By Tim Buckler
GDPR – Do You Know Your EU Clients and Are You Ready to Protect Their Data?
General Data Protection Regulation (“GDPR”), a European Union (“EU”) regulation meant to protect the rights and data of EU residents (“data subjects”), comes into effect on May 25, 2018. This regulation protects the data of EU residents regardless of who holds the data or where that data is held.
Will GDPR affect my firm?
All firms, regardless of where they are in the world, must determine whether they hold any data corresponding to a data subject (EU resident). Many American firms believe that not having any clients with EU residency alleviates them of needing any remediation; however, most American firms will be affected by GDPR, especially if they do mass marketing. Firms conducting mass marketing will need to remediate their email lists to GDPR standards or delete the emails from their list.
How do I know if my clients are EU residents?
This will require a search of not only current clients, but also previous clients, and if any data coincidentally corresponds to a data subject. GDPR protects all EU residents regardless of their nationality.
What am I required to do?
Ultimately, GDPR requires firms to be able, at any time, to:
- identify all data that pertains to data subjects;
- know where that data is held;
- how the firm received the data;
- know how the firm uses the data;
- know which third parties have access to that data and how they use that data;
- know how and when the data subject consented; and,
- be able to deliver, cease processing, or delete the data at the request of the data subject.
How Oyster Can Help:
- Establish/implement initial and ongoing procedures to identify data subjects and the data attached to them
- Determine if your firm’s practices require the appointment of a Data Protection Officer (DPO)
- Draft policy and procedure enhancements
- Test to determine if the actual practices meet what is stated in policies and procedures
- Ensure data protection measures meet the standards of GDPR
- Establish procedures to ensure data subjects provide informed consent to use the data with regard to mass marketing via email