Much has been written about the GDPR, or the General Regulation of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, in the last 12 months. Whilst described by the ICO (the UK’s data protection regulator) as an “evolution” rather than a “revolution”, it has significant impacts on how businesses regulate the flow and use of data internally, and also in respect of customers and potential customers. Early stage businesses may find themselves in a better position relative to large corporates, in that their smaller size and agility will enable them to transition to GDPR-compliant systems more easily than larger organizations (who perhaps are still working with older systems).
A US subsidiary of an EU-based business will still be caught by the GDPR, as its provisions apply to any EU citizen or EU-based employees or consultants engaged by the business, together with the details of any EU citizen or EU-based directors, shareholders or loan note holders the business may have. Businesses will need to review their systems and policies to ensure that their ‘internal’ house is in order, as well as ensuring that their ‘external’ dealings with customers, suppliers and marketing targets are compliant.