Which businesses will be affected?
Broad categories of the business relationships affected are:
Island business to EU customers
Island businesses that offer goods or services to, or monitor the behaviour of, individuals resident in the EU and process their personal data “wholly or partly by automated means” will be subject to the GDPR.
“The offering of goods and services” is not defined but, given the extensive scope and broad definitions of the GDPR, it should be considered in its widest interpretation in line with the intention of the GDPR. Guidance is provided in Recitals 23-24 of the GDPR.
To determine whether a business is offering goods or services, the following should be considered:
“the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, and/or the mentioning of customers and users who are in the Union”.
In respect of “monitoring”, it should be ascertained
“whether individuals are tracked on the Internet including potential subsequent use of data processing techniques which consist of profiling an individual, particularly in order to take decisions concerning her or him for analysing or predicting her or his personal preferences, behaviours and attitudes”.
Island business to EU businesses
EU businesses must ensure that any personal data transferred to a controller or processor in the Island complies with the GDPR. Failure to do so would risk sanctions, including a substantial fine.
The transfer, or sharing, of personal data inward to the Island from an EU controller or processor will be affected. Compliance with the GDPR will be a matter for the EU business to determine, but if the Island business is unable to evidence compliance it is unlikely that the transfer will occur and/or the business may be lost.