The EU General Data Protection Regulation (GDPR) became applicable on 25 May 2018. One of the reasons the EU introduced the law was to give people more control over their personal data.
The GDPR covers the “processing” of “personal data.” Article 4(1) of the GDPR defines personal data as information that can be used “directly or indirectly” to identify a person.
This is a very broad definition. Aside from the obvious items such as a person’s name, it can also include a person’s:
- Email address
- Cookie data
- Device fingerprints and other electronic trails
- IP address (even where it’s a dynamic IP address)
“Processing” is also a broad term. The GDPR covers any operation performed on personal data by automated means, as well as manual processing of data that forms part of a filing system (electronic or otherwise). This includes, for example:
- Asking our customers to fill out a contact form on our website
- Storing a list of phone numbers from our customer database
- Sending direct marketing emails
According to Article 3 of the GDPR, the regulation applies to any person or organization that:
- Is established in the EU, whether or not the processing itself takes place there;
- Offers goods or services to people in the EU (whether they are charged for, or provided for free); or
- Monitors the behaviour of people in the EU.
Our company offers goods and services in the EU, so the GDPR applies to us. A company would also fall under the GDPR if it merely:
- Targets people in the EU with advertising cookies, or
- Stores its EU users’ IP addresses in its log files.
Does the GDPR Apply Outside of the EU?
The GDPR covers all processing of the personal data of people in the EU, whether or not the processing itself is performed in the EU. It is not only EU companies that have to comply: companies based anywhere else in the world, for example the United States, Canada or Russia, must comply too.
While some laws, such as the upcoming California Consumer Privacy Act, only apply to certain types of companies, the GDPR can apply to anyone who falls within its scope, including individuals (outside purely personal or household activity), charities, public bodies and businesses.
How we Comply with the GDPR