As well as being applicable to organisations within the European Economic Area (EEA), the GDPR has an international reach – as does the UK Data Protection Act 2018 (DPA). Regardless of an organisation's location or place of establishment, it is possible that either piece of legislation applies to its activities. For example, the DPA applies where personal data processed by an organisation (wherever located) relates to data subjects in the UK, and the GDPR applies where an organisation offers goods or services to individuals in the EEA (such as a UK-based e-commerce business selling goods to consumers in the EEA).
The need to comply with two different legal regimes sounds potentially onerous but, in many respects, the legal requirements are aligned between the GDPR and the DPA.
MacRoberts advises on the international aspects of data protection compliance, routinely assisting our UK-based clients in relation to international data transfers, as well as organisations outside the UK and EEA on compliance with data protection requirements in connection with their activities in the UK and the EEA.