GDPR: Impacts on American Firms without EU Clients

Confirming that your firm does not hold data on any EU residents (“data subjects”) is the first step in complying with the new General Data Protection Regulation (“GDPR”), effective May 25, 2018. There will still be some decisions and changes awaiting you. Firms without any EU residents’ data will be impacted in three main ways:

  1. deciding if the firm will have EU clients in the future and updating your data processes and documentation accordingly;
  2. changes in mass marketing practices; and
  3. processes for tracking and retaining website use data.

Potential Future EU Clients

Your firm must determine if it wants to have any EU clients in the future. All requirements of GDPR must be met before a firm can receive any EU resident’s (“data subject’s”) data. Determining if you want to hold EU resident data and having all the appropriate protections in place must be done before you receive that data. If it is too burdensome, then your firm will need to include processes and documentation that prove all incoming data is not related to an EU resident. This will include changes to client on-boarding, new account opening and any other instance where data is received.

Mass Marketing Practices

Firms will also need to assess their mass marketing practices. GDPR protects data holders from receiving mass marketing without informed consent. Most mass marketing email lists were not created with informed consent, and firms cannot normally positively identify the residency of the receiver of the email. In practice, this will mean that all mass marketing done after May 25th should only be sent to email addresses that have given consent. Your firm will need to either remediate the lack of consent or simply delete the email address from its mass marketing mailing list. All email addresses of confirmed, non-EU resident clients are exempt from GDPR requirements.

Website Data Tracking

Firms that have a website will need to adapt how they track website visitors. GDPR protects data holders’ IP addresses and cookie data. This means that any visitors to your site should be prompted with consent verification if you retain IP addresses or use cookies. Firms need to ensure that any data they process without consent has been properly anonymized.

How Oyster Can Help:

Oyster Consultants can assist firms in determining the strategic value of accepting EU residents as clients, updating data processes and documentation including onboarding and new account opening, developing processes for changes in mass marketing practices, assessing the implications of tracking and retaining IP addresses and cookies, and providing a cybersecurity review.

For more information about the GDPR or how Oyster Consulting can help your firm, download our blogs and webinar below:

Blogs:

GDPR: Impacts on American Firms without EU Clients – March 15, 2018

GDPR – Do You Know Your EU Clients and Are You Ready to Protect Their Data? – February 27, 2018

Webinar:

GDPR: Are You Protecting Your Clients’ Data?  – April 10, 2018

Or, you can complete our contact form below or call (804) 965-5400 and one of our Relationship Managers will be happy to assist you.
