What are the GDPR (General Data Protection Regulation) implications for US residents selling into the UK and EU?
When expanding into Europe from the United States, there are a whole lot of compliance-based regulations you must adhere to in order to legally sell online in the market without any risk to your products or business.
From being VAT registered, to having a responsible person within the region, to ensuring your product labels are correct, there’s a lot to consider. This is all well before you even think about the rules surrounding customer data and what you can and can’t do with it legally.
In May of 2018, the European Union enacted one of the world’s strictest set of rules for personal data protection. The formal name of this legislation is the General Data Protection Regulation, but it is more commonly known as the GDPR.
The GDPR regulates personal data, which is defined as any information that can identify an individual, called a “data subject.” Affected companies must comply with data subjects’ wishes on how their personal data is processed, as well as keep records of how this processing occurs.
The GDPR is designed to give EU citizens more control over the personal data that organizations collect, process and store about them. The scope of the term “personal data” under the GDPR is significantly broader than most US compliance laws, which tend to only protect data that can be used to commit fraud.
Does this apply to me, a business based outside the EU?
In short, yes. The GDPR does recognize that some non-EU companies do business with EU citizens only on an incidental basis: according to Recital 23, foreign companies are required to comply with the GDPR only if they target EU residents with their marketing. For instance, if you have a localized website in the language of an EU member state and/or list prices in Euros, you would be assumed to be targeting EU citizens and would therefore be subject to the GDPR.
In general, you may be held liable if any of the following conditions are true:
- You process the data of EU residents regularly.
- The rights and freedoms of those data subjects may be at risk.
- You process information related to special data categories, including health status, racial or ethnic origins, sexual orientation, or religious beliefs.