How EU Data Protection Regulation (GDPR) effects non-EU organisations

In recent days we’ve seen the US headquartered Marriot Hotel group, finned a whopping £99.2M for data breaches. This fine was issued by the UK’s Information Commissioner’s Office (ICO). You may ask why a US company got fined by a UK authority under EU regulation – it’s a fair question.

An interesting, and significant, point of note about GDPR is its reach. The regulation protects all individuals whose personal data is processed in the EU, irrespective of their nationality or where they physically reside.

 Recital 14 of the GDPR notes that “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”

In general, if a product or service is offered within the EU then the processing of personal data must


comply with GDPR. This applies to most websites, online businesses and all organisations with operations in Europe.

Taking the Marriott case as an example; reports indicate that approximately 339 million of the hotel group’s global guest records had been affected. Of these records, around 30 million related to individuals in the European Economic Area and, within that, 7 million records related to individuals in the UK.

Each EU country may have one or more supervisory authorities for the purpose of GDPR. In the case of the Marriott the UK’s ICO is leading supervisory authority on this action. Which supervisory authority leads on investigations can be a complex question for non-EU based organisations. It may be depending on an organisations corporate structure, and location of the organisations designated data protection representative and on where an initial compliant is made.

GDPR has given all supervisory authorities the power to issues fines of up to €20m or 4% of annual revenue, depending on which is greater. In the past number of months we’ve seen this power exercised at an increased rate. As precedents are set and processes become familiar we can only expect the rate at which fine are issued to increase. It’s worth noting that the Marriott £99.2M fine was only 15% of the maximum possible fine that could have been issued.

Large organisations are likely to recover from these expensive and embarrassing episodes. However, when the medium sized organisations are hit with the same proportional fines the impact may be significantly more detrimental.

The take away is that GDPR is worth serious consideration for those outside the EU. Whether your organisation, big or small, operates within the EU it is worth considering your data protection obligations.