There is a great deal of information (and advice) written about data protection compliance and in particular GDPR compliance. The problem for organisations outside of the EU is that most of this information is written for organisations inside the EU. This creates a lot of confusion and causes many organisations that are not in the EU to spend money and time on things they don't need to do. The requirements for a non-EU organisation are different. Examples of non-EU organisations include an Israeli startup, a large South African bank or an Indian BPO provider. The purpose of this lens is to look at the topic of data protection compliance through the eyes of one of these non-EU organisations and help them take practical, effective action that makes sense for them.
The outcomes for this module are for you to:
- Understand what impact the GDPR may have on your organisation.
- Be up to date on the latest developments.
- Discover key insights about the risks.
- Know whether you are asking the right questions by knowing what others are asking.
- See how you compare to others by seeing the results of polls on some common questions.
- Find out what to do, when, and how. This can be done in digestible bite sizes (even over the course of several months or a year).
[Note: This module is still under development.]
Who is this lens for?
Anyone who is responsible for ensuring an organisation outside the EU complies with data protection laws. For example, directors tasked with data protection compliance, executives who sponsor data protection compliance projects, members of data protection steering committees, data protection officers, information officers, Chief Privacy Officers, Privacy Program Managers, Data Protection Project Managers.
Introduction to and glossary of data protection terms
Must you comply with the GDPR?
How are data protection authorities outside the EU enforcing the GDPR outside the EU?
Is the GDPR being enforced outside the EU? Many clients are asking us this question. How are data protection authorities (or information commissioners) outside the EU enforcing the GDPR in their respective countries? For example, how is the Australian Office of the Information Commissioner enforcing the GDPR in Australia against Australian organisations (otherwise known as APP entities) for non-compliance with the GDPR? Can we identify trends, and are there specific examples?
This article does not look at the enforcement of local data protection laws in countries outside the EU, for example the South African Information Regulator taking action against South African organisations for non-compliance with the POPI Act in South Africa.
We have conducted extensive research on the Internet to answer the question. We found no instances of the GDPR being used to sanction a company outside of the EU by a data protection authority in its own country outside of the EU. Based on our research, this has yet to happen. No non-EU data protection authority has used the GDPR to sanction a non-EU organisation yet. If you know of an instance, please let us know. This is not to say that it will not happen in the future. Quite the contrary, we believe that it will start happening extensively in the future. Information commissioners around the world have formed enforcement networks so that they will be able to do so.
Data protection authorities outside the EU have fined organisations in their own non-EU country, but they used their own legislation's process, usually a complaints and investigation procedure run through their website.
Data protection authorities inside the EU (like the ICO) have fined organisations outside the EU using the GDPR. For example, the ICO sent a notice to the Canadian company Aggregate IQ Data Services Ltd.
Written by a collection of Lexing members in countries outside the EU.
Some actions you should be taking now
Questions and answers