Increased Territorial Scope
The territorial scope of the GDPR has increased relative to its predecessor. The scope is covered by Article 3 of the legislation;
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Naturally as you would expect the legislation applies to entities who have a location within the EU.
Where this legislation diverges is that it also encompasses entities who are offering goods or services to anyone residing in the EU, even if those services are provided free of cost.
So any global business either has to become compliant for all of its users/customers or be able to accurately identify EU residents and enable compliant systems to handle only that subset of the customer base.
Building and maintaining two separate information systems is no practical or cost effective, and the downside risk of making a mistake is too large to make it acceptable. It has therefore become normal practice for businesses to apply GDPR compliant information systems to all users, regardless of location.