A not small number of articles and comments repeatedly and inaccurately conveys the notion that the GDPR (General Data Protection Regulation) only applies to organizations
- processing PII*
- of prospects / clients
- who are EU citizens.
Let's keep it simple:
Every organization worldwide
needs to be GDPR-compliant!
Too simple? No - unless an organization's business mission is to never be in contact with anyone that breathes the air of the European Union, the provisions of the GDPR apply - whereas more precisely
- "Be in contact" means holding / processing Personal Data** (which accordingly is a superset of PII) about that "anyone",
- "Anyone" means a natural person in any role, e.g. being or representing a prospect, customer, job applicant, employee, cooperation partner, supplier, ...,
- "Breathes the air of the European Union" means physically is within the borders of the EEA*** regardless of their citizenship.
This been said, I believe it is safe to assume that excluding contacts with the EEA is not a sustainable business model. Moreover, a business does not necessarily have any control over e.g. its customers' choices where they may temporarily or permanently be (see also my post here).
Complementarily phrased: An organization is exempted from the provisions of the GDPR only if its business is established outside of the EEA, is local by nature and does not process any data relating to natural persons with whom it is in contact for business reasons.
* PII (commonly: "personally identifiable information", but more precisely: "person-identifying information")
** Personal Data ... means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person [GDPR Art. 4 (1)].
*** EEA (European Economic Area / Since July 20th, 2018, the territorial scope of the GDPR includes Iceland, Liechtenstein and Norway - in addition to the EU member states.)
[Legal disclaimer: This blog post is not intended to be legal advice, but to raise awareness that it is recommended to consult a lawyer.]