General Data Protection Regulation: Outside the EU

I recently got the oppCompass GDPR small.jpgGDPR Compassortunity to take on a new region with Veritas, covering a geography from Russia, through Eastern Mediterranean and Gulf countries and down through Africa.  As part of my role as CTO for the region, I have been validating the views of companies outside the EU on the topic of the GDPR and whether they see GDPR compliance as something to build into their plans.  I generally get asked the same questions by each customer or partner I meet and thought I would share how these discussions typically go.

 

 

The questions I regularly ask to get the ball rolling:

Do you do business with people residing in the EU?

It is important to note that if you hold offer goods and services to those residing in the EU, not just EU citizens, they are protected by the GDPR. Over the years many countries have joined the EU, and therefore have implemented local laws to meet the requirements of the 1995 EU Data Protection Directive, which set the guiding principles for laws in relation to holding and processing personal data of EU residents. Countries and organizations with this approach embedded into their policies would see the new requirements as an evolution of what they are doing today.

Do you have offices in EU countries?

If a company wants to continue to operate in countries and regions, they need to adhere to the regulations. Recent history has shown that when organisations have failed to adhere to regulations governing how they do business, they have to pay the fines, otherwise they will be unable to continue to operate.  For example BP was fined over the oil spill in the Gulf of Mexico, multiple international banks have been fined over the Libor-fixing scandal and Volkswagen and the emissions scandal.   If you don't pay the fines, there are examples of local regulators who have flexed their muscles and stopped companies operating.

Do you have data privacy regulations you are working with today?

As we have found with laws such as the  Protection of Personal Information in South Africa and the Turkish law on Protection of Personal Data (Kisisel Verilerin Korunması Kanunu, or KVKK). The way many countries seek to protect the privacy of individuals and the rights they have in how their personal data is used,  is broadly similar to the GDPR.  This is great news for many organisations, as this means the discipline is already embedded in the way they operate today and whether they are a data owner, or hold data on behalf of other companies, the basis is already there to develop GDPR compliance as an enhancement, rather than complete redesign.

Who else in you organisation is working on data privacy programs?

The more times I ask this question to IT teams, the more times I find out that there are already teams they have been working on evaluating their position on the GDPR. In some instances we have even used this question to re-introduce teams to each other and identify activities that can be worked on together, rather than re-inventing the wheel.  Personal data privacy is a company wide initiative and something that we see as a culture that needs to be embedded into what we do every day.

 

In summary, what we see is GDPR has relevance outside the EU and is a natural evolution of good practice in how personal data is treated and how companies can ensure they remain attractive business partners with the EU and its residents. If you want to find out more about how Veritas can help you with your GDPR compliance journey then click here. Alternatively, add a comment below and I’ll be sure to get back to you.