GDPR question if we only market to North America
------------------------------
John Donald
Manager, Sales & Marketing Automation
Designs for Health
------------------------------
Comments
2 comments
Hi @John Donald
A very important change in the GDPR that hasn't received the attention it deserves has to do with the geographic scope of the new law.
To quickly summarise: Article 3 of the GDPR says that if you collect personal data or behavioural information from someone in an EU country, your company is subject to the requirements of the GDPR. Two points of clarification. First, the law only applies if the data subjects, as the GDPR refers to consumers, are in the EU when the data is collected. This makes sense: EU laws apply in the EU. For EU citizens outside the EU when the data is collected, the GDPR would not apply.
The second point is that a financial transaction doesn't have to take place for the extended scope of the law to kick in. If the organisation just collects 'personal data' – EU-speak for what in the US is called personally identifiable information (PII) – as part of a marketing survey, then the data would have to be protected GDPR-style.
There's a useful complete article on this topic here.
On a personal note, even if you are North America-only today, I would suggest your company nevertheless considers whether you might one day expand to the EU; in which case, it might be just as well to put in place relevant GDPR processes now. But at the very least, you could implement in your form capture the ability for a person to set their country of residence/workplace, so you will always have a way to know which data protection laws are applicable to them.
------------------------------
Sion Stedman
Idox Software Ltd
------------------------------
-------------------------------------------
Original Message:
Sent: 04-17-2018 11:25
From: John Donald
Subject: GDPR question if we only market to North America
Does anyone know if we need to implement GDPR specs if our brand only markets within the USA and Canada? We do not market to Europe. However, I do see a few email addresses on our list in the UK. If someone randomly signs up from Europe, does that mean we have to implement GDPR?
------------------------------
John Donald
Manager, Sales & Marketing Automation
Designs for Health
------------------------------
If you use Google Adwords and a French resident stumbles upon your webpage, the GDPR likely would not apply to the company solely on that basis. If, however, your website pursues EU residents – accepts the currency of an EU country, has a domain suffix for an EU country, offers shipping services to an EU country, provides translation in the language of an EU country, or markets in the language of an EU country – the GDPR will apply to your company.
If you choose to believe this then you're probably OK if you only market, sell, and ship to US-based customers.
On a logical note, it's hard to understand how a US-based company that has no operations in Europe and does not market to Europeans located in Europe would be subject to European law, or become interesting to a European agency. At some point I expect it could end up in courts to sort it out.
Does the GDPR Apply to Your US-based Company? | Lexology
------------------------------
Tod Cordill
Moderno Strategies
tod@modernostrategies.com
------------------------------