Your business, we’ll call it Privacy Co., operates out of Kingston and sells almost exclusively to the United States. So why is a European Union (EU) privacy regulation affecting the way you handle customer data? What gives?
Since Privacy Co. operates in Kingston and predominantly sells to the United States, the GDPR probably does not mean much to it, right? Well, last summer the company attended trade shows all across Europe and amassed quite the email list. On top of this, the marketing team has decided to run targeted online ads in the countries that hosted those shows. Privacy Co. has not actually made a sale to a European customer, but that does not matter: the GDPR reaches organisations outside the EU whenever they offer goods or services to people in the EU or monitor their behaviour there, and collecting contact details at European trade shows and then targeting ads at those same audiences is exactly that. As such, the GDPR applies to Privacy Co., since it is “processing” personal data that belongs to people in the EU. Processing is defined broadly and covers anything from simply storing personal data to using it to build better-informed forecasting models.
If you even slightly suspect that your company may be processing the personal data of EU residents, you will want to do the following as soon as possible:
- Conduct an internal audit to establish what types of personal data you collect, what you use them for, where they come from and where they are stored;
- Establish policies that govern how personal data is collected, used and retained;
- Put appropriate security measures in place to keep personal data secure (the GDPR expressly names encryption and pseudonymisation as examples of suitable technical safeguards, and expects the level of security to match the risk to the individuals concerned);
- Make personal data readily available to those entitled to see it, including the individuals it concerns, who have a right of access to it, and continuously audit your efforts.