GDPR: to comply or not to comply?


“Should my organization comply with the GDPR?” The answer to this question is not obvious. If your organization is established in the EU and processes personal data of natural persons, then the answer is certainly yes. Nonetheless, some company owners and managers think they do not need to comply. Especially when their company is small and works B2B only, they may think they do not process data of natural persons. They do not consider that, even if they have no employees, the personal contacts they hold for people at other companies (such as cell phone numbers and email addresses) are personal data, and as such must be protected according to the law.

Once they have accepted this conclusion, they may go on assuming that they do not process “sensitive” data. Even if this may be true for companies without employees, whenever a company hires someone, he or she may fall ill for some days. Therefore, the employer (usually the human resources office) will manage the data concerning the illness, even if only in terms of days of absence from the office. Nowadays, companies do not retain the illness certificate containing the diagnosis (according to the principle of data minimization); it must be processed by the company’s medical doctor only. Still, they do know the days an employee was absent because he or she was ill. Notwithstanding the fact that such data are conveniently minimized (as they should be), they still constitute special categories of data under the GDPR (Art. 9) and therefore must be adequately protected from unauthorized access.

If the organization is not established in the EU but sells goods or services in the EU, then it must comply, as is always the case whenever a company wants to do business abroad: it must abide by the local law. Even if the company does not sell anything but monitors the behavior of natural persons who are in the EU, it must comply. As an example, data mining companies (like the former Cambridge Analytica) have to comply with the GDPR if they collect personal data of EU citizens from the web.

The last case is that of an organization which is not established in the EU but in a place where EU law applies by virtue of public international law; such an organization also has to comply with the GDPR. A possible example is the embassy of a member state. In all other cases, the answer to the question above is no. To summarize the decision-making process, a flowchart may be adopted.


To view or add a comment, sign in

Insights from the community

Others also viewed

Explore topics