By now, you probably know that the European Union General Data Protection Regulation (GDPR) applies from 25 May 2018 (and if you don't, you can catch up here). But like most companies, you probably have a bunch of GDPR-related questions. We have gathered the 3 most frequently asked ones and, of course, their answers.
Question 1: We do not collect or store personal data on European customers. Will we then not be affected?
It all depends on whether you store or otherwise process personal data about individuals in the EU, regardless of their citizenship. That applies whether those individuals are customers, prospects, partners or employees. If you have European employees, you almost certainly store their names, addresses and bank details. Data like that is personal data under the regulation, so you will need to implement the relevant parts of it: you must have a lawful basis for each use of the data (for employee data this is typically the employment contract or a legal obligation rather than consent, since consent is rarely considered freely given in an employment relationship), employees have rights such as the right to rectification, and you must be able to document all of this to the supervisory authorities.
Question 2: We’ve heard that businesses with more than 250 employees need to hire a DPO. Is that true?
No, it's not true. An early draft of the GDPR did specify a threshold of exactly 250 employees for whether or not you need a data protection officer (DPO), but the final regulation unfortunately does not give such a clear-cut rule. In the final text, DPOs are mandatory for all public authorities, for organizations whose core activities involve large-scale processing of special categories of personal data (such as health data) or data relating to criminal convictions, and for organizations whose core activities involve "regular and systematic monitoring of data subjects on a large scale". That last definition is admittedly vague, but as a rule of thumb (ours, not a threshold in the regulation) most large retailers and organizations with more than 5000 employees will fall under it. If you are unsure whether this applies to you, we suggest you seek legal advice.
Question 3: Can we still transfer personal data outside the EU?
Yes, but the recipients will have to meet certain data protection standards. The GDPR permits personal data to be transferred to non-EU countries and international organizations that the European Commission has found to provide an "adequate" level of protection. Where there is no adequacy decision, a transfer is still allowed if appropriate safeguards are in place, such as standard contractual clauses or binding corporate rules (BCRs), and in a few narrowly defined situations such as the explicit, informed consent of the individual.
Reference: Regulation (EU) 2016/679 (GDPR), Chapter IV, Section 4, Articles 37-39 (Data protection officer)