So May 25 2018 came and went, and the much-feared EU privacy law, the GDPR, came into force. Did business stop as a result? No. So was this a Y2K-style beat-up by the legal profession, spreading fear and doubt amongst the public? No. And here’s why.
There are real consequences for businesses that do not comply with the GDPR.
The GDPR affects most businesses that deal with EU consumers, that use profiling in their marketing, that monitor users’ behaviour on their website, or that are in a supply chain involving EU companies or EU consumers, which is pretty much most businesses. And of course, if a company actually has an office in the EU, the GDPR clearly applies to that company.
One of the requirements of the GDPR is that a company must not "transfer" (which includes allowing it to be viewed online) personal data (which includes an individual’s email address and the IP address of a computer or mobile device) outside of the EU unless one of a limited number of GDPR exceptions applies. The problem is that the exceptions are so narrowly defined that there is almost no commercially practical circumstance in which it is lawful for an EU-based company to transfer personal data to Australia in a business-to-business context. So, after 25 May 2018, it may be unlawful for an EU business to send an email to a business outside the EU using the sender’s personalised email address, or to send an invoice with the accounts person’s name included as the nominated contact person.
What’s more, the EU company risks a fine of up to €20m or 4% of global group turnover, whichever is higher, if it does transfer the personal information in breach of the GDPR. The business must also self-report the breach to the regulator, and failing to do so will expose the business to a fine of up to €10m or 2% of global group turnover. Hence the warnings from the law firms.
So what happened on 25 May 2018: did the EU stop sending personal data outside the EU? It is true to say that, generally, nothing momentous happened on the day. There were well-publicised examples of certain US online newspaper groups blocking access to their publications from EU-based IP addresses, but business generally continued without interruption. But that is not to say it will stay that way.
Unlike Y2K, the GDPR is a continuous event, requiring compliance each and every day. As time passes, an increasing number of complaints will be lodged by individuals, more companies will self-report data breaches (there have been more than 160,000 self-reported data breaches so far), and the regulators have become better resourced and are now taking a more aggressive approach to enforcement. Companies both in and outside the EU will become more familiar with both the rules and the consequences of breach, and as the weekly list of enforcement cases and their fines grows, businesses are on notice.
As awareness grows and the downside risks become increasingly obvious, those in the EU will increasingly self-regulate and comply with their GDPR obligations more strictly. If you are in the EU and transferring personal data abroad is going to expose your business to a €20m fine, that is a risk not many will want to take. If the exchange of data dries up, so will trade.
It is relatively easy to comply with both the EU GDPR and the UK GDPR representative requirements. By appointing and maintaining both an EU and a UK representative, you will be compliant in both jurisdictions.
We are happy to act on your behalf as your GDPR representative. Our monthly flat-fee price is based on the size of your business.
Select your business size to appoint us as your GDPR representative in the EU & UK today.