We recently ran a webinar titled “Why should North American organizations comply with the GDPR?” to help these entities better understand the EU GDPR (General Data Protection Regulation) and learn why they should comply. It ended with our presenter answering some questions from the audience, which we’ve brought together here for you.
Q: I host a small website in North America that doesn’t get many page views. If an EU resident views it, do I have to comply with the Regulation, particularly if it saves some information such as the IP address?
A: No. Just because it is possible that an EU resident may stumble upon your website does not mean the GDPR strictly applies. However, if you start marketing to EU residents, selling products to them, or monitoring their behavior online, the answer changes to “Yes,” and GDPR would likely apply.
Q: We are a US-based hospital and EU residents might wind up in our ER. Are we subject to the GDPR?
A: Follow your hospital’s standard procedures, especially in regard to HIPAA. If your hospital begins selling services to EU residents – for example by telling them that if they are working, studying, or visiting the US and need medical treatment, then they should come to your facility – you need to comply with the GDPR.
Q: If I do not do any business or transactions with EU residents, or there is no information exchange, does it mean I don’t need to comply with the GDPR?
A: Possibly. But remember, if you’re collecting their personal information, you must comply.
As of May 25, 2018, any organization processing and storing EU residents’ personal data, irrespective of the organization’s location or where the data is processed, must comply with the GDPR. Per Gartner analyst Andrew Frank, “The penalties associated with breaches of the GDPR law are considerably higher than any [security breach] PR problem.”
To help North American organizations comply with the Regulation, IT Governance recently began offering the GDPR EU Representative Service. The EU Representative Service provides an EU representative for organizations without a physical presence in the EU, helping them adhere to Article 27 of the Regulation. Speak to a GDPR expert to find out more.