> On May 23, 2018, at 11:05 AM, K. Scott Helms <kscotthe...@gmail.com> wrote:
> 
> Yep, if you're doing a decent job around securing data then you don't have 
> much to be worried about on that side of things.  The problem for most 
> companies is that GDPR isn't really a security law, it's a privacy law (and 
> set of regulations).  That's where it's hard because there are a limited 
> number of ways you can, from the EU's standpoint, lawfully process someone's 
> PII.  Things like opting out and blanket agreements to use all of someone's 
> data for any reason a company may want are specifically prohibited.  Even 
> companies that don't intentionally sell into the EU (or the UK) can find 
> themselves dealing with this if they have customers with employees in the EU. 

Or if someone who is a U.S. citizen and resident goes to the org's U.S.-based 
website and orders something (or even just provides their PII)... but happens 
to be in a plane flying over an EU country at the time.  Because GDPR doesn't 
talk about residence or citizenship, it talks only about a vague and ambiguous 
"in the Union", and I can certainly envision an argument in which the person in 
the plane claims that they were, technically, "in the Union" at the time. 

Anne

Anne P. Mitchell, 
Attorney at Law
GDPR Compliance Consultant
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Legislative Consultant
CEO/President, Institute for Social Internet Public Policy
Legal Counsel: The CyberGreen Institute
Legal Counsel: The Earth Law Center
Member, California Bar Association
Member, Cal. Bar Cyberspace Law Committee
Member, Colorado Cyber Committee
Member, Board of Directors, Asilomar Microcomputer Workshop
Ret. Professor of Law, Lincoln Law School of San Jose
Ret. Chair, Asilomar Microcomputer Workshop
