Incorporate.ltd
Part 6: Compliance & Operations
Chapter 3

Data Protection and GDPR for International Companies

Guide 5 min read

Why data protection matters for incorporated companies

Any company that collects personal data (customer names, email addresses, payment information, IP addresses, browsing behaviour) has data protection obligations. These obligations exist regardless of where the company is incorporated; what matters is where the people whose data you process are located.

The primary data protection frameworks relevant to international businesses:

GDPR (General Data Protection Regulation): EU regulation in force since 25 May 2018. Applies to any organisation established in the EU, and to any organisation outside the EU that offers goods or services to people in the EU or monitors their behaviour (Article 3), regardless of where the organisation is incorporated.

UK GDPR: Post-Brexit, the UK retained an equivalent framework called UK GDPR (plus the Data Protection Act 2018). Applies to organisations processing personal data of UK residents.

CCPA (California Consumer Privacy Act, as amended by the CPRA from 2023): US state law. Applies to for-profit companies doing business in California above certain thresholds: annual revenue above $25M (the figure is adjusted for inflation), or buying, selling or sharing the personal information of 100,000 or more California consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing California consumers' personal information.

PDPA (Personal Data Protection Act): Singapore. Applies to organisations collecting, using, or disclosing personal data of Singapore individuals.

PDPL (Personal Data Protection Law): UAE Federal Decree-Law No. 45 of 2021, the UAE's national data protection framework, modelled partly on GDPR. Issued in September 2021 and in force from 2 January 2022. The DIFC and ADGM financial free zones run their own separate data protection regimes.

LGPD (Lei Geral de Proteção de Dados): Brazil's data protection law, in force since September 2020 and closely modelled on GDPR, including its extraterritorial reach over organisations outside Brazil that process data of individuals in Brazil.

GDPR: the essential requirements for international businesses

If you process personal data of EU residents (even just collecting email addresses from an EU-based mailing list), GDPR applies to you.

Key requirements:

1. Lawful basis for processing You must have a lawful basis (Article 6) for every type of personal data processing. There are six; the four most relevant to a typical business are:

  • Consent: The data subject has given clear, specific, informed, and freely given consent, and can withdraw it as easily as it was given.
  • Contract: Processing is necessary for the performance of a contract with the data subject (e.g. fulfilling an order).
  • Legal obligation: Processing is required to comply with a legal obligation (e.g. retaining invoices for tax law).
  • Legitimate interests: Processing is necessary for your legitimate interests (or those of a third party), provided these are not overridden by the individual's interests; document the balancing test you applied.

The remaining two, vital interests and public task, rarely apply to commercial companies.

For marketing to existing customers about similar products or services: legitimate interests is the usual basis, and the ePrivacy rules' "soft opt-in" allows email marketing provided an opt-out was offered at collection and is repeated in every message. Contract is generally not an appropriate basis for marketing. For unsolicited marketing to new contacts: consent is required.

2. Privacy notice (Privacy Policy) When you collect personal data, you must provide a privacy notice explaining: who you are (company details), what data you collect, why you collect it (lawful basis), how long you keep it, who you share it with, what rights the data subject has, and whether you transfer data outside the EEA.

3. Data subject rights EU residents have the right to:

  • Access their data (Subject Access Request), including a copy of it
  • Correct inaccurate data
  • Erasure ("right to be forgotten", in certain circumstances)
  • Restrict processing while a dispute over accuracy or lawfulness is resolved
  • Data portability (receive data in a structured, machine-readable format)
  • Object to processing, including an absolute right to object to direct marketing
  • Rights related to automated decision-making, including profiling

You must respond to these requests without undue delay and at the latest within one month; that period can be extended by two further months for complex or numerous requests, provided you tell the individual within the first month. Verify the requester's identity before releasing anything, since a spoofed access request is itself a way to leak personal data.

4. Data security Article 32 requires technical and organisational measures appropriate to the risk. For most small businesses this means: unique, strong passwords held in a password manager; multi-factor authentication on email, cloud consoles and admin panels; TLS (HTTPS) for all data in transit; encrypted, access-controlled storage with tested backups; prompt patching; and enough logging to tell who accessed what when a breach is investigated.

5. Breach notification If you suffer a personal data breach (accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), you must notify the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If the risk is high, you must also notify the affected individuals without undue delay. Every breach, notified or not, must be recorded internally with its facts, effects and remedial action (Article 33(5)), so keep an incident log from day one.

6. Data transfers outside the EEA Personal data of EU residents can only be transferred to countries outside the EEA that the EU Commission has determined provide "adequate protection," or where you have implemented appropriate safeguards:

  • Standard Contractual Clauses (SCCs): the European Commission's 2021 model clauses, signed between you and your data processor/recipient. Since the Schrems II judgment you must also document a transfer impact assessment of the destination country's laws and add supplementary measures (such as encryption with keys held in the EEA) where needed
  • Binding Corporate Rules: For intra-group transfers
  • Adequacy decisions: Countries with adequacy status include the UK, Switzerland, Japan, South Korea, Israel, New Zealand, Argentina, Uruguay, Canada (commercial organisations only) and the United States (only for companies certified under the EU-US Data Privacy Framework), among others

7. Data Protection Officer (DPO) Required if: you're a public authority, or your core activities consist of systematic and large-scale monitoring of individuals, or your core activities involve large-scale processing of special category data. Most SMEs do not need a DPO.

8. GDPR Representative in the EU If you are a non-EU company processing EU personal data without an EU establishment, you must appoint a representative based in an EU member state (Article 27) to act as a point of contact for supervisory authorities and data subjects. The only exemption is processing that is occasional, does not involve large-scale processing of special category or criminal-offence data, and is unlikely to result in a risk to individuals. Many small businesses ignore this requirement; enforcement is increasing. The representative is a separate role from the DPO.

Practical GDPR compliance for small businesses

Step 1: Audit what data you collect List every type of personal data your business collects: email addresses, names, payment information, IP addresses, cookies, etc. Map where it comes from, what you do with it, its lawful basis, how long you keep it, which processors receive it, and who has access. This inventory doubles as your Article 30 record of processing activities, which most companies must keep (the exemption for companies under 250 employees falls away as soon as processing is not occasional).

Step 2: Update your privacy policy Write a clear, plain English privacy policy covering all GDPR-required information. Place it prominently on your website. Do not copy someone else's policy; it must accurately reflect your specific data practices.

Step 3: Consent management (if you use marketing) If you email a newsletter: use an opt-in (not opt-out) mechanism. Keep records of when and how consent was obtained. Use a reputable email service provider (Mailchimp, ConvertKit, Klaviyo) with built-in compliance features.

Step 4: Cookie consent If your website uses tracking cookies (Google Analytics, Facebook Pixel, advertising cookies): implement a cookie consent banner that gives visitors a genuine choice before any non-essential cookie is set or tracking script loads. Non-essential cookies (analytics, advertising) require opt-in consent: pre-ticked boxes and "continue browsing" do not count, rejecting must be as easy as accepting, and you should keep a record of each choice with its timestamp and the version of the policy it relates to.

Step 5: Processor agreements If you use third-party services that process personal data on your behalf (email providers, CRMs, payment processors, cloud services), you must have a Data Processing Agreement (DPA) meeting Article 28 with each, and it should list the sub-processors they in turn use. Most major services (Google, Stripe, Mailchimp) provide standard DPAs; sign them.

Step 6: Security measures Enable HTTPS on your website. Use strong, unique passwords and a password manager. Enable two-factor authentication everywhere. Regularly update software and plugins. Do not store card numbers yourself; let a PCI DSS-compliant payment processor hold them.
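Steps 3 and 4 are the parts of this list that end up in code: nothing non-essential may run until the visitor opts in, and each choice must be evidenced. The following JavaScript is an added example written for this page, not code from Incorporate.ltd or from any consent vendor. The tag list, the category names, the cookie-name patterns, the 13-month re-consent interval and the policy version string are all constructed assumptions for a hypothetical site.

```javascript
// Added example (not from Incorporate.ltd): consent-gated loading of non-essential tags
// plus an auditable consent record. Everything below is constructed for illustration;
// the tag list, category names and cookie-name patterns are assumptions for a hypothetical site.

const CONSENT_VERSION = "2026-03";                       // bump when the cookie policy changes
const CONSENT_MAX_AGE_MS = 13 * 30 * 24 * 3600 * 1000;   // re-ask after ~13 months (assumption)

// Scripts the site wants to run. Only "necessary" may run before the visitor has chosen.
const TAGS = [
  { id: "session",  category: "necessary", src: "/js/session.js" },
  { id: "ga4",      category: "analytics", src: "https://www.googletagmanager.com/gtag/js" },
  { id: "fb-pixel", category: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
];

// Cookie names each non-essential category is known to set (constructed, not exhaustive).
const CATEGORY_COOKIES = {
  analytics: [/^_ga/, /^_gid$/],
  marketing: [/^_fbp$/, /^_fbc$/],
};

// Build the record to store (server side or in first-party storage): what was granted,
// when, how, and against which policy version. This is the evidence of consent.
function makeConsentRecord(choices, { method, now = Date.now } = {}) {
  const granted = Object.keys(choices).filter((c) => choices[c] === true).sort();
  return { version: CONSENT_VERSION, timestamp: new Date(now()).toISOString(), method, granted };
}

// Consent is only reusable if it matches the current policy version and is not too old.
function isValidConsent(record, now = Date.now) {
  if (!record || record.version !== CONSENT_VERSION) return false;
  const age = now() - Date.parse(record.timestamp);
  return Number.isFinite(age) && age >= 0 && age < CONSENT_MAX_AGE_MS;
}

// Decide which tags may load. No record, stale record or rejected category => necessary only.
function tagsAllowed(record, { now = Date.now, tags = TAGS } = {}) {
  const granted = new Set(isValidConsent(record, now) ? record.granted : []);
  return tags.filter((t) => t.category === "necessary" || granted.has(t.category)).map((t) => t.id);
}

// Browser side: inject <script> elements only for the allowed tags. Returns the ids injected.
function loadAllowed(record, { doc = globalThis.document, now = Date.now } = {}) {
  const ids = tagsAllowed(record, { now });
  if (!doc) return ids;                     // no DOM (tests, server rendering): nothing to inject
  for (const tag of TAGS) {
    if (!ids.includes(tag.id)) continue;
    const el = doc.createElement("script");
    el.src = tag.src;
    el.async = true;
    doc.head.appendChild(el);
  }
  return ids;
}

// Audit check: given document.cookie, list non-essential cookies present without consent
// for their category. Run it after page load to catch tags that bypass the gate
// (for example a plugin that loads Google Analytics on its own).
function cookiesWithoutConsent(cookieString, record, now = Date.now) {
  const granted = new Set(isValidConsent(record, now) ? record.granted : []);
  const names = cookieString.split(";").map((c) => c.trim().split("=")[0]).filter(Boolean);
  const violations = [];
  for (const name of names) {
    for (const [category, patterns] of Object.entries(CATEGORY_COOKIES)) {
      if (!granted.has(category) && patterns.some((p) => p.test(name))) {
        violations.push({ cookie: name, category });
      }
    }
  }
  return violations;
}

// Constructed walk-through: the visitor accepted analytics only.
const demoRecord = makeConsentRecord({ analytics: true, marketing: false }, { method: "banner-custom" });
console.log(tagsAllowed(demoRecord));                                      // [ 'session', 'ga4' ]
console.log(cookiesWithoutConsent("_ga=GA1.2.1; sessionid=abc; _fbp=fb.1.2", demoRecord));
// [ { cookie: '_fbp', category: 'marketing' } ]
```

The two checks worth keeping whatever banner you use are the version comparison (a changed cookie policy invalidates old consent, so the banner is shown again rather than silently reusing a choice made for a different policy) and the post-load cookie audit, which is what catches a tag that was added outside the consent gate.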

Fines and enforcement

GDPR fines are tiered:

  • Tier 1: Up to €10M or 2% of global annual turnover (whichever is higher) for less serious violations (inadequate records, failure to notify a breach, etc.)
  • Tier 2: Up to €20M or 4% of global annual turnover (whichever is higher) for serious violations (unlawful processing, violation of data subject rights, illegal international transfers, etc.)

Enforcement to date has focused on larger companies, but supervisory authorities across the EU have also fined SMEs for cookie consent violations, missing privacy notices, and marketing consent failures.

UK GDPR: equivalent fines under the UK regime (up to £17.5M or 4% of global annual turnover, whichever is higher).



This content is educational and does not constitute legal or tax advice. Always consult a qualified professional for your specific situation. Data last verified March 2026.