GDPR's Impact on Non-European Data

Update: The European Data Protection Board released guidance in November 2018 clarifying that a processor processing non-E.U. data in the E.U. will still be subject to GDPR processor obligations (Article 3(1)), including having a data protection addendum with the controller. However, the non-EU controller will not be subject to the GDPR controller obligations.

**************************************************************************Yesterday, the Information Commissioner's Office fined SCL Election for not responding to a data subject access request by a U.S. professor. This decision reflects one territorial impact of GDPR that may be overlooked by companies coming into (or staying in) compliance with GDPR.

Namely, data about individuals residing outside of the European Union (E.U.) falls under GDPR if that data is transferred to, or is simply accessible to, a controller in the the E.U. For instance, GDPR will be a governing privacy law on data from U.S. consumers sent by a U.S. or E.U. based company to its parent company (the controller) in the E.U. This means that this company (the controller) would need to respond to data subject rights requests from these U.S. consumers.