GDPR: Impacts on American Firms without EU Clients

By Tim Buckler


Confirming that your firm holds no data on EU residents (GDPR’s term for the individuals whose data is processed is “data subjects”; note that the regulation covers people located in the EU, not only EU citizens) is the first step in complying with the new General Data Protection Regulation (“GDPR”), effective May 25, 2018.  Even then, some decisions and changes await you.  Firms without any EU residents’ data will be affected in three main ways:

  1. deciding if the firm will have EU clients in the future and updating your data processes and documentation accordingly;
  2. changes in mass marketing practices; and
  3. processes for tracking and retaining website use data.

Potential Future EU Clients

Your firm must decide whether it wants EU clients in the future.  That decision, and putting all the appropriate protections in place, must happen before any EU resident’s data is received, because GDPR’s requirements apply from the moment that data enters your systems.  If compliance is too burdensome, your firm will instead need processes and documentation that demonstrate that no incoming data relates to an EU resident.  This means changes to client on-boarding, new account opening and any other point at which data is received.

Mass Marketing Practices

Firms will also need to assess their mass marketing practices.  GDPR protects data subjects from receiving mass marketing without informed consent, and the firm must be able to demonstrate that consent was given (it must be freely given, specific, informed and unambiguous, and a record of when and how it was obtained should be kept).  Most mass marketing email lists were not created with that kind of consent, and firms normally cannot positively identify the residency of the person behind an email address.  In practice, this means that all mass marketing sent after May 25th should go only to email addresses whose owners have given consent.  Your firm will need to either remediate the lack of consent or simply delete the email address from its mass marketing list.  Email addresses of confirmed non-EU resident clients are exempt from GDPR requirements.

Website Data Tracking

Firms that have a website will need to adapt how they track website visitors.  GDPR treats IP addresses and cookie identifiers as personal data belonging to the data subject (Recital 30 names both among the online identifiers that can single out a person).  This means that visitors to your site should be asked for consent before you retain their IP addresses or set cookies that are not strictly necessary to deliver the page (session and load-balancing cookies are the usual exceptions).  Prompting is not enough on its own: tracking cookies must not be set and full IP addresses must not be stored until consent has actually been recorded.  Any processing the firm does on visitor data without consent must use data that has been properly anonymized, keeping in mind that a truncated IP address combined with an exact timestamp and a full browser user agent string can still single out one visitor.
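The consent gate and anonymization described above, as an added example in Python (illustrative code written for this page, not code from the original post or from Oyster). It assumes a server-side hook that sees each request as a dict with `ip`, `path`, `query`, `user_agent`, `timestamp` and `cookies`, that the site records consent in a cookie named `consent` with the value `analytics`, and that the analytics visitor ID lives in a cookie named `_vid`; all three names and the sample requests are assumptions constructed for the example.

```python
"""Consent-gated retention of website visit data (illustrative, not the page's code).

Assumed request shape: {"ip", "path", "query", "user_agent", "timestamp", "cookies"}.
Assumed cookie names: "consent" (value "analytics" means tracking is allowed)
and "_vid" (the analytics visitor id). Both are assumptions for this example.
"""
import ipaddress
from datetime import datetime

CONSENT_COOKIE = "consent"      # assumed name of the consent cookie
CONSENT_VALUE = "analytics"     # assumed value meaning "tracking allowed"
TRACKING_COOKIE = "_vid"        # assumed analytics visitor-id cookie


def truncate_ip(ip_text: str) -> str:
    """Drop the host part of an address: keep /24 for IPv4, /48 for IPv6.

    The stored value then identifies a network rather than one device.
    A malformed value (for example a spoofed X-Forwarded-For header) raises
    ValueError instead of being written to the store verbatim.
    """
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def has_consent(cookies: dict) -> bool:
    """True only when the visitor has positively opted in; absent or other values mean no."""
    return cookies.get(CONSENT_COOKIE) == CONSENT_VALUE


def may_set_tracking_cookie(request: dict) -> bool:
    """The server may emit the analytics Set-Cookie header only after consent is recorded."""
    return has_consent(request["cookies"])


def retain_visit(request: dict) -> dict:
    """Return the record that may be written to the analytics store for this request."""
    ts = datetime.fromisoformat(request["timestamp"])
    if has_consent(request["cookies"]):
        # Consent recorded: the full visit record may be kept.
        return {
            "ip": request["ip"],
            "path": request["path"],
            "query": request["query"],
            "user_agent": request["user_agent"],
            "timestamp": ts.isoformat(),
            "visitor_id": request["cookies"].get(TRACKING_COOKIE),
        }
    # No consent: keep only what aggregate statistics need. The IP is
    # truncated, the visitor cookie and query string are dropped (query
    # strings often carry e-mail addresses or campaign IDs tied to a person),
    # the user agent is dropped, and the timestamp is rounded to the hour so
    # that prefix + exact time cannot be used to single out one visitor.
    return {
        "ip": truncate_ip(request["ip"]),
        "path": request["path"],
        "query": "",
        "user_agent": None,
        "timestamp": ts.replace(minute=0, second=0, microsecond=0).isoformat(),
        "visitor_id": None,
    }


# Constructed sample requests using documentation address ranges (not real traffic).
SAMPLE_REQUESTS = [
    {
        "ip": "203.0.113.77",
        "path": "/pricing",
        "query": "utm_source=newsletter&email=jane%40example.com",
        "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/60.0",
        "timestamp": "2018-05-25T14:37:12+00:00",
        "cookies": {},
    },
    {
        "ip": "2001:db8:85a3:8d3:1319:8a2e:370:7348",
        "path": "/pricing",
        "query": "",
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/66.0 Safari/537.36",
        "timestamp": "2018-05-25T14:38:01+00:00",
        "cookies": {"consent": "analytics", "_vid": "a1b2c3"},
    },
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(may_set_tracking_cookie(req), retain_visit(req))
```

The first sample visitor has not consented, so only `203.0.113.0`, the path and an hour-granular timestamp survive; the second has, so the full IPv6 address, the query string and the `_vid` value are kept. Apply the same rule to the web server's own access log (for example by running log lines through `truncate_ip` before they are archived), since that log is a second copy of the same identifiers.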

How Oyster Can Help:

Oyster Consultants can assist firms in determining the strategic value of accepting EU residents as clients, updating data processes and documentation (including onboarding and new account opening), developing processes for changes in mass marketing practices, assessing the implications of tracking and retaining IP addresses and cookies, and providing a cybersecurity review.

About The Author

Tim Buckler

Tim Buckler has spent 10 years in the financial services industry, with a focus on project management, cybersecurity, data analysis, and compliance. Tim’s experience includes project management support for clearing platform conversions, cybersecurity assessments, GDPR and CCPA assessments, 12b-1 mutual fund fee analysis for regulatory initiatives, and ownership changes for custodial IRA-held annuities.