
When, Where, & Who Does GDPR Apply to?

Annie Greenley-Giudici

Does the GDPR Apply to Your Organization? 3 Examples

In the lead-up to May 25, 2018, when the EU General Data Protection Regulation (GDPR) became enforceable, we saw many organizations scramble to prepare. The question of “When does GDPR apply?” was common.

Data security leaders at companies located in the EU or doing business with people in the EU invested time and money into assessing GDPR compliance readiness.

They have since set up new data collection and security processes, technology, and controls to ensure they comply with the GDPR.

We also know some U.S. organizations have struggled with day-to-day decisions about when the GDPR does or does not apply to their data processing activities.

In our conversations with some clients, we heard three common misconceptions about GDPR applicability:

  1. Collecting data from public sources
  2. Personal data masked from internal teams
  3. Data stored outside the EU

Below, TrustArc’s privacy experts share their insights on these three misconceptions and suggest some things to consider in your company’s GDPR applicability analysis.

Example 1: Collecting Personal Data from Public Sources

Common misconception: the GDPR does not apply to personal data collected from public sources

Some organizations believe that the GDPR does not apply to publicly available information about an individual because it isn’t ‘private’ information.

This belief might also include various qualifiers to justify it, including:

  • Because the personal data was not collected directly from the data subject, the organization collecting it is neither a processor nor a controller
  • Because the data was collected from fully public sources, the organization does not have a contract with anyone.

One example given to support this belief is a company managing a business directory. The directory was created by collecting information entirely from public data sources.

These business directories are common tools for networking. They typically allow people to search a business name and access information identifying the owners and any other people associated with that business, including contact information.

Expert insights on GDPR applicability and compliance

This idea might be appealing, but the fact that personal information was collected from public sources does not take it outside the scope of the GDPR.

Here is an overview of relevant articles in the GDPR:

  • GDPR Article 2 explains how the material scope of the regulation “applies to the processing of personal data”
  • GDPR Article 4(2) defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data…”
  • GDPR Article 4(7) defines a controller, in part, as the entity who “determines the purposes and means of the processing of personal data”.

These articles make it clear that if a company processes the personal data of any individual in the EU – regardless of the original source – then the GDPR applies.

So, in the example of a company managing a business directory, the GDPR applies because it has collected names, job titles and business contact information (addresses, phone numbers and email addresses) about individuals located in the EU.

All this information qualifies as ‘personal data’.

There isn’t a loophole because the information was extracted from public sources. The company has clearly processed personal data and is effectively taking on the role of a controller.

It’s also important to remember an organization’s obligation under the GDPR: if it collects personal data about any individuals in the EU, it must explain how and why that data was collected and used.

GDPR Article 14 unambiguously refers to “Information to be provided where personal data has not been obtained from the data subject”.

It includes requirements for controllers to explain:

  • The original sources of the personal data
  • The purposes of the processing (including the legal basis for processing personal data)
  • The categories of personal data collected
  • Identity and contact details of the controller
  • Any recipients of the personal data
  • How long the data will be stored
  • The individual’s rights to request access and changes to, or removal of, their personal data.

Note: although we used business contact information in this example, be aware the GDPR does not differentiate between business and non-business contact information.

Example 2: Personal Data Masked from Internal Teams

Common misconception: masking personal data from internal teams is just as good as erasing it for GDPR compliance

We’ve also heard another interesting belief that masking personal data from internal teams is just as good as erasing the data internally and, in this way, the organization can comply with the GDPR.

The main justification seems to be that masking information – making sure it can’t be seen or used in any way by internal teams – meets the requirements for GDPR Article 17: Right to erasure (‘right to be forgotten’).

Expert insights on GDPR applicability and compliance

This idea doesn’t work for GDPR compliance because the personal data has not actually been erased: it has simply been hidden.

GDPR Article 17 defines the right to erasure as “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”.

It explains several reasons an individual (data subject) would want to exercise their right to be forgotten, and it defines the requirement to erase data under certain circumstances – but it doesn’t mention masking data.

Masked data can be unmasked, and even while masked it still exists in an identifiable form. Therefore, the right to erasure (right to be forgotten) of an individual in the EU has not been met.
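As an added illustration (not code from the TrustArc article), the constructed Python sketch below contrasts the two approaches. A masked record only changes what internal users see; the underlying row, and any copy of it in a backup snapshot, still carries the data subject’s identifiers. An erasure removes the record from every place it is stored. The store, the sample people and the `still_identifiable` check are all invented for this example.

```python
"""Added example (not from the TrustArc article): masking is not erasure.

A constructed in-memory customer store with a primary table and a backup
snapshot. Two ways of "handling" a right-to-erasure request are shown:
masking the record at the presentation layer, and actually deleting it
everywhere it lives. A check then searches all storage for the subject's
identifiers, which is the question that matters under Article 17.
"""
import copy

# Constructed sample records (fictitious people, not real data).
RECORDS = {
    101: {"name": "Alice Example", "email": "alice@example.eu", "phone": "+32 2 555 0101"},
    102: {"name": "Bob Sample", "email": "bob@example.eu", "phone": "+33 1 555 0102"},
}


class CustomerStore:
    """Minimal store: a primary table plus a snapshot taken for backup."""

    def __init__(self, records):
        self.primary = copy.deepcopy(records)
        self.snapshot = copy.deepcopy(records)  # e.g. last night's backup
        self.masked_ids = set()

    # "Masking": only the view changes; the stored data is untouched.
    def mask(self, subject_id):
        self.masked_ids.add(subject_id)

    def view(self, subject_id):
        """What an internal team sees; masked records show only asterisks."""
        rec = self.primary[subject_id]
        if subject_id in self.masked_ids:
            return {k: "*" * len(v) for k, v in rec.items()}
        return dict(rec)

    # Erasure: remove the record wherever it is stored, including backups.
    def erase(self, subject_id):
        self.primary.pop(subject_id, None)
        self.snapshot.pop(subject_id, None)
        self.masked_ids.discard(subject_id)

    # Compliance check: can the subject still be located anywhere in storage?
    def still_identifiable(self, identifier):
        needle = identifier.lower()
        for table in (self.primary, self.snapshot):
            for rec in table.values():
                if any(needle == value.lower() for value in rec.values()):
                    return True
        return False


def handle_request(store, subject_id, method):
    """Apply 'mask' or 'erase' and return whether the subject is still identifiable."""
    email = store.primary[subject_id]["email"]
    if method == "mask":
        store.mask(subject_id)
    elif method == "erase":
        store.erase(subject_id)
    else:
        raise ValueError(f"unknown method: {method}")
    return store.still_identifiable(email)


if __name__ == "__main__":
    store = CustomerStore(RECORDS)
    print("masked view:", store.view(101))
    print("after mask, still identifiable:", handle_request(store, 101, "mask"))
    print("after erase, still identifiable:", handle_request(store, 101, "erase"))
```

The `still_identifiable` check is the useful part: it deliberately looks in the snapshot as well as the primary table, because an erasure that only touches the live database leaves the same identifiable data in backups, which is the same shortcoming as masking seen from a different angle.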

Example 3: Data Stored Outside the EU

Common misconception: moving the data center to store personal data outside the EU means the GDPR won’t apply

One of the biggest misconceptions is that if a company stores personal data outside the EU, then it doesn’t have to comply with the GDPR.

Some of the ideas we’ve come across and had to correct include:

  • Companies operating in the EU believing they are exempt from the GDPR because they store, or have moved, all their data in a data center outside the EU
  • Companies can get a vendor outside the EU to collect the data for them
  • Companies can bake in disclaimers and conditions in contracts with customers that release them from having to comply with the GDPR.

Expert insights on GDPR applicability and compliance

The location of a data center does not affect whether a company must comply with the GDPR. In fact, this issue is explicitly addressed in GDPR Article 3: Territorial scope.

Article 3(1) notes the GDPR applies to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”.

The second and third points of Article 3 explain how the GDPR applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union”.

Moving data from the EU does not eliminate the necessity to comply with the GDPR.

It can even add extra requirements, including:

  • Proving the legal basis for trans-border data flow, if an organization moves personal data about individuals in the EU to a data center outside the EU
  • Being responsible for how other organizations manage data on behalf of the organization.

One of the key intents of the GDPR is to prevent organizations from outsourcing responsibility. GDPR compliance can become more complicated when more companies are involved in managing personal data of individuals in the EU.

Even where a customer acting as controller outsources work such as data collection, each party – the controller and the processor – has direct responsibilities, regardless of what is in the contract between the two organizations.

Data Privacy and Data Security are Equally Important

Before the GDPR was introduced, data security was often top of mind for many organizations, followed by personal data privacy concerns.

Any company developing systems and processes for GDPR compliance needs to treat privacy and security as equally important.

The European Commission makes it clear organizations are expected to protect the privacy of individuals in the EU when processing their personal data, and notes the GDPR applies to:

  • “A company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed
  • A company established outside the EU … offering goods/services (paid or for free) or … monitoring the behavior of individuals in the EU.”

The European Commission also notes some obligations of the GDPR will not apply to organizations if “processing personal data isn’t a core part of your business and your activity doesn’t create risks for individuals”.

The key here is knowing whether your organization’s data collection activities capture any information that could be used to identify any individual (data subject) in the EU, either directly or indirectly.

Article 4(1) in the GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’)”.

It also explains that along with common identifiers, such as name or identification number, information that could be used to identify a data subject includes:

  • Location data
  • Online identifiers
  • References to “one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Your organization’s privacy policies and controls must take these other identifiers into account for all data collection activities during interactions with people in the EU.

Do you need support for GDPR compliance?

TrustArc’s privacy experts can help your company analyze when and how the GDPR applies to your data collection and data security activities.

We’re always ready to answer questions about approaches to help your organization comply with the GDPR and we offer a range of solutions to support your information security strategies.
