The GDPR impacts any business that engages with individuals or other businesses located within those boundaries.
In a nutshell, your “data footprint” is the total geographical area in which your customers’ data is stored and processed.
For example, let’s say you run an online fashion store headquartered in the USA, serving an international customer base. While your business may be based in the USA, your eCommerce website could be hosted on servers located in the UK and collect personal information such as names, residential addresses and credit card details from customers all around the world.
You might also run digital marketing campaigns that target and track new customers while they visit your website and browse the web. Let’s say your marketing platform is provided by a Canadian company that hosts and processes data on your behalf using a remote data centre located in Singapore.
You can see where this is going. Your data footprint in this case — the total geographical area your data touches (as far as you know) — includes the USA, Canada, Singapore and the UK.
Different regions have different laws surrounding privacy — laws that may apply to the data your business controls. While your customers’ personal data may be well protected in one country, it’s hard to guarantee the same level of protection elsewhere.
Going back to the example above, even if you only serve customers within the US and Canada, the UK servers that host your website still fall within the European Economic Area (at the time of this article), which means your business is subject to the GDPR.
This means you’d need to be aware of the privacy implications within your data footprint, and what they mean for how you process and transfer your customers’ data. As an example, moving this information from a server in a higher-protection region to a lower-protection region may be considered non-compliant under the GDPR.
Likewise, the current measures you take to secure data may be considered inadequate by another country, requiring you to improve your privacy practices if you choose to do business in that country.
In today’s increasingly globalised economy, GDPR-compliant privacy practices can have many moving parts. To keep your customers informed about how their personal data is protected, and to lessen the likelihood of legal backlash for your business, we always advise including information about your data footprint in your policy.