GDPR

  • shoes0

    The framing and most of the arguments in the IAPP article are phish.

    GDPR does not have a territorial scope. GDPR applies universally as soon as you fuck with personal data ("PII") of an EU citizen (or EU visitor). And fucking with in this case specifically means processing PII that you get from 3rd parties, irrespective of business type, industry, language, location, currency, etc.

    I think what the author is trying to do is some kind of risk assessment or guideline to assert if an org outside of the EU should bother looking into compliance or ignore GDPR altogether. From that perspective the piece makes sense at times, but still not much.

    Since your clients are asking you instead of their DPO or legal counsel, I would assume that they're not large enough fish to warrant prosecution by the euro authorities, so perhaps the cost of compliance doesn't make sense from a risk/reward perspective (which doesn't mean that they're not technically subject and in breach of GDPR).

    I agree with Kevin Kish's disclaimer that if in doubt you should get the take of a lawyer.

    • ^ technically even an IP address can be PII, depends on what they do with it (storage-wise, etc.)
      shoes
    • "GDPR does not have a territorial scope."

      But "territorial scope" is a term pulled directly from the law itself.
      yuekit
    • The question is what the second criterion, "monitors the behavior of EU citizens", actually refers to. Is simply collecting anonymous IP addresses monitoring behavior, or would it have to be something more like Google and FB creating a behavioral profile on you?
      yuekit
    • It's about as clear as mud right now which is why this is such a ridiculous law. They really need to clarify what it covers.
      yuekit
