
Does the GDPR Apply to Your Business?

Please note:
The information and opinions within this content are for information purposes only. They are not intended to constitute legal or other professional advice, and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. 

The General Data Protection Regulation – or GDPR – is the overall regulation on the protection and handling of personal data for the European Union, coming into force from 25th May 2018.

It may not be the most exciting of topics but no one working in digital marketing – or indeed any business that deals with personal data – doubts the importance of the GDPR. It brings changes to existing data protection law, and is designed to strengthen rights and empower individuals by giving them more control over their personal data.

Things such as clear consent and data protection principles are given greater emphasis. These changes to data usage could potentially have a huge impact on businesses and the way they handle their customer data.

If you’re an advertiser, publisher or other Rakuten Marketing partner dealing with customer data, it’s very important for you to have a robust compliance regime in place. If businesses aren’t compliant by 25th May 2018, the consequences could be drastic: warnings of fines of up to 4% of annual global turnover or 20,000,000 EUR have been clearly laid out.

It may sound simple but one of the first steps to GDPR compliance is understanding whether the new EU regulations apply to your business. If you’re not in the EU, it could be easy to assume that the GDPR won’t affect you, when in reality this is far from the case. And what does Brexit mean for UK businesses and the GDPR?

Although the regulation is for the European Union, its significant impact is global. We’ve created this simplified diagram to help give you a clear, top-line understanding of whether the GDPR is likely to apply to your business. For a more detailed explanation, read the accompanying information below.

Does the GDPR apply to your business – simplified diagram

Does your business collect, use or process personal data?

If your business doesn’t collect, use or process personal data in any way, then straight away you know that the GDPR doesn’t apply. Be sure to remember, however, that just because the GDPR isn’t applicable, this doesn’t mean that other privacy protection laws won’t have an impact.

It’s also worth noting that the scope of ‘personal data’ is very broad. Not only does it include things like name and address, but it may also include identifiers such as IP address and other things that might not be obvious if you’re unfamiliar with EU privacy law.

Is an office of your business in the EU?

If your business collects, uses, or processes personal data and has an office in the EU, then you will be required to be GDPR compliant.

Does your business offer services to the EU?

Even if you do not have an office in the EU, the GDPR will apply to your business if you offer services to anyone in the region. If you’re not sure if your business offers services to the EU, consider the following:

  • Do you provide your service in any European language?
  • Does your service use or accept any European currencies?
  • Do you specifically address EU customers?

If the answer is ‘yes’ to any of these questions, then it is likely that the GDPR will apply to you. Please note – this list isn’t exhaustive.

Do you monitor individuals in the EU?

Even if you don’t offer services to the EU, you may still monitor people in the EU and collect data from them. If this is the case, then again the GDPR will apply to your business and you will need to ensure compliance. ‘Monitoring’ includes things such as:

  • Profiling
  • Tracking by cookies or otherwise
  • Analysis of personal preferences/behaviour

What does Brexit mean for the UK and GDPR?

For businesses based in the UK, the decision to leave the EU has prompted questions about whether the GDPR will apply, and to what extent.

The UK government has made it clear that it intends to honour the GDPR in its ‘The Exchange and Protection of Personal Data – A Future Partnership Paper’:

  • The GDPR is due to come into force in May 2018 – before the UK leaves the EU
  • The UK played a “full and active part” in negotiations for the GDPR, and therefore the regulations reflect a number of key UK priorities
  • As such, the government has announced that it “will ensure that the UK’s [data protection] framework is aligned with the updated EU legal framework at the date of withdrawal” – i.e. the UK intends to honour the GDPR. Therefore, it is likely that UK businesses will need to continue to adhere to similar, if not the same, data protection regulation as the EU

GDPR: EU regulations, global impact

All of these points demonstrate that all global businesses need to care about the GDPR, not just those based in the EU. If your business comes into contact with or uses data associated with anyone in the EU, it’s likely the regulations will apply.

Even if the GDPR doesn’t apply to your business, it’s important to be confident that that’s the case, rather than assuming it doesn’t apply simply based on where your business is located.

Want to learn more about the GDPR? Read our other resources here: https://rakutenmarketing.com/gdpr-resources.
