By this point, you are most likely aware of the General Data Protection Regulation (GDPR) on some level. In short, the GDPR is a set of regulations that protect personal data from the EU and tightens the rules on how individuals and organizations around the world collect, process, and store that data. But what happens if your business is located in North America—will it affect you? The quick answer is yes.

In a recent Q&A during our webinar, How The EU’s New GDPR Requirements Affect North American Companies, I covered the basics of the GDPR, how it applies to North American companies, and the initial steps you should take to evaluate your website and digital operations for compliance.

So, if you're looking for answers to your burning GDPR questions, look no further.


Question and Answer

Q: Does web contact require the EU citizen to be a "resident" or physically located in the EU?
A: The GDPR covers personal data that is processed in the EU. This includes any personal data that is being sent from an EU IP address.

Q: What about employees who are EU citizens but reside in USA?
A: As written, the GDPR covers personal data that is “processed” in the EU. If the personal data is not coming from the EU (but rather from the USA), then the GDPR does not apply.

Q: Is ANY personally identifiable data considered personal data?
A: Yes. That means images, email addresses, phone numbers, etc.

Q: Can Right to Erasure (right to be forgotten) be fulfilled by randomized encryption?
A: If personal data is permanently changed to a randomized format that cannot be reversed – also referred to as anonymization – it can be argued that such personal data has been “forgotten”.

Q: If you are a US-based company, how is compliance audited?
A: If a complaint is received by a data authority located in the EU country where the personal data is processed, that data authority may audit. There is no clarity yet on what methods they might use.

Q: What if you do not know that a customer is an EU citizen (dual citizen, US address, etc.)? Can you still be held responsible for GDPR?
A: Yes, as long as the personal data is coming from the EU, you are subject to complying with the GDPR.

Q: If you are HIPAA compliant with data, are you GDPR compliant?
A: Not necessarily. The reason is that HIPAA (Health Insurance Portability and Accountability Act) only pertains to protected health information (PHI) and the personal data definition in GDPR is much broader. While you can certainly implement HIPAA protections on that personal data, it might be a bit overkill since personal data includes names, email addresses, phone numbers, etc.

Q: Our company uses third-party advertising for lead generation. What are our responsibilities as a processor of this data that was collected and shared through the third-party source?
A: If those leads collected include EU addresses, you might be considered a data controller since you decide what to do with those leads. This fact subjects you to controller responsibilities under the GDPR, which include verifying that the personal data has been properly collected (e.g. with consent, etc.).

Q: Is the GDPR relevant for business to business relationships?
A: The GDPR is very relevant to B2B. As discussed, personal data is not defined by personal life versus business life. Therefore, the email of a business contact in the EU is still considered personal data under the GDPR.

Q: What do you feel is the largest challenge to becoming compliant that you've seen so far?
A: To date, the biggest challenge has been identifying all the dataflows. However, starting with the primary flows and fleshing those out has helped significantly.

Q: Does GDPR only affect external-facing websites or does it also include internal websites that are password protected?
A: The GDPR is all about personal data—wherever it exists. This means that external websites, internal websites, databases that are isolated from the internet, etc. are all covered under the regulations.

Q: We use Google Analytics to track visitors to our website. What are our responsibilities under the GDPR?
A: We can’t give legal advice but, based on the facts that you have provided, you will need to identify what personal data you are collecting in your analytics (remember, IP addresses located in the EU are personal data) and disclose that information in your privacy policy along with the who, what, where, when, and why for use of that data.

Q: How will unsubscribe lists (ex: newsletters) work if the information is requested to be removed? Are we able to maintain the information so that our own records for do-not-contact lists are correct?
A: Maintaining such information for purposes of ensuring continued compliance with the right to be forgotten is permissible if there are documented processes in place that explain why the data is being retained for that one purpose.

Q: Should we be concerned about obtaining GDPR compliance certificates/statements before contracting with companies in the EU who may store our company's PII (Personally Identifiable Information) or our customer's PII?
A: The GDPR does not apply to US PII – only EU-based. In the event that you have personal data from the EU, you (as a controller for your personal data or processor for your customer’s personal data) need to ask your EU vendors what they are doing to comply with the GDPR and you need a written agreement in place setting forth the data processing limitations and protections available to the data subjects. This agreement is referred to as a Data Processing Agreement or DPA.

More GDPR Resources

For more on how GDPR affects North American companies, check out these free resources: