Cross-Border Data Transfers of Personal Data of EU Citizens
Given the very nature of today's digital world, GDPR does not only affect organizations within the European Union. It also affects any organization around the world that collects, transfers, or processes personal data of any European Union citizen, including organizations in the United States and the United Kingdom, regardless of whether the UK "Brexits" from the European Union or not.
Written into the language of GDPR are certain rights for EU citizens to seek damages if an organization, regardless of its location, is found responsible for mishandling their personal data, collecting it without authorization, or causing a breach of it. It adds specific new responsibilities that organizations must now follow in order to ensure that personal data remains secure even when business requires it to be transferred from location to location.
As a result, EU organizations could actually begin refusing to do business with outside firms if they feel there might be even the slightest risk, especially if companies are unaware of GDPR, or unwilling to demonstrate compliance. This is why it would be sensible for organizations everywhere to prepare for this new regulation. They simply can’t afford to ignore GDPR.
GDPR encourages expansion of international trade and cooperation across borders as a necessary part of commerce, but also recognizes the importance of securing personal information of EU citizens around the world. As a result, GDPR requires that where organizations from third countries are involved with personal data of EU citizens, or manage EU data, those organizations must also comply with GDPR security standards regardless of their location.
EU organizations that conduct business with third countries outside the EU are responsible for ensuring that the organization they are doing business with complies with GDPR, and these third-party organizations must be able to demonstrate that they are in full compliance with GDPR.
As the regulation indicates, "(101) ...A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organizations are complied with by the controller or processor."
Now is the best time to get ready for GDPR. If managing personal data is part of your overall business and you collect any information of citizens from an EU nation, you should closely review this new regulation.
GDPR goes into full force on May 25, 2018.