We’ve heard from a lot of companies recently that were surprised to learn that the EU General Data Protection Regulation (GDPR) applies to them. The Regulation, which takes effect in May next year, is huge in scope, unifying data protection laws across the EU. Its scale has led to many companies presuming that it only applies to companies that process large volumes of personal data. However, depending on a handful of factors, no matter what size a company is, it may be subject to the Regulation’s requirements. Here are a handful of questions to determine whether you need to pay attention to the GDPR:
Do you process EU residents’ personal data?
If you do, then the GDPR probably applies to you.
It doesn’t matter whether you are based in an EU state or not – if your company processes, stores or transmits personal data belonging to EU residents, then you will almost certainly be required to comply with it.
Are you engaged in economic activity?
The one caveat to that that the GDPR does not apply to people processing personal data in the course of exclusively personal or household activity. This means you wouldn’t be subject to the Regulation if you keep personal contacts’ information on your computer or you have CCTV cameras on your house to deter intruders.
To fall within the remit of the GDPR, the processing has to be part of an “enterprise”. Article 4(18) of the Regulation defines this as any legal entity that’s engaged in economic activity. You must be careful not to mistake business conducted from home for household activity.
Does your organisation have fewer than 250 employees?
The GDPR broadly expects all small and medium-sized enterprises (SMEs) to comply in full with the Regulation, but it makes some exceptions for organisations that have fewer than 250 employees.
The Regulation acknowledges that many SMEs pose a smaller risk to the privacy of data subjects than larger organisations. For example, Article 30 of the Regulation states that organisations with fewer than 250 employees are not required to maintain a record of processing activities under its responsibility, unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data […] or personal data relating to criminal convictions and offences”.
So, does the GDPR apply to you?
If you’ve now realised that the GDPR applies to your organisation, you should find out what your obligations are and how you can achieve compliance.
Our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course provides a comprehensive introduction to the GDPR and helps you understand the implications and legal requirements for organisations of all sizes.
The course is delivered by an experienced data protection practitioner, and is ideal for both managers who are already involved in data protection and individuals who want to get started in the field.
Hi Luke
Thanks for the article. I am still unsure about the following.
With a small group of friends I run occasional music gigs fin a small church in Leeds. We have a email mailing list of people who have bought tickets for our gigs or who have otherwise asked us to put them on our mailing list. We do not hold any information apart from name and email address. Does the GPDR apply to us? We are not a company or an otherwise “legal entity”, we are just a bunch of friends. We do most promo through our facebook page.
Also, I have lots of friends and acquaintances who are musicians/in bands and this lead to me wondering if GPDR will apply to them? Again they have email mailing lists of fans, but are not “companies” or (as far as I know) “other legal entities”
Thank you,
Confused in Leeds
PS How long did the kg of jelly beans take to eat?
It depends if you’re raising any money from your gigs. The GDPR defines an “enterprise” within Article 4(18) as any legal entity engaged in economic activity.
If that applies to you or your friends/acquaintances, you’ll need to put in place all the requisite GDPR compliance requirements. I suspect that might more trouble than it’s worth, in which case you could look for ways to spread information about your band without collecting personal data.
Hi Luke,
My company has contact details of employess of our customers which use for general day to contact (technical support, general queries etc). We don’t use it for marketing or any kind of unsolicted sales. We are a small company of less than 50 employees. Would GDPR still apply to us?
Hi Dan,
The GDPR doesn’t just apply to marketing activities. It refers to all data collection that’s part of “economic activity”. No matter what size your organisation is, and no matter what you do with that information, the GDPR will apply if you are collecting EU residents’ data.
I run a village email service providing parish council information (agendas and minutes), information from various government departments (Health & Safety, Police, Trading Standards), village announcements (upcoming events) and any information useful to villagers. It is an entirely charitable venture with no economic activity involved and no product advertising or political messages. I have just over 100 people on my email list.
All my subscribers have personally applied to join over many years, their applications deleted after sign-up, and it will be a nightmare obtaining fresh applications (confirmations) for filing. So does GDPR apply in my case?
Sorry Luke, please forgive my bad manners in not thanking you for excellent article. I have passed it on to many who are troubled by GDPR.
Hi David,
The GDPR applies to any organisation involved in “economic activity”, and it’s not immediately clear if that applies to you. Economic activity isn’t limited to for-profit companies (charities are subject to the Regulation), nor does the data collection have to be directly related to economic activities (information can be collected for any number of purposes). It’s probably worth seeking legal advice from someone who is able to learn more about the data you collect and the way you use it.
Luke,
It is certainly confusing, but although I used the term ‘charitable’ my village email service really does involve no financial activity – no sign up fee, no fund collections, just the sharing of official and local information. What little costs are involved are funded by me as my small service to the village. Nor do I hold any personal information apart from the name and email address of each member of the list. But I will of course seek legal advice and thank you for your help.
If my company is located in Country X (outside EU) and processes data of EU citizens who reside in Country X (outside EU) is my company then liable to comply with GDPR?
Yes, Asha, that’s correct. The GDPR applies to all EU residents.
Is it “EU Residents” only, or also “EU Citizens residing outside of the EU”?
For example, an American living in Europe, is a EU Resident. A Dutch citizen living in the US, is not a EU Resident, but still a EU Citizen.
Can you clarify which of these scenarios make GDPR in scope?
Hi Simon,
The GDPR’s terminology makes this a bit confusing. The GDPR applies to anyone who is in the EU; that typically means residents, but it also refers to tourists/visitors — so ‘citizenship’ isn’t really relevant. In fact, confirming someone’s citizenship is a murky personal data situation itself.
However, the GDPR also applies to EU citizens who aren’t in the EU (temporarily or permanently).
Both people in your example would be subject to the GDPR.
Hello Luke,
Some very helpful information here. Is there any difference between personal and business information? We hold business contact information for our customers but not their personal information. eg, a persons work phone, work address, work email etc but not their home or personal information.
Thank you.
Hi Jason,
The term ‘personal’ in ‘personal data’ doesn’t mean the same thing as, say, ‘personal life’ (as in one’s personal email, etc.). Really, it means anything that can identify one person from another. If someone has their own work email address or phone number, it would be considered personal data.
Thanks Luke. That helps. Excellent information here!
Hi Luke
Does the information you hold and the under the regulation ONLY apply to EU residents, or those outside of the EU? We have many Chinese clients and I was wondering whether we need to contact them as well?
Any help much appreciated!
Best regards
Tony
Hi Tony,
The GDPR only applies to EU residents’ personal data.
Hello Luke ,
Thanks for the article .
I do have couple of Doubts regarding GDPR , My company is basically into HealthCare Provider ( Hospitals) established and Operating in Middle East. We do have staff and Patients who are EU Citizens , Our concern is that whether our Company will fall under the Umbrella of GDPR. On an additional note Our Company is listed London Stock Exchange.
Second Company is into Pharmaceutical Manufacturing and we do exports to European Countries did this company also fall under the Umbrella of GDPR
Third Company is into Pharmaceutical Manufacturing and R&D , and this company is going for Clinical Trials in EU so did this company also fall under the Umbrella of GDPR ?
Thanks You
Hi Diljith,
Any processing of personal data belonging to EU residents (whether they’re staff or patients) falls under the scope of the GDPR. Similarly, if you are collecting personal data of EU residents while doing clinical trials, the GDPR applies.
Exporting goods to the EU doesn’t fall under the scope of the GDPR, unless you are collecting personal data while doing so. (Perhaps you have contact information of suppliers in the EU).
Hi Luke ,
To be more precise , my concern is over Citizen and Resident , in one article it’s mentioned that ” It should be noted that the GDPR does not apply to the personal data of E.U. citizens; it applies to the personal data of individuals who are in the E.U. when their personal data is collected from them. Those protections then follow that data if it is transferred outside of the E.U”
So if we have EU Citizen as Patient or Employee , did the GDPR implies to us ?
Ref : https://blog.willis.com/2017/05/the-e-u-s-general-data-protection-regulation-are-the-natural-resources-industries-ready/
Hi Diljith,
The article you reference is essentially correct. The GDPR applies to two sets of people. First, to anyone who is in the EU. That typically means residents, but it also refers to tourists/visitors. Second, it applies to EU citizens who aren’t in the EU (temporarily or permanently).
If you have EU citizens as patients or employees, the GDPR applies to you.
Hi Luke ,
When we went through the checklist for GDPR Compliance , there found a requirement for LSA ( Lead Supervisory Authority ). In our case we don’t have any establishment in EU countries and we do deal with EU Citizen data. In this case what will be the better option to comply.
Note : We do have one Acquired Entity in Spain.
Hi Diljith,
You should probably choose Spain’s data protection authority.
Hello Luke,
Does GDPR only apply if your customers are private persons not if they are other business (so B to B)?. I think of the individuals within organisations that you may keep business card type of information about.
Hi Anders,
The GDPR applies to all EU residents, no matter how you are related to them (B2C or B2B) or what personal data you hold on them.
Hello Luke,
We are a US based pizza company with online ordering system. Does GDPR apply to us if EU citizen is vacationing (or temporarily living) in US and orders a pizza from us providing their name, address and credit card info?
Hi James,
The GDPR applies to all EU residents (no matter where they are or the data is processed), so yes, the GDPR would apply. Given how complex it is to comply with the GDPR, you’d probably be better off finding a way to not collect personal data wherever possible.
Luke,
I just came across this scenario from another GDPR Blog that seems to contradict your response above. Can you please clarify or am I missing something here?
A tourist from the EU logs onto the website of a nearby US pizza restaurant from their US hotel. They provide personal data such as credit card details and name, to order a pizza delivery to their US hotel = GDPR is not applicable – this is not a product or service being provided in the EU.
Hi James,
That blog is wrong. The GDPR doesn’t make it especially clear, but eugdpr.org summarises: “The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects.”
Hi James,
Thank you for taking the time to post the article and reply to those with queries.
I am part of a committee who run free events to knowledge share construction best-practice.
We hold email addresses, names and job titles.
We take no money, all events are free and the email is only used to send out reminders to register for the next event and when the Christmas meal will be!
Is this excluded from the “Economic Activity” criteria; or should we prepare for the GDPR date?
It appears to be low risk to my mind?
Regards,
Pete Hughes
Hi Pete,
The GDPR doesn’t explicitly state what counts as “economic activity”. Although you might be okay, the term could broadly apply to any services offered, regardless of whether they were free or not (charities, for example, are subject to the GDPR). If you’re in any doubt at all, you should consult a legal professional.
Hi Luke
GDPR mentions data subjects “who are in” the EU
Some articles mention “citizens of EU” and others “residing in the US”
What are the correct considerations to have. It does make a difference if I am a German residing in Mauritius or I am a Mauritian residing in Germany
Thanks!
Hi Shameem,
The GDPR applies to two sets of people. First, to anyone who is in the EU. That typically means residents, but it also refers to tourists/visitors. Second, it applies to EU citizens who aren’t in the EU (temporarily or permanently).
The Regulation would apply to you in both scenarios you mention.
Does GDPR apply to NGOs that accept only donations and does GDPR apply to Government Organisations?
Does GDPR apply to your organisation? Since I have to leave my email? 🙂
Hi Darko,
Yes, the GDPR applies to government agencies and NGOs — provided they collect EU residents’ personal data.
Luke,
Does volume come into play at all? We have a call center in US that supports our US business, but occasionally we may receive call from UK customer with a complaint as they contacted us by mistake instead of the UK call center. The US call center takes their name, email address, phone number and passes info along to UK for follow-up. Last year there were less than 70 occurrences of this. Does our US call center need to be in GDPR scope if it is not intending to support UK customers.
Hi James,
There is no exemption for volume, so in theory, you would be subject to the GDPR. However, you’d probably be better off not taking down their information and instead giving them the UK number.
I own a repair buisness I keep my customers names written on a sheet of paper I am a sole trader how do I stand on the new regulations.
Hi Anthony,
First, it’s worth clarifying that the GDPR applies to any enterprise that collects EU residents’ personal data, no matter what size. Our blog has covered what sole traders need to do to prepare for the GDPR.
However, if you are only collecting names, you might be okay. A name by itself isn’t necessarily personal data. We’d always advise erring on the side of caution, though, and would suggest you consult a legal expert about your data collection process.
Luke, I’m not sure about the second part, personal data is any data that can be used to identify an indivual. Given the fact that I know the names and possibly the location of Anthony’s repair business, I can make educated assumptions, which by the Working Party 29 articles, raises the ease of identifiability, which leads to a higher severity score should there be a databreach.
As we said, a name by itself isn’t necessarily personal data: many names aren’t unique (like, say, “John Smith”). Knowing the location of the repair shop is academic; it’s not part of the personal data, and you’d need to do more research to connect the names to nearby addresses.
From what you write and other articles I have read, the GDPR would apply to the US Government when it is collecting visa or taxation information on EU citizens. If so, is this not a good example that the whole thing will be more or less unenforceable in most cases outside the EU? The pizza company example is small beer compared to the US Govt.
Organisations outside the EU that collect EU residents’ data need to select an EU supervisory authority, who will be responsible for enforcing the GDPR. A common criticism of the GDPR is how viable this is. Nonetheless, it’s the law, and any organisation that doesn’t abide risks strong punishment and reputational damage. If the US government were to be fined by another country’s supervisory authority, it would look very bad indeed.
Hi Luke,
Thank you for all your tips ! My question is if I am working with certain individuals in large companies, can I send a generic consent request to one of my contacts at that company or perhaps the CEO, or do I need to obtain the consent from any person I have contact with at that company. Many thanks !
Regards
Daniel
Hi Daniel,
It depends why you’re contacting these people. The GDPR only applies if you’re collecting and storing personal data. If you don’t plan on storing the data (i.e. you only want to email them for work-related (or personal) purposes), you don’t need consent.
Apologies but I have another (basic) question. The idea of GDPR is to protect data obtained in the context of your economic activity. Is the consent therefore required from the person you have obtained data from or from those you might be sending that data to, or both ??
Thanks again
Daniel
Hi Daniel,
Consent (or any lawful basis) is only applies only to the people you are collecting data from. But remember, requests must state what the organisation plans to do with that data, including whether it will be sent to any third parties.
Hi Luke,
We are not working directly with EU. If don’t meet the GDPR partly or at all , what is the possible repercussion?
Thanks,
Julien
Hi Julian,
Assuming that your organisation collects EU residents’ personal data (and therefore that the GDPR applies to you), your supervisory authority could put in place enforcement actions requiring you to meet the GDPR and possibly even fine you. In extreme cases, non-compliant organisations face fines of up to €20 million or 4% of their annual global turnover, whichever is higher.
Hi Luke,
Would GDPR apply to a school charity whose purpose is to raise funds for the schools resources?
Thanks!
Hi Dylan,
Yes, the GDPR applies to schools and charities. Given how time-consuming GDPR-compliance is, you might be better off finding a way of raising funds without collecting personal data. For example: cash donations with no names attached.