... Are public comments inaccurately conveying the notion that the GDPR only applies to organizations
- processing PII*
- of prospects / clients
- who are EU citizens.
Let's keep it simple:
Every organization worldwide
needs to be GDPR-compliant!
Too simple? No - unless an organization's business mission is to never be in contact with anyone that lives in the European Union, the provisions of the GDPR apply - whereas more precisely
- "Be in contact" means holding / processing (at least contact) data about that "anyone" (may that data be PII or not),
- "Anyone" means a natural person in any role, e.g. being or representing a prospect, customer, job applicant, employee, cooperation partner, supplier, ...,
- "Lives" means resides (GDPR even more generally stipulates: is) within the borders of the EU regardless of their citizenship.
This been said, I believe it is safe to assume that excluding contacts with the European Union is not a sustainable business model. Moreover, a business does not necessarily have any control over e.g. its customers' choices where they may temporarily or permanently reside (see also my post here).
Complementarily phrased: An organization is exempted from the provisions of the GDPR only if its business is local by nature and does not process any data relating to natural persons with whom it is in contact for business reasons.
* PII (commonly: "personally identifiable information", but more precisely: "person-identifying information")
[Legal disclaimer: This blog post is not intended to be legal advice, but to raise awareness that it is recommended to consult a lawyer.]