Does GDPR Apply To Your Organisation?
GDPR makes a number of important changes to the existing data protection framework. One of the most important is its expanded territorial scope. Under the GDPR, the location of the individual whose data is being processed is a key factor, whereas the existing EU Data Protection Directive is more concerned with the location of the processing.
In practical terms, this means that the GDPR will now apply to organisations based outside the EU that offer goods and services to, or monitor the behaviour (for example, for marketing) of, EU-based individuals. For example, a US-based organisation selling goods or services to an EU-based customer base and processing their data in the US could now find that it falls within the scope of the GDPR.
This expansion of scope was set out as one of the main objectives of the GDPR and was designed to bring the regimes for organisations established inside and outside the EU together.
If your organisation or business is based in the EU and uses service providers who process personal data outside of the EU, you should assess their arrangements for compliance with the GDPR before May 2018. For further information on how you can work with suppliers to prepare for the GDPR, see this post on working with suppliers.
While the GDPR extends the protection of personal data outside of the EU, it does not change the means by which personal data may legally be moved abroad. Transfers of personal data outside of the EU are based on mechanisms designed to afford adequate levels of protection to that data in the country it is transferred to. A number of legal mechanisms are currently in use for such international transfers, including EU adequacy rulings, model contract clauses, and the EU-US Privacy Shield for transferring personal data from the EU to the US. The GDPR also allows for additional mechanisms to be developed in future. You can find further information on existing adequacy agreements and examples of model contract clauses on the European Commission website: https://ec.europa.eu/commission/index_en
In a nutshell, the GDPR aims to give EU residents peace of mind that their personal data is protected using the correct methods.