GDPR is fairly broad in terms of the businesses that it regulates. It applies to two broad strata of companies: (a) those that are “established” in the European Union and (b) those that process data of European Union residents.

If your business has a branch in the European Union, seeks to do business with any companies or individuals in the European Union, or processes data related to the offering of goods or services to individuals in the European Union, your system likely needs to be GDPR compliant. Likewise, if your business processes personal data of individuals who are in the EU at the time their data is processed, your system should be GDPR compliant. This means that GDPR applies to companies that are completely outside of the European Union if they are processing the data of EU residents. GDPR has been absorbed into UK domestic law, so for all intents and purposes, GDPR will apply to the United Kingdom for the foreseeable future.
