Scott, we at MoMA have also been assessing where we stand with GDPR as the fines could be pretty hefty if we have a compliance problem down the road. Your general understanding lines up with what we have found as well. If the transaction involves PII info of an EU citizen, then it is in scope. Processes and controls need to be in place, for example, to remove that data if requested by that person. If you are using cloud solutions it would be good to find out what those vendors are doing for GDPR. Also, if you are using any kind of auto calculation or AI based on info of that person, that too may be in scope. We are working with external counsel to help guide our direction on GDPR. Please reach out directly if you would like to chat further.
Diana

On Feb 7, 2018, at 2:20 PM, Nik Honeysett <[email protected]> wrote:

My understanding is that GDPR is enforced based on the location of the transactee at the time of the transaction, irrespective of where the server is. So, if someone buys something from your website from Blighty, then GDPR is in effect for you and their PII, but if that person physically buys from your store, then GDPR does not apply.

-nik

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nik Honeysett | Chief Executive Officer | BPOC | www.bpoc.org
M (805) 402-3326
P (619) 331-1974
E [email protected]
1549 El Prado, Suite 8, San Diego, CA 92101
A non-profit technology collaboration connecting audiences to art, culture & science.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On Feb 7, 2018, at 11:15 AM, Sayre, Scott A <[email protected]> wrote:

Nik-

Thanks for chiming in. We have a significant customer-base (ecommerce, online/physical visitors and students) from the EU. Our read is that any transaction between a US organization and a citizen of the EU falls under the GDPR, even if the transactions take place on a server here in the US.

-Scott

On 2/7/18, 12:35 PM, "mcn-l on behalf of Nik Honeysett" <[email protected] on behalf of [email protected]> wrote:

Scott,

Do you have a significant percentage of online sales or data capture in the EU?

-nik

On Feb 7, 2018, at 8:54 AM, Sayre, Scott A <[email protected]> wrote:

Hi Folks-

We are in the early stages of preparing a strategy to comply with the May 28th deadline for complying with the EU’s General Data Protection Regulations (https://www.eugdpr.org/). Hoping most of you are familiar with these requirements and may have some thoughts on how you will be responding to them. We are still working on defining requirements vs. recommended practices and how and when we will be able to address them. It appears this could affect our user data practices in e-commerce, blog, e-commerce (ticketing and retail), as well as CRM.

I’d love to hear how others have begun to work on meeting these regulations and if you have found any external expertise to guide you through the process.

Many thanks in advance.

-Scott

_______________________________________________
You are currently subscribed to mcn-l, the listserv of the Museum Computer Network (http://www.mcn.edu)

To post to this list, send messages to: [email protected]

To unsubscribe or change mcn-l delivery options visit:
http://mcn.edu/mailman/listinfo/mcn-l

The MCN-L archives can be found at:
http://www.mail-archive.com/[email protected]/
