We were asked recently: “Have you any practical advice to US MR firms who don’t have an EU presence but may unintentionally be housing EU data (e.g., somebody gives me a sample of customers and some of those folks are in the EU)? We’ve got our US Privacy Shield in place but not sure that’s enough.”

Dr Michelle Goddard, Director of Policy & Communication, EFAMRO, answers:

The scope of GDPR responsibilities depends on the role played and whether the agency is acting as a data controller or data processor. In this case, where the sample has been passed by the client, the client is likely to be the data controller and the agency the data processor. From this it follows that:
  • The obligation is on the agency, as the data processor, to advise the data controller client that they may be holding and processing EU data, so that the client can exercise any obligations/responsibilities that they may have regarding this.
  • EU-US Privacy Shield is currently an adequate mechanism for transferring/processing personal data of EU residents, so the agency can provide assurances around security etc. of the data, but the client has lead responsibility for ensuring compliance with GDPR.
Interested in more GDPR advice? Check out these two webinars given by Dr Michelle Goddard on the topic:
  • Webinar: EU Data Protection Reforms: Ten Things Researchers Should Know
  • Webinar: EU Data Protection Reforms: Some Practical Compliance Steps