
It is important to understand that you need to comply with GDPR even if you don’t have a legal entity in the EU. As long as you collect, process, exchange, or store personally identifiable information (PII) of EU and EEA citizens (referred to as Principals), you will need to ensure you comply with these regulations. Non-compliance and data privacy breaches may result in fines of up to 20 million Euro or 4 % of your global annual revenue, whichever is higher. You should really avoid that.
Many GDPR requirements are focused on the legal basis for collecting and processing Principals’ PII. At its core is the idea that collecting and processing Principals’ PII is forbidden by law unless there is a legal basis (by law, contract, etc.), or you have clear, evidence-based consent. This creates a clear “Data Privacy by Default” and “Data Privacy by Design” working standard for companies looking to do business with the EU and EEA states, giving Principals the opportunity to control the use of their PII, including when you intend to change the use of PII already collected.
The message is clear to companies: you are obligated to obtain the Principal’s consent BEFORE you collect data, and to obtain new or changed consent BEFORE you change the purpose for which PII already collected is used.
The first data protection law was published in 1970 in the German federal state of Hessen. In 1974, the US Privacy Act was introduced. In 1980, the Organization for Economic Co-operation and Development (OECD) launched the first version of its international data privacy principles, designed to ease the international exchange of information based on a common understanding.