Are US companies subject to GDPR?
Ask yourself some basic questions – answering yes to any of these may mean that your company is subject to GDPR:
- Do I transact business in the EU? Do I have a physical location in the EU, EU employees, or do I transact business in an EU currency? Any of these scenarios could indicate that you “do business” in the EU.
- Do I have a website that collects data from people within the EU? Do I perform data analytics on people who may have visited my website? Gathering someone’s IP address and retaining it could subject you to oversight.
- Do I have clients that are located in the EU?
- Do I have contacts or client prospects in the EU? Any personal information I retain on my prospects could be subject to the rule, and my marketing campaigns need a specific legitimate business reason to contact the individual unless I have express consent. Also, do I retain anecdotal personal information about a spouse or family member?
- Could I receive an email that I would retain in my database that includes PII, even just an identifiable email address?
- Do I import business data in any manner that originates from outside sources not controlled by me? If so, I may be receiving GDPR-protected data.
There is another way in which data is required to be protected: businesses that are established in the EU must protect the data of all persons, whether or not they are residents of the EU.