Posted: July 19, 2017
There has been much buzz circulating about the upcoming General Data Protection Regulation (GDPR). Yet many organizations, particularly US-based companies, are still trying to figure out how it will actually apply to their business.
The GDPR applies to US-based companies that offer goods or services to EU data subjects and/or monitor the behavior of EU data subjects. For example, even if a company in the US is not actively marketing to EU data subjects, in a scenario in which an EU data subject can visit the company’s website and purchase a product or service, the GDPR will most likely apply.
US companies must also be aware that this is a fairly broad test. The GDPR, for example, does not say that it applies only if an organization is conducting active marketing campaigns into the EU, just that the company is offering products and services to individuals residing in the EU.
In determining whether the company is offering goods or services to EU data subjects, regulators may consider whether the website has been translated into the local language or the currency has been converted to reflect that of the member state. Furthermore, if a company is monitoring the behavior of data subjects, the GDPR applies. Cookies can be used to monitor the behavior of someone visiting a company website and often collect personal data such as the visitor’s IP address.
Companies based in the US must ensure they understand whether the GDPR applies to them. If it does not, they should specifically document the analysis outlining why that is the case. If the GDPR does apply, we recommend the organization begin preparing for the May 25, 2018 effective date now by performing data mapping, system inventory, and data subject right applicability and exceptions analysis, and by ensuring that protection of the personal data they collect is adequate.
We understand compliance with these requirements can be difficult to manage. Please feel free to reach out to firstname.lastname@example.org for more information on the GDPR requirements, how to comply, or any other privacy, security or compliance matters.
Matt Dumiak is Senior Associate at CompliancePoint focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and has a B.S. in Economics from Georgia College.