ECOSYSTM ADVISORY
www.ecosystm360.com | info@ecosystm360.com
39 Robinson Road, #11-01
Robinson Point, Singapore 068911
THE GDPR AND YOU: IMPLICATIONS OF THE NEW EU RULES ON ORGANISATIONS OUTSIDE THE EU
Security & Compliance
This study provides guidance on some of the most important aspects of the GDPR for companies outside
the EU and describes some of its key implications with regards to organisational IT and governance. It
also offers some key practical advice on steps that can ensure compliance with the GDPR.
Report Author
Claus Mortensen
Principal Analyst, Digital Transformation & Cloud Computing
May 2018
Contents
Executive Summary ........ 2
Overview ........ 2
The Advent of the GDPR ........ 2
Key implications of the GDPR ........ 3
As a Company Located Outside the EU, are you Affected? ........ 3
What Type of Data is Affected? ........ 4
What is Meant by Data Controller and Data Processor? ........ 4
How are the GDPR Consent Requirements Different? ........ 5
How can Data be Used? ........ 6
Are there Rules that Require Organisational Changes? ........ 7
What do we Need to do in Case of Data Breaches? ........ 8
What about Enforcement and Fines? ........ 8
Executive Summary
The General Data Protection Regulation (GDPR) will not only affect companies within the European Union (EU) but also has the
potential to affect global businesses. This study intends to provide guidance on some of the most important aspects of the GDPR
for companies outside the EU and describes some of its key implications with regards to organisational IT and governance. It also
offers some key practical advice on steps to take to ensure compliance with the GDPR.
This study does not aim to be a comprehensive or exhaustive analysis of the Regulation, but merely to highlight some of the key
rules that could affect the internal processes of organisations within and outside the EU.
The key questions covered in this study are:
▪ Does the GDPR affect you?
▪ What type of data is affected?
▪ What is meant by Data Controller and Data Processor?
▪ How are the GDPR consent requirements different?
▪ How can data be used?
▪ Are there rules that require organisational changes?
▪ What do we need to do in case of data breaches?
▪ What about enforcement and fines?
Overview
The Advent of the GDPR
The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It replaces the former Data Protection
Directive (Directive 95/46/EC) and while it has many similarities with the former Directive, the GDPR has wide implications for
companies across the globe, as it not only further restricts how collected personal data can be used, but also increases the
geographical scope in terms of data and companies affected.
Notably, the GDPR also gives the European Commission a powerful enforcement tool in the shape of potentially very hefty fines
for non-compliance. It also brings other significant changes that may require operational changes within your organisation. While
this study is not a comprehensive or exhaustive analysis of the Regulation, it highlights some of the rules that will potentially have
global implications.
Key implications of the GDPR
As a Company Located Outside the EU, are you Affected?
The short answer is: Probably yes.
Even if your company and all of your data centres and cloud providers are located outside the EU, it is important to note
that the GDPR has what can be referred to as “an increased territorial scope”, laid out in Article 3(2).
In fact, most companies dealing with EU businesses’, residents’, or citizens’ data will have to comply with the GDPR - even if a
company does not have a European presence. This includes
▪ Data collected in connection with goods and services offered to that person
▪ The monitoring of their behaviour when these people are living or travelling within the EU
This does not mean that all Asia-based companies with a website and an online shop are affected. The key criterion is whether
they show “intention” of dealing with residents or companies located within the EU. It does not take much to demonstrate this
“intention” however. If a website offers local language translation in EU languages (other than English), if they offer currency
conversion into EU currencies or if they target EU citizens with advertising, then the intention is there, and they will have to
comply with the GDPR rules.
As for monitoring of behaviour when these people are living or travelling within the EU, this mainly concerns so-called profiling
data.
This would include tracking data collected such as:
▪ Online behaviour-based advertising
▪ Financial transaction data used for profiling and scoring for risk assessment (e.g. for purposes of credit scoring,
establishment of insurance premiums, fraud prevention and so on)
▪ Location tracking, for example, by mobile apps
▪ Monitoring of wellness, fitness and health data via wearable devices
A key thing to realise here is that this applies to all people, including travellers, located in the EU. So, if a Singaporean resident
goes to London on vacation and uses a made-for-Singapore app on his or her phone which collects location data, the GDPR applies
to such data and the Singapore-based company that launched the app must (at least in theory) comply with the GDPR for the
duration of that tourist’s holiday in London.
Although it is unlikely that the example above would result in any type of prosecution by EU authorities, it still highlights how
far-reaching the GDPR is.
Businesses from outside the EU, whether controllers or processors (see below), that fall under the GDPR regime must appoint a
representative in affected Member States, unless processing is occasional, does not include large-scale processing of sensitive
data (such as racial origin, health data, genetic data and so on) and is unlikely to result in a risk to the rights and freedom of
individuals.
Key advice
▪ If you have any reasonable doubts as to whether your company is affected, then the best approach is to assume
that the answer is “yes” and take the necessary steps to ensure compliance
What Type of Data is Affected?
Article 2 of the GDPR states that the regulation applies to “the processing of personal data wholly or partly by automated means
and to the processing other than by automated means of personal data which form part of a filing system or are intended to form
part of a filing system.”
Under Article 4, personal data means “any information relating to an identified or identifiable natural person (data subject); an
identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a
name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that natural person.”
Affected personally identifiable information includes obvious personal data such as names, addresses, phone numbers, financial
data and healthcare information, but can also include automatically collected data such as IP addresses and cookie data. The GDPR
introduces concepts like subject access requests (SARs), the right to be forgotten/right to deletion, and data portability, and EU
residents now have a right to know what data is collected on them. This can be a huge concern for businesses, since this type of
information may be stored in a great number of places, from email and social platforms to HR, HCM, and CRM systems.
Key advice
▪ Ask yourself why you collect and hold data
▪ Stop collecting data you do not have a legitimate need for
What is Meant by Data Controller and Data Processor?
The European Commission provides some insight into this via its supporting documents:
The data controller determines the purposes for which, and the means by which, personal data is processed. So, if your
company/organisation decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. Employees
processing personal data within your organisation do so to fulfil your tasks as data controller.
The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to
the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking (e.g.
a subcontractor using another subcontractor).
The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract
must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT
solutions, including cloud storage. The data processor may only sub-contract a part of its task to another processor or appoint a
joint processor when it has received prior written authorisation from the data controller.
These provisions need to be inserted not only into new vendor contracts but also into existing vendor contracts.
Data processors are now jointly liable with data controllers, so if your organisation collects data on individuals and then
outsources the processing of that data to another entity, both you and they are jointly liable for that data.
Key advice
▪ Make sure you have a full overview of which contractors, channel partners and vendors manage, use and store
your customer data
▪ Make sure that all contracts – including older contracts – are revised to comply with GDPR requirements
How are the GDPR Consent Requirements Different?
The GDPR represents a significant change to the previous Directive when it comes to user consent. This means that the typical
multi-page consent forms are no longer feasible, as consent requests must be presented to the user “in an intelligible and easily
accessible form, using clear and plain language”. It also requires a clear consent action by the user, which means that pre-ticked
boxes or treating inactivity as consent are no longer valid.
When securing consent, the controller must provide “accurate and full information on all relevant issues,” including the nature
of the data that will be processed, the purposes of processing, the identity of the controller, and the identity of any other recipients
of the data. Consent must be specific to the processing operations, and the controller cannot request open-ended or blanket
consent to cover future processing. This means that if a company wants to use the data for purposes other than those it has
originally stated, it must secure a new consent from the user unless the new processing operations are “compatible” with the
original purpose.
The GDPR gives data subjects the right to withdraw consent at any time, and it must be as easy for the user to withdraw consent as it
was to give it. Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn,
data subjects have the right to have their personal data erased and no longer used for processing.
Key advice
▪ Ensure that your consent forms are updated and presented to all users in the correct form
▪ Make sure that you have clear internal guidelines for how collected data can be used within your organisation
and that the use is in line with the consent given
▪ Make sure all consents are well documented and updated
▪ Seek external legal counsel if you do not have the resources in-house
How can Data be Used?
GDPR lists the six lawful reasons for processing personal data:
▪ Consent
▪ Contract
▪ Legal obligation
▪ Vital interests
▪ Public task
▪ Legitimate interests
Of these six reasons, the first two – consent and contract – will be the most relevant for the vast majority of companies outside
the EU.
Once you have identified the relevant personal information you have within your organisation and where it is stored, you need
to identify the lawful basis for having it or change your processes, so you stop asking for personal data you do not need.
One of the biggest headaches (especially for larger organisations) is where to find it. Data that resides in on-premises IT systems
can be fairly easily mapped out, but the ever-increasing use of cloud computing, BYO devices in the workspace and general
copying and proliferation of files represent a substantial problem. GDPR regulated information could reside in several places:
▪ Cloud apps, including shadow applications not approved by the organisation
▪ Cloud storage
▪ Online file-sharing services
▪ Removable media such as USB drives
▪ Physical storage (file cabinets)
▪ Temporary files and other unstructured data
▪ Sandbox/test systems
▪ Backup systems
▪ Employee devices
▪ Third-parties – including contractors, supply chain providers and channel partners
While each of these locations might be manageable to map out on its own, the real problem for many organisations arises
when they are combined in several layers: individual business units may use cloud providers without the knowledge of the
IT department; they may have deployed multiple test systems on these cloud platforms – many of them no longer in use but still
in existence – and they may have backups of these test systems both online and on USB sticks. This would not really pose a
problem until it is paired with the fact that many developers break protocol and use real data in test systems.
Another problematic area is the increased use of third-party service providers for staff services, payroll, pensions and other
financial operations. These service providers hold large amounts of sensitive data on an organisation’s staff and vendors. Given
that your organisation as a data controller and the supplier as a data processor are jointly liable, the GDPR has big implications
for all parties.
Key advice
▪ Look at all areas of your organisation where data is written down, printed, scanned or created, and stored as digital
content
▪ Involve all business units and employees in the search for data stored outside core IT – including backup drives,
shadow cloud infrastructure, cabinets and drawers
▪ Use available data tracking and data deduplication technology to map out the location of data
Are there Rules that Require Organisational Changes?
Compliance with the rules mentioned above may very well require changes within your organisation. But apart from those, both
data controllers and data processors are required to appoint a Data Protection Officer (DPO), who can be a member of the
organisation’s staff or can be contracted for services. The role of the DPO is in part to inform all relevant employees of their
obligations under the GDPR and to monitor the company’s compliance.
Not all companies are obligated to have a Data Protection Officer, but only those “controllers and processors whose core activities
consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special
categories of data or data relating to criminal convictions and offenses”.
Not just anyone in your organisation can be appointed as the DPO, however. It must be a person who is adequately resourced
and who is appointed on the basis of their “professional qualities” and “expert knowledge of data protection law and practices”. The GDPR
Guidelines say that the level of expertise “must be commensurate with the sensitivity, complexity and amount of data an
organisation processes” and that prospective DPOs “should have expertise in national and European data protection laws and
practices and an in-depth understanding of the GDPR.”
Also, the DPO is statutorily independent and protected. DPOs must be independent, avoid conflicts of interest, and they cannot
receive instruction regarding the performance of their tasks. DPOs thus have protected employment status, meaning that
organisations cannot dismiss or sanction DPOs for performing their tasks. This means that the role of a DPO will be very different
from that of most employees or contractors that you already employ.
You can choose to outsource the DPO role to an external consultant. But the DPO must be “involved properly and in a timely
manner, in all issues which relate to the protection of personal data” and must have a reporting line to the board of directors,
which is an unusual setup for external contractors.
This means that you might not want to appoint a DPO unless you absolutely have to.
Key advice
▪ Assess whether you are required to appoint a Data Protection Officer
▪ If needed, talk to the board of directors and to HR about the options for appointing a DPO
What do we Need to do in Case of Data Breaches?
Companies are obligated to notify the supervisory authority within 72 hours of discovering a breach unless the breach is unlikely
to “result in a risk to the rights and freedom of individuals.” The notification must include specific information about the nature
of the data breach, the number and type of breached records, the name of the Data Protection Officer, the measures taken to
mitigate the risks, and other details.
Key advice
▪ Make sure you have the internal processes in place for notifying the correct authorities about breaches. This
could typically be the responsibility of the Data Protection Officer, but you need to make sure that he or she is
informed of all breaches
What about Enforcement and Fines?
The GDPR’s potentially hefty fines for non-compliance have gained a lot of attention. Fines on data controllers and processors for
non-compliance can be up to EUR 10 million or 2% of a company’s worldwide annual revenue of the prior financial year,
whichever is higher. Fines for “upper level” non-compliance are potentially double that amount – EUR 20 million or 4% of the
worldwide annual revenue.
The actual size of a fine will depend on several factors, including the nature and intent of the infringement, mitigation and
preventative measures taken by the infringing party, as well as past history. But when looking at recent fines imposed for
anti-competitive behaviour in the online industry, it would not be a surprise if large GDPR fines were to be issued within the first year.
How fines will actually be enforced on companies outside the EU remains unclear at the moment. Fines are administered by
individual member state supervisory authorities. But if a non-compliant company has no or only a nominal legal or economic
presence within the EU, such fines could prove impossible to issue and collect.
The coming months will show how the EU plans to enforce the rules outside the EU.
Key advice
▪ The ramifications of non-compliance can be potentially devastating for small to medium-sized companies. If you
think your company might be affected by the GDPR, the fines alone should compel you to take action to ensure
compliance
The report is based on the analyst’s subject matter expertise on the area of coverage in addition to specific research based on interactions with technology buyers from
multiple industries and technology vendors, industry events, and secondary research.
The data findings mentioned in all Ecosystm reports are drawn from Ecosystm’s live and on-going studies on the Ecosystm research platform.
For more information about the Ecosystm research topics, visit www.ecosystm360.com.

Eu data protection regulations (point-of-view)
 
White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016White-Paper_Security-DBSec_EU-GDPR_06-2016
White-Paper_Security-DBSec_EU-GDPR_06-2016
 
Aon GDPR white paper
Aon GDPR white paperAon GDPR white paper
Aon GDPR white paper
 
Beginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) JourneyBeginning your General Data Protection Regulation (GDPR) Journey
Beginning your General Data Protection Regulation (GDPR) Journey
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR Implementation
 
GDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e bookGDPR, what you need to know and how to prepare for it e book
GDPR, what you need to know and how to prepare for it e book
 
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDPRunning head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP
 
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP.docx
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP.docxRunning head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP.docx
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP.docx
 
What is GDPR Data Flow Mapping
What is GDPR Data Flow MappingWhat is GDPR Data Flow Mapping
What is GDPR Data Flow Mapping
 
[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018[REPORT PREVIEW] GDPR Beyond May 25, 2018
[REPORT PREVIEW] GDPR Beyond May 25, 2018
 
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP.docx
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP.docxRunning head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP.docx
Running head THE IMPACT OF GDPR IN IT POLICY1THE IMPACT OF GDP.docx
 
GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.GDPR: A Threat or Opportunity? www.normanbroadbent.
GDPR: A Threat or Opportunity? www.normanbroadbent.
 

Recently uploaded

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 

Recently uploaded (20)

Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 

GDPR & You, Claus Mortensen, Ecosystm

Contents

Executive Summary ........................................ 2
Overview ................................................. 2
  The Advent of the GDPR ................................. 2
Key implications of the GDPR ............................. 3
  As a Company Located Outside the EU, are you Affected? . 3
  What Type of Data is Affected? ......................... 4
  What is Meant by Data Controller and Data Processor? ... 4
  How are the GDPR Consent Requirements Different? ....... 5
  How can Data be Used? .................................. 6
  Are there Rules that Require Organisational Changes? ... 7
  What do we Need to do in Case of Data Breaches? ........ 8
  What about Enforcement and Fines? ...................... 8
Executive Summary

The General Data Protection Regulation (GDPR) will not only affect companies within the European Union (EU) but also has the potential to affect global businesses. This study intends to provide guidance on some of the most important aspects of the GDPR for companies outside the EU and describes some of its key implications with regard to organisational IT and governance. It also offers some key practical advice on steps to take to ensure compliance with the GDPR. This study does not aim to be a comprehensive or exhaustive analysis of the Regulation, but merely to highlight some of the key rules that could affect the internal processes of organisations within and outside the EU.

The key questions covered in this study are:
▪ Does the GDPR affect you?
▪ What type of data is affected?
▪ What is meant by Data Controller and Data Processor?
▪ How are the GDPR consent requirements different?
▪ How can data be used?
▪ Are there rules that require organisational changes?
▪ What do we need to do in case of data breaches?
▪ What about enforcement and fines?

Overview

The Advent of the GDPR

The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. It replaces the former Data Protection Directive (Directive 95/46/EC) and, while it has many similarities with the former Directive, the GDPR has wide implications for companies across the globe, as it not only further restricts how collected personal data can be used, but also increases the geographical scope in terms of the data and companies affected. Notably, the GDPR also gives the European Commission a powerful enforcement tool in the shape of potentially very hefty fines for non-compliance. It also brings other significant changes that may require operational changes within your organisation. While this study is not a comprehensive or exhaustive analysis of the Regulation, it highlights some of the rules that will potentially have global implications.
Key implications of the GDPR

As a Company Located Outside the EU, are you Affected?

The short answer is: probably yes. Even if your company and all of your data centres and cloud providers are located outside the EU, it is important to note that the GDPR has what can be referred to as “an increased territorial scope”, laid out in Article 3(2). In fact, most companies dealing with EU businesses’, residents’ or citizens’ data will have to comply with the GDPR, even if they do not have a European presence. This includes:
▪ Data collected in connection with goods and services offered to that person
▪ The monitoring of their behaviour when these people are living or travelling within the EU

This does not mean that all Asia-based companies with a website and an online shop are affected. The key criterion is whether they show an “intention” of dealing with residents or companies located within the EU. It does not take much to demonstrate this “intention”, however. If a website offers translation into EU languages (other than English), currency conversion into EU currencies, or advertising targeted at EU citizens, then the intention is there, and the company will have to comply with the GDPR rules.

As for the monitoring of behaviour when these people are living or travelling within the EU, this mainly concerns so-called profiling data. This would include tracking data such as:
▪ Online behaviour-based advertising
▪ Financial transaction data used for profiling and scoring for risk assessment (e.g. for purposes of credit scoring, establishment of insurance premiums, fraud prevention and so on)
▪ Location tracking, for example by mobile apps
▪ Monitoring of wellness, fitness and health data via wearable devices

A key thing to realise here is that this applies to all people located in the EU, including travellers. So, if a Singaporean resident goes to London on vacation and uses a made-for-Singapore app on his or her phone which collects location data, the GDPR applies to that data, and the Singapore-based company that launched the app must (at least in theory) comply with the GDPR for the duration of that tourist’s holiday in London. Although it is unlikely that the example above would result in any type of prosecution by EU authorities, it still highlights how far-reaching the GDPR is.

Businesses from outside the EU, whether controllers or processors (see below), that fall under the GDPR regime must appoint a representative in affected Member States, unless processing is occasional, does not include large-scale processing of sensitive data (such as racial origin, health data, genetic data and so on) and is unlikely to result in a risk to the rights and freedom of individuals.

Key advice
▪ If you have any reasonable doubts as to whether your company is affected, then the best approach is to assume that the answer is “yes” and take the necessary steps to ensure compliance

What Type of Data is Affected?

Article 2 of the GDPR states that the regulation applies to “the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.”

Under Article 4, personal data means “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Affected personally identifiable information includes obvious personal data such as names, addresses, phone numbers, financial data and healthcare information, but can also include automatically collected data such as IP addresses and cookie data. The GDPR introduces concepts like subject access requests (SARs), the right to be forgotten/right to deletion and data portability, and EU residents now have a right to know what data is collected on them. This can be a huge concern for businesses, as this type of information may be stored in a great number of places, from email and social platforms to HR, HCM and CRM systems.

Key advice
▪ Ask yourself why you collect and hold data
▪ Stop collecting data you do not have a legitimate need for

What is Meant by Data Controller and Data Processor?

The European Commission provides some insight into this via its supporting documents:

The data controller determines the purposes for which, and the means by which, personal data is processed. So, if your company/organisation decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. Employees processing personal data within your organisation do so to fulfil your tasks as data controller.

The data processor processes personal data only on behalf of the controller. The data processor is usually a third party external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking (e.g. a subcontractor using another subcontractor). The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated. A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorisation from the data controller.

These provisions need to be inserted not only into new vendor contracts but also into existing vendor contracts. Data processors are now jointly liable with data controllers, so if your organisation collects data on individuals and then outsources the processing of that data to another entity, both you and they are jointly liable for that data.

Key advice
▪ Make sure you have a full overview of which contractors, channel partners and vendors manage, use and store your customer data
▪ Make sure that all contracts – including older contracts – are revised to comply with GDPR requirements

How are the GDPR Consent Requirements Different?

The GDPR represents a significant change from the previous Directive when it comes to user consent. The typical multi-page consent forms are no longer feasible, as consent requests must be presented to the user “in an intelligible and easily accessible form, using clear and plain language”. The GDPR also requires a clear consent action by the user, which means that pre-ticked boxes or treating inactivity as consent are no longer valid. When securing consent, the controller must provide “accurate and full information on all relevant issues,” including the nature of the data that will be processed, the purposes of processing, the identity of the controller and the identity of any other recipients of the data.

Consent must be specific to the processing operations, and the controller cannot request open-ended or blanket consent to cover future processing. This means that if a company wants to use the data for purposes other than those originally stated, it must secure a new consent from the user unless the new processing operations are “compatible” with the original purpose.

The GDPR gives data subjects the right to withdraw consent at any time, and it must be as easy for the user to withdraw consent as it was to give it. Controllers must inform data subjects of the right to withdraw before consent is given. Once consent is withdrawn, data subjects have the right to have their personal data erased and no longer used for processing.

Key advice
▪ Ensure that your consent forms are updated and presented to all users in the correct form
▪ Make sure that you have clear internal guidelines for how collected data can be used within your organisation and that the use is in line with the consent given
▪ Make sure all consents are well documented and updated
▪ Seek external legal counsel if you do not have the resources in-house
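The consent rules described above (a clear affirmative action, no pre-ticked boxes or inactivity, consent bound to a specific declared purpose, withdrawal that is as easy as giving consent, and a documented record) can be enforced in code at two points: where consent is captured, and again before every processing job touches the data. The Python consent ledger below is an added example written for this page; it is not code from the Ecosystm report, and the declared purposes, user ids and notice versions in it are constructed for illustration.

```python
"""Purpose-bound consent ledger (added example; not code from the Ecosystm report)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed: the specific processing purposes this hypothetical service has
# declared to its users. Consent is recorded only against one of these.
DECLARED_PURPOSES = {"order_fulfilment", "marketing_email", "location_analytics"}

class ConsentError(ValueError):
    """A consent request that does not meet the rules enforced by the ledger."""

@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    notice_version: str          # which version of the consent text the user saw
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None

class ConsentLedger:
    """One record per consent event; answers whether processing for a purpose
    is currently covered by an active, documented consent."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, notice_version: str, *,
                       affirmative_action: bool, withdrawal_right_shown: bool,
                       when: Optional[datetime] = None) -> ConsentRecord:
        # A pre-ticked box or inactivity is not consent: the caller must assert
        # that the user performed a clear affirmative action.
        if not affirmative_action:
            raise ConsentError("consent requires a clear affirmative action by the user")
        # The right to withdraw must be presented before consent is given.
        if not withdrawal_right_shown:
            raise ConsentError("user must be informed of the right to withdraw first")
        # Consent is specific to declared processing operations; no blanket consent.
        if purpose not in DECLARED_PURPOSES:
            raise ConsentError(f"undeclared or blanket purpose: {purpose!r}")
        record = ConsentRecord(subject_id, purpose, notice_version,
                               when or datetime.now(timezone.utc))
        self._records.append(record)
        return record

    def withdraw(self, subject_id: str, purpose: str,
                 when: Optional[datetime] = None) -> None:
        """One call to withdraw, as easy as giving consent was."""
        stamp = when or datetime.now(timezone.utc)
        for record in self._records:
            if record.active and (record.subject_id, record.purpose) == (subject_id, purpose):
                record.withdrawn_at = stamp

    def may_process(self, subject_id: str, purpose: str) -> bool:
        """The check every processing job runs before it touches the data."""
        return any(r.active and (r.subject_id, r.purpose) == (subject_id, purpose)
                   for r in self._records)

    def erasure_queue(self) -> List[Tuple[str, str]]:
        """(subject, purpose) pairs with no active consent left: erase that data."""
        withdrawn = {(r.subject_id, r.purpose) for r in self._records if not r.active}
        return sorted(pair for pair in withdrawn if not self.may_process(*pair))

    def audit_trail(self, subject_id: str) -> List[ConsentRecord]:
        """Documentation of every consent event for a subject, kept for the record."""
        return [r for r in self._records if r.subject_id == subject_id]

def demo() -> dict:
    """Walk through the rules with constructed users; returns values to check."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    for purpose in ("order_fulfilment", "marketing_email"):
        ledger.record_consent("u-100", purpose, "notice-v3", when=t0,
                              affirmative_action=True, withdrawal_right_shown=True)
    # Three requests that must be refused: a pre-ticked box, blanket consent for
    # "any future use", and a form that never mentioned the right to withdraw.
    attempts = [
        dict(purpose="marketing_email", affirmative_action=False, withdrawal_right_shown=True),
        dict(purpose="any_future_use", affirmative_action=True, withdrawal_right_shown=True),
        dict(purpose="order_fulfilment", affirmative_action=True, withdrawal_right_shown=False),
    ]
    rejected = []
    for attempt in attempts:
        try:
            ledger.record_consent("u-200", notice_version="notice-v3", **attempt)
        except ConsentError as err:
            rejected.append(str(err))
    # The user later opts out of marketing only; fulfilment consent stays valid.
    ledger.withdraw("u-100", "marketing_email", when=t0.replace(month=6))
    return {"rejected": len(rejected),
            "may_email": ledger.may_process("u-100", "marketing_email"),
            "may_fulfil": ledger.may_process("u-100", "order_fulfilment"),
            "erase": ledger.erasure_queue(),
            "audit_events": len(ledger.audit_trail("u-100"))}
```

The design choice worth noting is that `may_process` is the only way a job learns whether it may use the data, so a withdrawal takes effect for every purpose-specific pipeline at once, and the records kept by `audit_trail` double as the documentation of consent that the advice above asks for.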
How can Data be Used?

The GDPR lists the six lawful reasons for processing personal data:
▪ Consent
▪ Contract
▪ Legal obligation
▪ Vital interests
▪ Public task
▪ Legitimate interests

Of these six reasons, the first two – consent and contract – will be the most relevant for the vast majority of companies outside the EU. Once you have identified the relevant personal information you hold within your organisation and where it is stored, you need to identify the lawful basis for having it, or change your processes so that you stop asking for personal data you do not need.

One of the biggest headaches (especially for larger organisations) is finding out where that data is. Data that resides in on-premises IT systems can be mapped out fairly easily, but the ever-increasing use of cloud computing, BYO devices in the workplace and the general copying and proliferation of files represent a substantial problem. GDPR-regulated information could reside in several places:
▪ Cloud apps, including shadow applications not approved by the organisation
▪ Cloud storage
▪ Online file-sharing services
▪ Removable media such as USB drives
▪ Physical storage (file cabinets)
▪ Temporary files and other unstructured data
▪ Sandbox/test systems
▪ Backup systems
▪ Employee devices
▪ Third parties – including contractors, supply chain providers and channel partners

While each of these locations might be manageable to map out on its own, the real problem for many organisations arises when they are combined in several layers: individual business units may use cloud providers without the knowledge of the IT department; they may have deployed multiple test systems on these cloud platforms – many of them no longer in use but still in existence – and they may have backups of these test systems both online and on USB sticks. This would not really pose a problem were it not paired with the fact that many developers break protocol and use real data in test systems.

Another problematic area is the increased use of third-party service providers for staff services, payroll, pensions and other financial operations. These service providers hold large amounts of sensitive data on an organisation’s staff and vendors. Given that your organisation, as data controller, and the supplier, as data processor, are jointly liable, the GDPR has big implications for all parties.
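Finding out where personal data actually sits, including the backups, test systems and temporary files the section above flags, is the first step a data-mapping exercise has to automate. The Python scan below is an added example written for this page, not code from the Ecosystm report: it walks a directory tree, flags files that contain e-mail addresses, phone numbers or IP addresses (three of the identifier types the report names), and classifies each hit by storage class from its path. The patterns, path heuristics and the sample tree it builds are all constructed; a real inventory would cover more identifier types and the cloud and file-sharing locations listed above.

```python
"""Personal-data discovery scan (added example; not code from the Ecosystm report)."""
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple

# Identifier types a pattern can match (a name cannot). Constructed patterns:
# good enough for a first inventory, not a full data-classification engine.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\+?\d{1,3}[\s-]?\(?\d{2,4}\)?[\s-]?\d{3,4}(?:[\s-]?\d{3,4})?"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def classify_location(rel_path: Path) -> str:
    """Storage class inferred from the path: the classes the report says are
    easy to forget (backups, test systems, temporary files) versus primary."""
    parts = {p.lower() for p in rel_path.parts}
    suffix = rel_path.suffix.lower()
    if parts & {"backup", "backups"} or suffix == ".bak":
        return "backup"
    if parts & {"test", "tests", "sandbox", "fixtures"}:
        return "test/sandbox"
    if parts & {"tmp", "temp"} or suffix == ".tmp":
        return "temporary"
    return "primary"

def scan_file(path: Path) -> Dict[str, int]:
    """Matches per identifier type; empty if the file has none or is unreadable."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return {}
    counts = {kind: len(rx.findall(text)) for kind, rx in PATTERNS.items()}
    return {kind: n for kind, n in counts.items() if n}

def scan_tree(root: Path) -> List[dict]:
    """Inventory of every file under root holding at least one identifier."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        hits = scan_file(path)
        if hits:
            rel = path.relative_to(root)
            findings.append({"path": rel.as_posix(),
                             "location": classify_location(rel),
                             "hits": hits})
    return findings

def summarise(findings: List[dict]) -> Dict[str, int]:
    """Number of files holding personal data per storage class."""
    return dict(Counter(f["location"] for f in findings))

# Constructed sample tree: a CRM export, a copy of it in a backup folder, a test
# fixture seeded with real-looking records, a forgotten temporary export, a web
# log (IP addresses count as personal data) and one file with nothing personal.
SAMPLE_FILES = {
    "crm/customers.csv": "id,name,email,phone\n1,Alice Example,alice@example.com,+65 6123 4567\n",
    "backups/2018-05/crm.bak": "id,name,email,phone\n1,Alice Example,alice@example.com,+65 6123 4567\n",
    "tests/fixtures/users.json": '[{"email": "bob@example.org", "phone": "+44 20 7946 0000"}]\n',
    "tmp/export.tmp": "carol@example.net\n",
    "logs/access.log": "203.0.113.5 - - [25/May/2018] GET / 200\n",
    "docs/readme.txt": "No personal data here.\n",
}

def run_demo() -> Tuple[List[dict], Dict[str, int]]:
    """Materialise the sample tree in a temp dir, scan it and return the inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        findings = scan_tree(root)
    return findings, summarise(findings)

if __name__ == "__main__":
    inventory, by_location = run_demo()
    for finding in inventory:
        print(finding)
    print(by_location)
```

On the constructed tree the scan reports five files; the rows classified as backup, test/sandbox and temporary are exactly the copies an IT-maintained inventory of primary systems would miss, and the test fixture seeded with a real-looking customer record is the "real data in test systems" case the text describes.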
Key advice
▪ Look at all areas of your organisation where data is written down, printed, scanned or created, and stored as digital content
▪ Involve all business units and employees in the search for data stored outside core IT – including backup drives, shadow cloud infrastructure, cabinets and drawers
▪ Use available data tracking and data deduplication technology to map out the location of data

Are there Rules that Require Organisational Changes?

Compliance with the rules mentioned above may very well require changes within your organisation. But apart from those, both data controllers and data processors are required to appoint a Data Protection Officer (DPO), who can be a member of the organisation’s staff or can be contracted for services. The role of the DPO is in part to inform all relevant employees of their obligations under the GDPR and to monitor the company’s compliance. Not all companies are obligated to have a Data Protection Officer, but only those “controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offenses”.

Not just anyone in your organisation can be appointed as the DPO, however. It must be a person who is adequately resourced, selected on the basis of their “professional qualities” and “expert knowledge of data protection law and practices”. The GDPR Guidelines say that the level of expertise “must be commensurate with the sensitivity, complexity and amount of data an organisation processes” and that prospective DPOs “should have expertise in national and European data protection laws and practices and an in-depth understanding of the GDPR.”

Also, the DPO is statutorily independent and protected. DPOs must be independent, avoid conflicts of interest, and they cannot receive instructions regarding the performance of their tasks. DPOs thus have protected employment status, meaning that organisations cannot dismiss or sanction DPOs for performing their tasks. This means that the role of a DPO will be very different from that of most employees or contractors you already employ. You can choose to outsource the DPO role to an external consultant. But the DPO must be “involved properly and in a timely manner, in all issues which relate to the protection of personal data” and must have a reporting line to the board of directors, which is an unusual setup for external contractors. This means that you might not want to appoint a DPO unless you absolutely have to.

Key advice
▪ Assess whether you are required to appoint a Data Protection Officer
▪ If needed, talk to the board of directors and to HR about the options for appointing a DPO
What do we Need to do in Case of Data Breaches?

Companies are obligated to notify the supervisory authority within 72 hours of discovering a breach unless the breach is unlikely to “result in a risk to the rights and freedom of individuals.” The notification must include specific information about the nature of the data breach, the number and type of breached records, the name of the Data Protection Officer, the measures taken to mitigate the risks, and other details.

Key advice
▪ Make sure you have the internal processes in place for notifying the correct authorities about breaches. This could typically be the responsibility of the Data Protection Officer, but you need to make sure that he or she is informed of all breaches

What about Enforcement and Fines?

The GDPR’s potentially hefty fines for non-compliance have gained a lot of attention. Fines on data controllers and processors for non-compliance can range up to EUR 10 million or 2% of a company’s worldwide annual revenue of the prior financial year, whichever is higher. Fines for “upper level” non-compliance are potentially double that amount – EUR 20 million or 4% of the worldwide annual revenue. The actual size of a fine will depend on several factors, including the nature and intent of the infringement, the mitigation and preventative measures taken by the infringing party, as well as past history. But looking at recent fines imposed for anti-competitive behaviour in the online industry, it would not be a surprise if large GDPR fines were to be issued within the first year.

How fines will actually be enforced on companies outside the EU remains unclear at the moment. Fines are administered by individual member state supervisory authorities. But if a non-compliant company has no or only a nominal legal or economic presence within the EU, such fines could prove impossible to issue and collect. The coming months will show how the EU plans to enforce the rules outside the EU.

Key advice
▪ The ramifications of non-compliance can be potentially devastating for small to medium-sized companies. If you think your company might be affected by the GDPR, the fines alone should compel you to take action to ensure compliance

The report is based on the analyst’s subject matter expertise in the area of coverage, in addition to specific research based on interactions with technology buyers from multiple industries and technology vendors, industry events, and secondary research. The data findings mentioned in all Ecosystm reports are drawn from Ecosystm’s live and on-going studies on the Ecosystm research platform. For more information about the Ecosystm research topics, visit www.ecosystm360.com.
