Sorry if the title is a bit confusing. I'll try to rephrase: GDPR obviously improves transparency and protective services in global service providers/vendors that involve users in the EU. I can see how transparency about data management would benefit all end users (both those that reside in the EU and those that don't). But does GDPR require companies to protect non-EU user data using the exact same measures as if the user resided in the EU?

I'd like to think that as a US-based user of a global company, I'm receiving the same exact rights as EU users under the protection of GDPR (because it would be difficult/risky/silly for a company to try to lessen security for some regions) but I'm not so sure. Could a company technically place some regional data at more risk while still adhering to GDPR guidelines?

Mike B
  • Is this not more of a legal question rather than an InfoSec one? I realise that the boundaries are quite hard to distinguish, but to me this seems very law-based rather than technically based. Specifically: `Could a company technically place some regional data at more risk while still adhering to GDPR guidelines?` – May 31 '18 at 15:01
  • Note that the real impact of GDPR cannot be known now. It'll be months and probably years before the situation is really clear (let's wait for the first lawsuits). For now, most services are just *pretending* they are compliant. For example, this website, stackexchange, has a cookie notice that is totally illegal, lacking meaningful and explicit consent before activating all their tracking code, which is injected in the page by default. – reed May 31 '18 at 16:08

2 Answers

As far as the GDPR is concerned, the protections are only afforded to EU residents. As to what organisations are willing to do, it really depends on the organisation, and what concerns one might have with regards to security, implementation, and costs.

You definitely are NOT getting the same rights as an EU citizen, e.g. you cannot sue a company for not doing something for you that the GDPR requires. It's entirely up to a company whether or not to treat non-EU persons the same as EU persons. My guess is that most will not, as it's not in the company's best short-term interest to do so (e.g. it costs money to comply with requests for personal data, to be forgotten, etc.). Even if companies do comply with such requests, it doesn't mean they will hold themselves to the same time frames.

However, that doesn't mean you're not benefiting from GDPR. Most companies do not segregate data by the customer's country/jurisdiction today (though it is becoming more common) so protections against data breaches to databases for EU persons should generally benefit non-EU persons as well.

Swashbuckler