How does GDPR affect companies outside of EU?
A few EU based Insightly customers have raised questions regarding Insightly's GDPR readiness. So far we have not seen any concrete plans, just an assurance we will be compliant in time.
I am a little bit curious why this question has raised so little attention from US based customers. My understanding is that the GDPR regulation also applies to countries outside the EU. The following text is from the official EU FAQ regarding GDPR https://www.eugdpr.org/gdpr-faqs.html :
Who does the GDPR affect?
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines, e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.