The GDPR applies to all organizations operating in the EU and processing “personal identifiable data” of EU residents. Personal data is any information relating to an identified or identifiable natural person.
The scope of the GDPR is very broad. The GDPR will affect (1) all organizations established in the EU, and (2) all organizations involved in processing personal data of EU citizens. The latter is the GDPR’s introduction of the principle of “extraterritoriality”; meaning, the GDPR will apply to any organization processing personal data of EU citizens—regardless of where it is established, and regardless of where its processing activities take place. This means the GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether or not they are processing the personal data of EU citizens. The GDPR also applies across all industries and sectors.
There are a few definitions that will aid the understanding of the GDPR’s broad scope.
What is considered “personal data”? Per the GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Consider the extremely broad reach of that definition. Personal data will now include not only data that is commonly considered to be personal in nature (e.g., social security numbers, names, physical addresses, email addresses), but also data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more.
Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, will require even greater protection.
Generally speaking, if you are an organization that is organized in the EU or one that is processing the personal data of EU citizens, the GDPR will apply to you.
NOTE: If your organization has any offices in the EU and/or manages any vessels that employ crew who are EU residents, then the GDPR applies to you.
Does the GDPR apply to US companies?
Unlike compliance standards that are industry-specific or apply only to certain countries (e.g., HIPAA and GLBA), GDPR is a global requirement that applies to any organization in the world that works with the data of EU residents. This means that any US company that stores the personal information of EU citizens is subject to the GDPR, even if it has no physical presence in the EU.