Many US businesses have avoided addressing compliance with the General Data Protection Regulation (GDPR), which took effect May 25, 2018. This avoidance is typically based on erroneous conclusions such as:
“We don’t do [much] business in Europe.”
“We don’t handle confidential data.”
“They can’t enforce that against us.”
We recommend that our clients take a careful look not only at sales data to determine the need for compliance, but also at where all third-party information they receive or store originates. The GDPR was specifically designed to allow EU citizens to “carry” their data protection rights to any jurisdiction in which their data is distributed.
Therefore, if your company receives data from EU citizens, you may have obligations under the GDPR. For example, if you collect contact information on your website for follow-up or for sales and marketing leads from EU citizens, you have obligations. If you have a sales representative located in Europe and you exchange emails regarding their personal data, you have obligations.
These obligations include:
- Transmitting personal data securely (encrypted)
- Storing personal data securely and having policies to maintain its confidentiality
- Implementing standardized notification procedures in the event that confidentiality is breached
- Implementing procedures that ensure personal data is deleted (or returned) upon request
- Implementing procedures that ensure destruction of personal data
This post was written by Barry Friedman.