Many people talk about the General Data Protection Regulation (GDPR) nowadays with its pending enforcement on May 25, 2018. Since the GDPR is an EU law, does it only impact organizations located within the EU? An important thing to remember concerning GDPR applicability is that it depends on the location of the data subject. Consider the following scenarios:
- If your organization collects and processes the data of individuals residing in the EU, you need to comply with the GDPR.
- If you are not an EU citizen but your data was collected in the EU, the data collector and data processor must comply with the GDPR.
- If an EU citizen’s data was collected and processed outside of the EU, the data is not protected by the GDPR.
The purpose of the GDPR is to give every individual located in any EU member state the same protection of rights and freedoms. To protect the right to privacy, the GDPR seeks to highlight this right in the EU member states’ legislative framework aiming for a unified and secure approach to collecting and processing personal data across the EU.
The United States does not have the same legal framework covering privacy as the GDPR. The regulations covering the collection and processing of personal data depends on the type of data. For healthcare related data, it is subject to the Health Insurance Portability and Accountability Act (HIPAA). For financial data, it is subject to the Gramm-Leach Bliley Act (GBLA). Other types of data are not yet covered under American law. With the GDPR in force, it is likely that data gathered from within the EU will be processed and stored using different standards than data gathered from within the US.
Many US based organizations will likely struggle in the implementation and management of two different but parallel ways of data processing. The complexity of using different systems for managing different types of data gathered from different locations can impact efficiency of operations. It could possibly lead to mix ups and errors that result to fines or sanctions when respective regulations are violated.
When a single data falls under both or multiple sets of legislation, it can become even more confusing. For example, someone living in New York has his data gathered within the US. But if he takes a trip to Europe, his data is also collected within the EU. This can happen with a US-based multinational company like an online accommodation service or an electronics manufacturer. The company will then need to process the data from the same person using different systems to comply with different sets of legislation.
One solution that would likely simplify things is to use the same procedure of data collection and processing to all types of data whether collected in the EU or the US. It will take time and resources to create a system that will meet all legal and procedural requirements, but it will make up for the efficiency gained and risk reduction.