On 14 April 2016, the EU adopted the General Data Protection Regulation (GDPR), replacing the 1995 Data Protection Directive. The new regulation came into force on 25 May 2018, giving companies a two-year grace period to fully comply. Among the numerous critical requirements, the need…
The reach of GDPR outside of the EU
The adoption of GDPR sparked a debate on whether non-EU companies that don’t process personal data of EU residents should comply with the regulations or not, even though they are not obliged by law. In this article, we will discuss the benefits of voluntary compliance for non-EU companies.
As stated in Art. 3, all controllers and processors who handle data provided by EU citizens must be compliant. Therefore, some foreign companies must comply with the GDPR if they want to continue working with EU citizens' data. But how does this work exactly? And what about the others: is it to their benefit to also be GDPR compliant?
Representatives and DPOs
According to Art. 27 of the GDPR, companies outside the EU that process personal data of European citizens and do not have an establishment in the EU have to designate a representative in the EU. This representative can be an individual or a company located in one of the EU member states. They act under a mandate and take instructions from the company. They keep a record of the data processing activities, are available to receive inquiries and complaints, and have to cooperate with the supervisory authority on behalf of the company.
Companies both inside and outside the EU, depending on their data processing procedures, will also have to appoint a data protection officer (DPO). Compared to the representative, the DPO works more like a consultant and, as stated in Art. 38(3), works independently and does not take instructions from the company. The DPO represents the company before the country's data protection authority (DPA) and helps the company remain GDPR compliant.
It is clear that GDPR is here to stay and that, eventually, other non-EU countries will put in place similar regulations (see the California Consumer Privacy Act). This means that sooner or later the standards set by GDPR will become the norm. Until then, these high protection standards will give anyone who adopts them an edge over their competitors.
It is a widespread belief that becoming GDPR compliant implies a lengthy and expensive process. Thus, a company with no contact with the EU will naturally question whether complying is worth it. Looking at the bigger picture, following the path of voluntary compliance and adopting the regulations might be a very good long-term investment. Offering better data security will attract new clients and investors, and the chances of suffering a data breach decrease thanks to regular audits. Moreover, overall trust in the company will be higher, as you can prove you took concrete actions to provide better services for your clients. Finally, expanding and starting to work with EU citizens becomes a possibility that you will already be prepared for.
As regulations similar to GDPR become the norm all over the world, you will be ahead of your competitors. You will also have experience in providing services while remaining compliant with the regulations. Furthermore, the public will know you as a trustworthy company.
GDPR-like privacy initiatives are on the rise. Trying to change habits and set new standards would be a healthy attitude for non-EU companies. Not only would they have an advantage over their competitors, but they would also be prepared for future changes in their own country, which do not seem to be far away. Moreover, having the trust of clients and investors alike opens new possibilities for companies, no matter their size. Taking everything into consideration and after doing the math, it seems that, even if costly, GDPR compliance brings only benefits.