GDPR: Have businesses missed the trick by not thinking globally?

The General Data Protection Regulation (GDPR), which came in to effect on May 25, 2018, brought about some serious changes in data privacy. However, during the lengthy and somewhat confusing countdown, the majority of businesses only considered GDPR’s implications within EU boundaries; assuming that the legislation was something that US companies need not worry about.

This is simply not the case. While GDPR affects all companies within the EU, it also carries significant implications for companies across the globe who are dealing with EU customer data. By failing to recognise this, businesses can severely hinder their chances of operating successfully and efficiently across international markets.

Unboxing GDPR

GDPR aims to protect the ‘personal data’ of EU citizens by giving greater rights to individuals over how their data is used by institutions. The European Union introduced GDPR to safeguard its citizens amidst growing concerns around the safety of personal data.

What businesses need to know is that the definition of personal data has been expanded to include not just name and address, but also other types of data, including IP addresses, system IDs and cookies. Understanding the areas safeguarded by the GDPR umbrella is integral for any business going through the transition.

The Reach of GDPR

Businesses that operate from outside the EU need to consider the extent of GDPR’s impact. While GDPR is the most significant change to European data privacy and security we’ve seen in over 20 years, it’s also a major change to US data privacy security.

Any business that operates in the EU or with people in the EU (even if the company itself is not located there) may be subject to GDPR compliance. Additionally, if a US business uses data collected from people in EU member states for the purpose of targeted advertising, it is subject to GDPR.

Conversely, if an EU citizen is in the US and uses a website which is designed to be in the US, then GDPR does not apply. Also, if a website is considered global and does not use the language of, or accept the currency of, an EU member state, then GDPR will likely not apply.

In Summary

As a result of GDPR’s global reach, it’s imperative that businesses based on the other side of the Atlantic and further afield ensure they comply. Even the collection of personal data for something as simple as a marketing survey is subject to GDPR’s compliance rules.

What businesses need to do to ensure compliance is to understand the impact of GDPR, evaluate their exposure to the legislation and take the steps necessary to comply. Doing so will ensure businesses avoid fines and the potential reputational damage associated with non-compliance.

The key is to see complying with GDPR as a strong platform to grow and evolve in today’s data-driven world. There are, after all, benefits to ensuring your firm complies with the new legislation wherever it is based. These include lower admin costs, consistency, and client satisfaction, all of which have the potential to transform into increased revenue. In short, becoming compliant is as much about the journey as it is about the destination.


By Nathan Snyder, US Partner,  Brickendon.

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered.