The multijurisdictional scope of the EU GDPR
Crucial to the General Data Protection Regulation (GDPR), and integral to the entire legislation, is its explicitly extended territorial scope. This rather ambitious piece of legislation clearly seeks to exercise control and impose sanctions in jurisdictions beyond the EU when the data protection rights of EU citizens are at risk.
The GDPR will apply to organisations which have some form of EU establishment where personal data are processed in the context of their activities. If this criterion is met, the GDPR applies irrespective of whether the actual data processing takes place in the EU or elsewhere. In that context, the GDPR applies to:
- Non-EU organisations that target or monitor EU data subjects
- Non-EU organisations that process personal data about EU data subjects in connection with any data or transaction
Global organisations subject to the GDPR's jurisdictional reach must appoint an EU-based representative. Let's take some examples:
- Using e-mail to communicate and process personal data.
- A large IT services organisation headquartered outside the EU but with (sales) offices in any EU country will be subject to the GDPR.
- Another example is a financial institution which has its data centre outside the EU but has branches in the EU to serve its own nationals and those of other countries in the EU, as well as EU data subjects. Such financial institutions fall within the territorial jurisdiction of the GDPR.
- Any e-commerce website hosted and operated outside the EU that also caters to EU data subjects will need to comply with the GDPR, even if the data is stored outside the EU.
Personal data is stored in a multitude of databases, HR systems, personnel files, e-mails, archives, payroll systems and many other sources, including the intranet, own or external websites, whistleblower systems and more. Information on customers is also stored in databases, e-mail and archive systems, CRM systems, mailing lists and more. All these data components need to be scanned for all personal data.
The new generation of computer logs used in work systems and devices also involves processing of personal data. Payment transactions, whether in person or online, also entail processing of data. Processing even occurs when we give feedback on our colleagues during the annual appraisal. Therefore practically every technology device and database used in business processes involves personal data in some way, and all of them fall within the scope of that scan.
Data Protection Officer
The DPO also has a vital role in the compliance enforcement of the GDPR. The most apparent added task and duty is the advancement of organisational security and discipline within the data protection function. The DPO has to take on multiregional responsibility rather than being concerned with only one jurisdiction: assume global responsibility, create value for the enforcement duty and the security function, and streamline processes.
The framework and impact assessments are primarily based on industry best practices. Some global organisations that already have a data protection programme use various privacy frameworks. It is advisable that these frameworks include a tool for privacy impact assessments. With the GDPR, the focus must then shift towards these three areas to comply with the above:
- Adopt the prescriptive nature of controls in the regulation across many areas as described above
- Enhance the existing framework to reflect the multijurisdictional requirements of the GDPR
- Review the material and territorial scope of processing in the context of the GDPR.
For more information on the material and territorial scope see:
- Material scope: Article 2, Recitals 15-21
- Territorial scope: Article 3, Recitals 22-25