May 25, 2023
The EU’s General Data Protection Regulation (GDPR) has been a topic of conversation for many businesses worldwide since its introduction in 2018. For businesses on the other side of the world, there has been even more confusion about how, why and whether the requirements apply. In this blog post, we’re exploring the practical steps and strategies needed to meet GDPR provisions – and also the importance of prioritising data protection, even if your business isn’t in scope.
To determine if your business is subject to the GDPR, it is important to consider two categories: establishment and targeting.
The establishment category applies to organisations with a presence in the EU, regardless of their size. Even having one employee conducting activities related to EU individuals can bring your business under the scope of GDPR.
The targeting category, on the other hand, involves offering goods and/or services to people in the EU or monitoring their behaviour while they are in the EU. Let’s dive deeper into that.
Targeting the EU market
To fall within the scope of the GDPR, intentional targeting of the EU market is required. Accessibility of your website from Europe is not enough to qualify as offering goods and/or services to EU individuals. The focus is on intentional and active efforts to attract customers from the EU. Geographical restrictions and specific marketing campaigns are factors to consider in determining whether your business is subject to GDPR.
Monitoring the behaviour of individuals in the EU is a broad aspect of the GDPR’s scope. It involves tracking or collecting data about individuals’ activities while they are in the EU. This can include:
If your business processes data on behalf of another organisation (the controller), you may be subject to the GDPR if the controller is located in the EU or has EU customers.
As a processor, you must comply with GDPR regulations to support the controller’s obligations and ensure data protection for EU individuals.
An important note to add: the transient use of your services by individuals passing through the EU does not automatically bring your business under the scope of the GDPR. To fall within GDPR requirements, intentional targeting and substantial presence in the EU are key factors to consider.
If your primary customer base is in a non-EU country and you are not intentionally targeting EU individuals, your business is less likely to be subject to the GDPR.
To conclude: GDPR compliance is crucial for businesses that operate in the EU or interact with EU individuals. To determine if your business falls under GDPR regulations, it’s important to understand territorial scope, intentional targeting, monitoring behaviour, and data processing on behalf of others. While it may not always be straightforward, taking a risk-based approach can help ensure data protection and build trust with your customers. Implementing privacy foundations and best practices, regardless of GDPR requirements, is a responsible approach in today’s privacy-conscious world.