Get in touch to discuss how we can make your brand GDPR compliant
The EU General Data Protection Regulation (GDPR) – FAQs
How does the new law apply outside the EU?
- GDPR will apply if an organisation – regardless of location – ‘sells’ its goods / services directly to individuals in the EU or is ‘tracking’ them for analytics or advertising purposes.
- Failure to comply with the GDPR could mean a fine of up to €20m or 4% of annual global turnover (whichever is greater).
Q. What is the GDPR?
A. The GDPR is a new piece of European legislation that will replace the existing EU data protection legal framework governing the use of personal data. It will apply across all EU markets from 25 May 2018 (NB there is no grace period: organisations need to be ready by next May).
The GDPR builds on existing EU data protection law but seeks to give individuals more control over their data, for example by strengthening the conditions for obtaining an individual’s consent and introducing the right to ‘port’ their data. It also imposes greater transparency and accountability obligations on organisations processing personal data. The GDPR aims to update and streamline data protection rules across EU and EEA markets – ‘one continent, one law’ – with the aim of making cross-border business easier.
The GDPR updates the law to reflect today’s digital economy where data is increasingly collected, used, shared and traded. It therefore brings more data into the ‘regulatory net’ – for example: the definition of personal data includes online identifiers, such as cookies and Advertising IDs – and potentially tightens the conditions for its use. It will therefore regulate the collection, use and sharing of data used in (a) digital advertising and direct marketing, including by brand advertisers, agencies and third party data partners; and (b) ‘owned and operated’ properties (e.g. ecommerce or publisher data from a digital property – website, app etc.).
Q. Why is it important to non-EU and US brands?
A. The GDPR will apply to any organisation that is targeting its goods / services at individuals in the EU (NB not just EU citizens) or ‘monitoring’ their behaviour – regardless of location. For example: an EU resident visits a US brand’s website (hosted outside of the EU) that offers services beyond the US, including the EU, and that individual’s personal data is processed to enable them to directly obtain goods / services; or when that brand (or its data partners) processes the individual’s personal data for analytics or advertising purposes.
- This is a significant change from existing law, under which the rules apply according to where the data processing equipment is located. The GDPR therefore has a global impact, and US brands – large or small – may need to comply.
Q. What effect will Brexit have on the GDPR?
A. Brexit will not affect the GDPR. This is because (a) of the territorial scope of the GDPR – see above; and (b) the GDPR will apply in the UK before Brexit and in a similar way after Brexit (e.g. via an equivalent piece of UK legislation – the UK Government introduced a new Data Protection Bill into Parliament in September 2017).
However, Brexit may affect how the GDPR is enforced. For example, if a US advertiser is not physically established in the EU (including the UK post-Brexit), the organisation may not be able to benefit from the GDPR’s proposed ‘one stop shop’ system, under which an organisation operating across EU markets deals with a ‘lead’ regulator rather than multiple ones.
Q. What are the penalties for non-compliance?
A. EU regulators will have the power to fine an organisation up to €20m or 4% of global annual turnover (whichever is higher). The level of fine will depend on the breach but this is a significant game changer. Under existing law, for example, the UK regulator – the Information Commissioner’s Office (ICO) – can issue fines of up to £500,000.
Q. Does the GDPR replace the ePrivacy Directive (aka the ‘cookie law’)?
A. No. The ePrivacy Directive (as implemented in most national EU markets) – which sets out rules on the storing of information or gaining access to information already stored on a device (e.g. via a cookie / Advertising ID) – remains in place.
However, the European Commission wishes to reform the Directive and introduce harmonised legislation with a similar territorial scope to the GDPR. Brand advertisers – including US ones – are likely to have to comply with this as well as the GDPR: the proposals (still to be agreed by Brussels policy-makers) may toughen the requirements for consent and how it is obtained (i.e. at browser / software level vs. publisher level).