Think EU GDPR Doesn’t Apply? Think Again!

EU GDPR blog post July 2016

I am surprised by the number of organisations that are yet to fully adopt a robust strategy for tackling the new EU GDP regulations both pre and post BREXIT.

From what I have seen sifting through endless amounts of freely available information it has never been too clear on what the EU GDPR has actually meant, how it will impact organisations and who it will impact the most.

But what has really surprised me is the number of organisations who no longer believe that the EU GDP regulations apply, or soon won’t apply, following BREXIT.

I have spoken to many clients and prospects from all over the globe in the past month since BREXIT and there are 3 common myths that I would like to debunk for organisations who have yet to adopt a robust strategy to tackle EU GDPR.

The Common Myths:

  • Organisations outside of the EU who think that they are also outside of the jurisdiction of EU Law
  • Organisations outside of the EU who do not have any office presence at all inside an EU member state
  • Organisations in the UK who no longer think that EU GDPR will apply to them post BREXIT

The Myths Busted:

The new EU GDP regulation will apply to any organisation which holds personal data of any EU Citizen regardless of where that data is stored. You do not necessarily need an office presence in an EU member state for the laws to apply. It is important to remember that the law is triggered if you handle data about EU individuals which has the potential to identify individuals within the EU. It is NOT about the location of that data.

Of course if you do have an office base in the EU then it doesn’t matter where your HQ is or where data of EU citizens is stored, the law will apply to your organisation and should be taken more seriously. The epic fines that could be imposed by the EU are not to be taken lightly!

On the note of BREXIT, the UK is for the time being still a member state of the EU and must abide by the EU GDP regulations. Indecisiveness by members of the board in the wake of BREXIT has lead to a slow adoption of the changes to the rules. The reality is that any UK business offering services to EU citizens – regardless of whether they hold any data in the EU – will now be playing catch as rules imposed by the EU are far more stringent than the ones in the current UK Data Protection Act.

Even post-BREXIT without properly adhering to the rules, trading with Europe is no longer an option for organisations.

If your peers do not appreciate that this is all about who the data is about and not where the data is stored then you may find yourselves using up a lot of your Cyber Security budget quicker than you think!

Danny Maher
Chief Technology Officer
HANDD Business Solutions


To discuss your EU GDPR strategy contact us by telephone on +44 (0)845 643 4063.