As most are aware, the EU GDPR privacy rules specify data privacy regulations for websites, information about cookies and data ownership.
But what about working with data overseas where the end user is not directly involved?
What’s the best way to handle data and navigate data privacy laws when collaborating across the pond?
For example, if an entity in the EU wants help with a website, a mailing list, or a CRM setup from someone like me who is located in the USA, where I would have access to end-user email addresses and other information, do we need to do anything special? The answer is definitely YES. But the good news is that the steps are fairly simple.
There are a couple of options outlined in this highly informative article which covers a number of organization types and scenarios. The EU-based company can include language in their policies that end users agree to about overseas data processing, but often this is a one-off need where it end user consent is impractical to secure. These solutions assume that end users have not explicitly consented.
The second is for both parties in a transaction to sign a Standard Contractual Clause (SCC). Any kind of business can use this.
Here’s an example of the clause both my client and I would need to sign if they wished to hire me to work on a website or mailing list that collected personal information such as email addresses. For independent contractors with occasional overseas clients, this fits the bill better. It adds a small additional step to the contracting process, but the peace of mind and privacy protection it affords is more than worth the trouble.
Of course, if the systems where the data is handled lack up-to-date antivirus software, backup software, or insecure browser software, it’s not worth much, but the Standard Contractual Clause provides incentive to use every possible precaution to safeguard and responsibly handle the data involved.
Cross-pond collaboration raises interesting queries, but is more accessible than it may first appear when reading about the GDPR and admirably tight EU data protection laws.