The good news about the upcoming General Data Protection Regulation (GDPR) is that it will apply to small and large companies equally. This will ensure fair competition and a strong set of privacy rules.
The entire privacy landscape will be revamped and made equal. Since the GDPR applies to EU data and is not based on the company's domicile, there is no way for large companies to avoid their GDPR obligations by moving to a non-EU country.
In other words, there are no loopholes that large companies can exploit to gain an advantage over smaller ones that have no legal department to back them up. The principle is very simple – either you behave or you stop doing business with the EU.
However, we are still far away from seeing compliance. Less than 50% of companies have begun preparing for the inevitable, and there is less and less time, as the GDPR enters into force on 25 May 2018.
To Whom the GDPR Applies
First, companies should determine whether they are bound by the GDPR. In most cases, larger companies will be bound, since most do business with the EU.
The company does not need to be located in the EU for the GDPR to apply. If it has clients from the EU, or does business with EU companies, then data originating from these clients and companies is protected by the GDPR.
Most large companies have their representatives in the EU, which means their offices must be GDPR-compliant without further ado.
However, the GDPR could apply even if the company merely markets towards EU customers. This is determined by reviewing the marketing language, the currency used and the perceived target market. The only way for the GDPR not to apply is to block EU customers from visiting the website, or to make it clear that any EU visitors or shoppers have not been intentionally marketed to.
In some cases, with limited EU-sourced data, the company may be exempt from the GDPR, but these cases are few and far between. Note that, barring unusual circumstances, the usual cross-border data transfer rules still apply.
Companies with more than 250 employees must be careful to keep records meticulously. Companies can later use these records as proof of compliance with the GDPR provisions.
If companies introduce any changes to how they handle data, all their subsidiaries must be informed and records must be properly updated. This is an example of GDPR compliance being a continuous process, not a one-time action.
Companies must remember to appoint an official EU representative if they plan on doing business with the EU. The representative should be involved in the current privacy affairs. They will serve as contact points between the company and EU customers and institutions.
The representative should act according to the company's directions, but is allowed to provide advice to the company's headquarters. There are no set rules as to which EU country the representative must be appointed in, so companies can choose whichever they see fit.