GDPR Compliance: How your business can meet the requirements

May 25, 2023

The EU’s General Data Protection Regulation (GDPR) has been a topic of conversation for many businesses worldwide since it became enforceable in 2018. For businesses on the other side of the world, there has been even more confusion about how, why and whether the requirements apply. In this blog post, we’re exploring the practical steps and strategies needed to meet GDPR provisions – and also the importance of prioritising data protection, even if your business isn’t in scope.

Understanding the GDPR and its scope

To determine if your business is subject to the GDPR, it is important to consider two categories set out in Article 3: establishment and targeting. Either one on its own is enough to bring you into scope.

The establishment category applies to organisations with a presence in the EU, regardless of their size. Even a single employee or agent based in the EU can bring your business under the scope of the GDPR, provided the personal data is processed in the context of that person’s activities – and it does not matter whether the processing itself takes place inside or outside the EU.

The targeting category, on the other hand, involves offering goods and/or services to people in the EU or monitoring their behaviour while they are in the EU. Let’s dive deeper into that.

Targeting the EU market

To fall within the scope of the GDPR under this category, intentional targeting of the EU market is required. Mere accessibility of your website from Europe is not enough to qualify as offering goods and/or services to EU individuals. The focus is on intentional and active efforts to attract customers from the EU. Factors to consider include whether you geo-restrict or geo-target your service, run marketing campaigns aimed at EU countries, offer prices in euro or other EU currencies, provide your site in an EU language you would not otherwise use, or ship to EU addresses. None of these is decisive on its own; it is the overall picture that matters.

Monitoring behaviour

This is a broad aspect of complying with the GDPR. It involves tracking or collecting data about individuals’ activities while they are in the EU. This can include:

  • Targeted advertising based on location, or
  • Collecting health data from wearable technologies, such as fitness watches.

An area of concern here is the use of cookies and similar tracking technologies, as almost every website engages in some form of behaviour monitoring. Unlike the goods-and-services test, monitoring does not require that you set out to attract EU customers: if your website profiles visitors (for example through analytics or advertising cookies) and those visitors are in the EU, that tracking can count as monitoring their behaviour and bring the related processing into scope. Note also that consent rules for cookies come from the separate ePrivacy rules in EU member states, which apply alongside the GDPR.

Data processing on behalf of others

If your business processes data on behalf of another organisation (the controller), the GDPR can reach you in two ways. If the controller is established in the EU, it is obliged to bind you by a written contract (a data processing agreement under Article 28) that flows its obligations down to you. If the controller is outside the EU but its processing targets or monitors EU individuals, the processing you carry out on its behalf falls within scope as well.

As a processor, you must comply with GDPR regulations to support the controller’s obligations and ensure data protection for EU individuals.

Transient use and intentions

An important note to add: the transient use of your services by individuals passing through the EU does not automatically bring your business under the scope of the GDPR. To fall within GDPR requirements, what matters is either an establishment in the EU or intentional targeting or monitoring of people who are in the EU; incidental use by travellers is neither.

If your primary customer base is in a non-EU country and you are not intentionally targeting EU individuals, your business is less likely to be subject to the GDPR.

To conclude: GDPR compliance is crucial for businesses that operate in or interact with EU individuals. To determine if your business falls under GDPR regulations, it’s important to understand territorial scope, intentional targeting, monitoring behaviour, and data processing on behalf of others. While it may not always be straightforward, taking a risk-based approach can help ensure data protection and build trust with your customers. Implementing privacy foundations and best practices, regardless of GDPR requirements, is a responsible approach in today’s privacy-conscious world.
