The General Data Protection Regulation (“GDPR”) is the new legal framework that came into effect on the 25th of May 2018 in the European Union (“EU”), and is directly applicable in all EU Member States from that date. The GDPR’s focus is the protection of personal data, i.e. data about individuals, and builds on existing data protection laws, setting out the responsibilities of businesses in relation to the personal data they collect, hold, transmit and otherwise use.
The GDPR is extra-territorial in nature and applies not just to organizations within the EU who process the data of individuals but also organizations outside the EU who offer goods or services to individuals in the EU, or who monitor the behavior of individuals in the EU. Because the EU is a trading partner of most countries, the GDPR’s wider scope means it has implications for many businesses worldwide, and will effectively require them to be compliant if they wish to operate in EU member states either directly or as a third-party for others.
As one example, if a company based in the United States or Canada, or another non-EU country, collects or processes personal data of any employee, prospect, customer, partner, or supplier that is based in the EU, that company will need to be compliant with the GDPR.
