The Impact of GDPR On Companies Outside of The EU

By Malin H. Teles

No one has escaped the information that the GDPR (The General Data Protection Law) came into effect on May 25th. It has a huge impact on businesses in the EU and EEA, but what does the regulation mean for businesses outside Europe?

To be able to understand this, we first need to understand what the GDPR is.

The law aims to provide citizens of the EU and EEA with better control over their personal data. Personal data in this context is any information related to a person, for example name, photos, email address, bank details, updates on social networking websites, location details, medical information, or a computer IP address.

Companies need to make it possible for people to find out exactly what personal information the company has stored about them, and to demand that the information be permanently removed.

Moreover, the company needs to ask for permission to use the personal information every time the data is processed. A given consent can also be withdrawn at any time. This means that the company has to be able to prove that the individual agreed to the action in question – for example, to receive a newsletter.

So, what does this all have to do with businesses outside the EU or EEA region?

Well, quite a lot, it turns out. The regulation applies not only to EU-based companies but to all organisations selling to and storing personal information about citizens (customers and employees alike) in Europe, including companies on other continents. The GDPR applies regardless of whether the data processing takes place in the EU or not. In other words, if you are, for example, a Brazil-based company that keeps a mailing list of customers in Europe, you will need to comply with the GDPR.

For companies that don’t comply with the law there are harsh penalties to be paid. The fines are estimated at up to 4% of annual global revenue or 20 million Euros, whichever is greater.

In practice, the GDPR changes many marketing and sales activities for a company, for example the possibilities for prospecting, creating leads, building mailing lists, and sending newsletters and email marketing. Even if you buy marketing lists from an outsourced provider, you are not free from responsibility. You must make sure that the information has the proper consent from the user.