Call Us: US - +1 845 478 5244 | UK - +44 20 7193 7850 | AUS - +61 2 8005 4826

territorial scope of the law

In the past, many small and medium sized organizations – unless they were in health care, financial services, or a few other highly regulated industries – didn’t have to deal with compliance issues.

The GDPR changed that. Taking effect in May 2018, its broad applicability had many small businesses scrambling to come up with a compliance strategy. When the GDPR replaced the 1995 EU Data Protection Directive, it greatly expanded the territorial scope of the law. The new law applies even to organizations that have no physical presence or employees inside the EU, if they collect, store, or process any personal data related to anyone who resides in the EU (not just EU citizens)

Under the GDPR, “personal data” includes much more than just sensitive information such as credit card and bank account numbers, government identification numbers, birth dates, and medical and financial information, addresses and phone numbers. It can also include such things as location data, online identifiers (such as user names or IP addresses), political opinions, job history, and “any information relating to an identified or identifiable natural person.”

But it’s not just about the GDPR. More and more states, nations, and international bodies are passing laws that impose privacy protection and other requirements on organizations within their jurisdictions. Within the U.S., those laws can differ from state to state, making it particularly difficult to keep up with which ones apply to you and whether you’re compliant.

Big multi-national corporations have entire departments and many employees devoted exclusively to keeping abreast of compliance issues and ensuring that the company meets the standards. Most SMBs don’t have that luxury.