As of May 25, 2018, the General Data Protection Regulation (GDPR) is in effect across the European Union. The GDPR replaces the 1995 Data Protection Directive and sets out strict new rules about how personal data must be collected, processed and stored by organizations operating in the EU and UK.
The GDPR applies to any organization that processes the personal data of EU/UK citizens, regardless of where the organization is located. This means that even if your organization is based outside of the EU/UK, you will still need to comply with the GDPR if you process the personal data of EU/UK citizens.
GDPR Countries 2024
The GDPR has been implemented in the following EU countries:
- Austria
- Belgium
- Bulgaria
- Croatia
- Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- The Netherlands
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- United Kingdom*
* The United Kingdom is an outlier.
Although the UK has departed from the EU as of January 2021, the GDPR was enacted before its withdrawal and is therefore considered a valid UK law.
List of Non-GDPR European Countries
The countries listed here are in Europe but have not implemented the GDPR regulation:
- Albania
- Belarus
- Bosnia and Herzegovina
- Kosovo
- Moldovia
- Montenegro
- North Macedonia
- Russia
- Serbia
- Turkey
- Ukraine
Any organization in these countries that collects data in EU/UK member states is subject to the GDPR, even though they haven’t implemented the GDPR regulation.
List of Countries with data protection laws similar to GDPR
There are a number of countries outside of the EU that have implemented similar data protection laws, including:
Europe
- Switzerland (Personal Data Protection Law)
The Middle East
- Bahrain (Personal Data Protection Law)
- Israel (Data Security Regulations)
- Qatar (Law No. 13)
- Turkey (Law on Protection of Personal Data No. 6698)
Africa
- Kenya (Data Protection Act)
- Mauritius (Data Protection Act)
- Nigeria (Data Protection Regulation)
- South Africa (Protection of Personal Information (POPI) Act)
- Uganda (Data Protection and Privacy Act, 2019)
Asia
- Japan (Act on the Protection of Personal Information)
- South Korea (Personal Information Protection Act)
Oceania
- New Zealand (Privacy Act)
South America
- Argentina (Personal Data Protection Act No 25,326)
- Brazil (General Data Protection Law LGPD)
- Uruguay (Act on the Protection of Personal Data and Habeas Data Action)
North America
So if your organization processes the personal data of EU/UK citizens, you will need to be compliant with the GDPR. But what if you process the personal data of citizens of countries outside the EU? In this case, you will need to comply with the data protection laws of those countries.
What You Need to Know About GDPR Countries
The EU is a changing entity, as seen by the previous examples—and current events. Nations may join or leave the EU at any time. It’s up to each business or organization to stay up with the latest geopolitical situation and make changes as needed.
For example, the Ukraine conflict motivated their leadership to seek membership in the European Union. If and when their entrance to the EU is permitted, residents will be immediately safeguarded by the GDPR, so businesses must be prepared to change with the law.
This is also the case for the recent decision of the United Kingdom to leave the European Union. Businesses based in the UK must begin preparing for a possible shift in data rules.
In a nutshell, the EU is always in motion, and firms must be ready to change their compliance strategies as new members join or existing members leave. Companies can maintain their GDPR and other EU data regulations compliance by staying up to date on the latest political changes.
Exceptions and Considerations
The GDPR has two exceptions. The first is that it does not apply to “purely personal or household activities,” only “professional or commercial activity.” Individuals are not required to encrypt their address books or other privacy concerns (although this may be a good idea anyhow).
The second exception is for small and medium-sized businesses. If a company has fewer than 250 people, it is not exempt from the entire regulation. The record-keeping obligations, on the other hand, are considerably less demanding.
When it comes to creating their GDPR privacy policy, organisations must consider two things. The first thing, offering goods and services to EU/UK residents means that an organisation is subject to the GDPR. Businesses should develop their GDPR policy before a resident of the European Union becomes a customer.
The GDPR enforcement authorities will consider whether a sale is an isolated occurrence or if the company is targeting EU/UK residents. If a firm seeks to market its products or services in Europe, it must have a policy in place.
The second issue is when a firm collects EU/UK data without realizing it. Consider a small business in California that just sells goods and services to people in the state. What happens if an Italian visits their website and accepts their tracking cookies? Technically, they’ve acquired data from an EU citizen. Will they be fined if they don’t have a GDPR policy in place? While it’s unlikely, it’s conceivable.
Discover GDPR Advisor’s Solutions
No matter what your business goals are, it’s a good idea to have a GDPR policy in place. With GDPR Advisor, compliance is simple and easy, so you can focus on what you do best.
Our privacy toolset makes it easy to create a comprehensive GDPR policy, so you can be confident that you’re meeting all the necessary requirements. Whether you’re looking to expand your business empire or simply prepare for growth, GDPR Advisor can help you get the job done quickly and efficiently.
Contact us today to learn more about how we can help your organisation achieve compliance with GDPR.
