How you may be misinterpreting GDPR

A privacy lawyer explains what US firms often get wrong about the regulation.

Ringfencing your European activity is harder than you think. US private equity firms think they can limit compliance to the tools and activities in Europe, says Brussels-based privacy lawyer Ruben Roex, “which often is not the case, given that often the internal systems are centralized.”

The definition of personal data is also broader than you think. “You do have personal identifiable information in the US as a concept, but it is far more limited than what we understand as personal data,” says Roex. “Often the client comes to us and says, ‘We don’t process any personal data, we’ve anonymized everything, because we’ve deleted the names and have no employee numbers for them, so we’re done.’ Well, under European law, just deleting the names and some identifiers such as numbers will not imply that the data is anonymized at all.”

You have to update contracts with suppliers everywhere, not just in Europe. “Even if your supplier is based in the US, or wherever in the world, it may be necessary to amend the contracts to make sure that they comply with what the GDPR says has to be in there.”