Web Gateways,

Designed for Distributed. Built for the Cloud.
Delivered as a Service.


The 5 Ws of GDPR Part 3: Who does GDPR Reach, Specifically?

We’ve given a primer on what the European Union’s General Data Protection Regulation (GDPR) entails and why businesses should care. But who specifically needs to be concerned about compliance, and how much leg work will it take?

A point that can’t be emphasized enough is that almost every organization collecting data is affected by the regulation. In fact, the official language of the GDPR reads:

“[GDPR] will impact every entity that holds or uses European personal data, both inside and outside of Europe.”

Therefore, businesses need to abandon the misconception that the GDPR pertains primarily to data sovereignty. The fact is that businesses don’t need to have an office in Europe or explicitly market to citizens within a member state to still require compliance: Even just collecting basic payment information from a group of customers on the continent makes a business privy to adherence.

Third-party pitfalls could be an organization’s undoing

There are nuances, however, to the different kinds of businesses that need to enact certain protections as part of compliance. For starters, a lot of companies rely on third-party organizations that call themselves “data processers” – essentially, cloud or data center providers that handle data or provide data services. Businesses need to be sure that all the suppliers and vendors that they work with are as versed in GDPR and vehement about enforcing it as they are, or else both entities could be prone to the highest fines.

There are also nuances when it comes to business size. Yes, it’s true that smaller companies aren’t as likely to be hit with game-changing fines for noncompliance, but regulators are still monitoring all data exchanges closely, regardless of the stakes. To help make sure this monitoring is comprehensive on the part of EU regulators, larger businesses with more than 250 employees will become duty-bound to hire a data protection officer (DPO) that reports directly to the EU and monitors for violations.

This makes skirting responsibilities – especially for larger entities – almost impossible.

To learn more about the facets of GDPR, download our latest whitepaper on the topic, “The 5 Ws of GDPR: A Starting Points for Compliance.”


Simon Eappariello is the Senior Vice President, Product & Engineering, EMEIA at iboss