3 GDPR’s Scope of Application

Virtue is more to be feared than vice, because its excesses are not subject to the regulation of conscience.

— Adam Smith

Businesses and other organizations process data as a central component of their workflow or otherwise store data of their employees, customers or affiliates, etc. GDPR has broad scope and can be generally assumed to apply to all aspects of businesses and other organizations that receive personal data. Large Data Collectors must adapt and adhere to GDPR to reduce their exposure to liability in the long run. However, smaller businesses and organizations, particularly those whose principal activity does not entail receiving individual data, would find it hard to sustain the cost of ongoing GDPR compliance and would be concerned about the extent to which the regulation applies to their business activities. They have to balance minimal processing, storage, and usage restrictions for individual information, which may entail regulatory and reputational risks, against comprehensive frameworks that would be cost prohibitive. Toward this goal, an evaluation of the applicability of GDPR is a critical first step toward compliance. In this chapter we provide a framework for the assessment of the applicability of GDPR for individual businesses and organizations.

3.1 When Does GDPR Apply?

GDPR applies to all processing of personal data regarding the EU and its citizens.1 This deliberately broad definition establishes a universal ...
