Client Alert: Stop the Madness. Do you really need to comply with the GDPR?
By | 05.1.2018 | Client Alerts
The new European General Data Protection Regulation, or “GDPR”, has created a lot of buzz and confusion about what companies that collect or handle personal data from the EU should do to protect that data.
With the May 25, 2018 deadline fast approaching, many of these companies are asking their existing service providers and business partners to sign new Data Protection Agreements or “DPAs”. Those who sign would be contractually bound to comply with provisions of the GDPR.
In some cases, large multinational corporations will send out hundreds or even thousands of these template DPAs. Given the complexity of the GDPR, though, many of these large companies simply send the DPA to all their service providers without much thought as to whether those service providers are actually processing any EU data at all.
Just because you’ve been asked to sign a DPA doesn’t mean that your operations or services are necessarily under the purview of the GDPR. Before you sign that DPA, stop and think whether your company actually handles any personal data from the EU, or whether you will ever have such data in the first place.
For example, a payroll provider based in the US that provides payroll services exclusively for US-based companies is unlikely to ever handle personal data from the EU. Why should this company be forced to comply with the burdensome requirements of the GDPR? The answer is that they may not have to. Compare that payroll provider to a small US-based IT Help Desk that provides support services for a US-based consultancy with a satellite office in Berlin. Even though the IT Help Desk is based in the US, does most of its business in the US and has no EU employees, the fact that a Berlin-based consultant may request remote assistance means that the GDPR (and therefore a DPA) may apply.
Much is still unknown about the GDPR and how European regulators will approach enforcement of its terms. What is clear, though, is that fear of the unknown has burdened many smaller US-based companies and service providers that may otherwise be outside the scope of the GDPR. Before signing a DPA, ask whether the GDPR actually applies to your activities.