GDPR – Do You Know Your EU Clients and Are You Ready to Protect Their Data?

General Data Protection Regulation (“GDPR”), a European Union (“EU”) regulation meant to protect the rights and data of EU citizens (“data holders”), comes into effect on May 25, 2018.  This regulation protects the data of EU citizens regardless of who holds the data or where that data is held.

Will GDPR affect my firm?

All firms, regardless of where they are in the world, must determine whether they hold any data corresponding to a data holder (EU citizen).  Many American firms believe that not having any clients with EU citizenship alleviates them of needing any remediation; however, most American firms will be affected by GDPR, especially if they do mass marketing via email.  Firms conducting mass mailings via email will need to remediate their email lists to GDPR standards or delete the emails from their list.

How do I know if my clients are EU citizens?

This will require a search of not only current clients, but also previous clients, and if any data coincidentally corresponds to a data holder.  GDPR protects all EU citizens regardless of their residency.  Firms must also ensure that they properly account for any clients potentially having dual citizenship with an EU country or being EU citizens residing in non-EU countries.

What am I required to do?

Ultimately, GDPR requires firms to be able, at any time, to:

  • identify all data that pertains to data holders;
  • know where that data is held;
  • know how the firm uses the data;
  • know which third parties have access to that data and how they use that data;
  • know how and when the data holder consented; and,
  • be able to deliver or delete the data at the request of the data holder.



How Oyster Can Help:

  • Establish/implement initial and ongoing procedures to identify data holders and the data attached to them
  • Determine if your firm’s practices require the appointment of a Data Protection Officer (DPO)
  • Draft policy and procedure enhancements
  • Test to determine if the actual practices meet what is stated in policies and procedures
  • Ensure data protection measures meet the standards of GDPR
  • Establish procedures to ensure data holders provide informed consent to use the data with regard to mass marketing via email


GDPR is a complicated regulation with many implications for how your firm will have to structure and protect its data.  Oyster will be posting additional blog posts that will address further areas of concern.

For more information about GDPR and how Oyster can help your firm be ready for its implementation in May, complete our contact form or call (804) 965-5400 and one of our Relationship Managers will be happy to assist you.