is looking to expand into the EU and commissions a study by a European consulting company. If the consulting company provides the U.S. restaurant with personal data collected from data subjects in the EU, then the U.S. company would be subject to GDPR requirements. Ultimately, the determining factor of whether the GDPR applies is not whether the company is based in the EU, but rather where the personal data was collected. And now that identifiers like IP addresses and mobile device IDs are included in the definition of personal data, the legislation is truly borderless in its application.

It might be tempting to ignore the new law, assuming that even if there is some incidental use of personal data covered by the GDPR and a subsequent breach, EU authorities could not effectively penalize a U.S. company. That is a mistaken notion and a big risk. Why? Treaties between the EU and the U.S. would permit EU authorities to impose and enforce those penalties, even on U.S. companies without a direct presence in the EU, and the penalties for non-compliance with the GDPR are substantial: for some breaches they equal the greater of €20 million or 4 percent of global annual turnover.

Understandably, businesses may view the GDPR as an unwelcome burden, but perhaps they should instead view it as an opportunity. Digitization is transforming all industries, the hospitality sector in particular. At its core, the GDPR forces businesses to align and adapt their operations to the reality that personal data, collected through ubiquitous online and mobile interactions, now shapes how business is done. Preparing for the GDPR ultimately means preparing for digitization.

For compliance purposes, organizations must continually manage and update their data collection systems. It will be an iterative process, not a one-off activity, and businesses will need to look at three core areas, process, people and technology, right across the organizational landscape if they are to succeed. This is an integral part of having a defined strategy for information management and a strong grip on data governance. Businesses that are willing to embrace this challenge today not only prepare themselves for the upcoming requirements of the GDPR but also position themselves for commercial success in this age of digitization.

The GDPR is an evolution in legislation governing personal data collection and management. Its implications are global, and hospitality businesses in the USA should look carefully at what is required and how the GDPR might impact current and planned operations. The GDPR goes into effect 25 May 2018, so the time to start evaluating and preparing is now. Ultimately, even if the GDPR does not apply to a hospitality business today, taking the time to understand the legislation and to align that business with the trends in digitization that underlie the GDPR will position it for future commercial success.

Thomas Brooke is a legal and technology executive with a track record of success guiding companies from startup to growing and sustainable businesses, IPOs, and M&A transactions. Thomas has substantial experience as legal counsel to innovative companies providing online and mobile solutions around the globe. As Commercial Director for Preoday Ltd., Thomas provides legal guidance for Preoday's core commercial activities, including consulting to its customers as they prepare for the GDPR.