With less than 100 days to 25 May, many organizations outside the European Union have the same question: “Does the General Data Protection Regulation (GDPR) apply to my organization?”
The answer has to be “it depends” – although this is an answer that no one likes. You cannot immediately say yes or no. Instead, you need to take a step-by-step approach: identify the requirements of GDPR and the organization’s connection with the personal data of EU citizens, and consult an attorney specializing in GDPR as needed. The answer to this question can only be given based on an analysis of the organization’s operations and usage of personal data, based on Article 3, which defines territorial scope. This article is especially important for organizations outside of the EU in determining whether they need to adhere to GDPR. The article states that organizations must comply with GDPR if they offer goods or services to EU citizens, even without payment, or monitor the behavior of EU citizens (data subjects). In today’s digital world, these practices are not rare.
The starting point should be to determine whether the organization processes personal data of EU citizens, either as a controller or a processor of data, or whether a part of the organization operates within EU borders. If the answer to either of these questions is yes, then it does not matter where your business headquarters are located. As long as you are in the “place where Member State law applies by virtue of public international law,” you need to comply with GDPR.
To help guide this process, an organization should perform a data protection impact assessment, which is a required element of GDPR. This is an initial step in the GDPR implementation process for determining whether compliance is required. Once the organization determines that it has to comply with the regulation, the compliance program must cover all parts of data processing. Data processing “includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.” GDPR applies to both automated and manual data processing.
An organization impacted by GDPR needs to assess, implement and comply with specific GDPR requirements. These requirements will affect the entire organization and how day-to-day operations are conducted with respect to personal data. New processes and controls should be implemented to protect the personal data of EU citizens and also to protect the organization from liabilities caused by non-compliance with GDPR.
Organizations that see 25 May not only as a deadline but as the starting point of a long-lasting GDPR compliance program will have an advantage in processing personal data according to GDPR principles. Organizations should use this moment as an opportunity to implement best practices and realize the benefits of GDPR.
Editor’s note: ISACA’s Implementing the General Data Protection Regulation publication is an educational resource for privacy and other interested professionals; it is not legal or professional advice. Consult a qualified attorney on any specific legal question, problem or other matter. ISACA assumes no responsibility for the information contained in this publication and disclaims all liability with respect to the publication. 2018 © ISACA. All rights reserved. For additional ISACA resources on GDPR, visit www.isaca.org/GDPR.