Scott,

Thanks for starting this discussion, this topic also interests me because the Petersen Museum here in Los Angeles, CA also has a few EU transactions online and on-site.

For our case, I am assuming since we are using Shopify for our e-commerce and point of sale, this will be handled by Shopify (https://help.shopify.com/manual/your-account/GDPR) but assuming the API integrations with our CRM (Shopify <—> CRM) and other reporting process will have to be double checked. Also the rules do seem a little murky, although we do not have an EU base, we do however accept EU transactions, which sounds like GDPR would apply to us.

Best regards,
Mark

*Mark Mangoba | Technology Consultant | Petersen Automotive Museum* | Technology & Innovation | mmang...@petersen.org | Technology Help Desk: t...@petersen.org | Supervisor: arosa...@petersen.org (Director) | petersen.org | https://github.com/markmangoba

On Wed, Feb 7, 2018 at 12:38 PM, Nik Honeysett <nhoneys...@bpoc.org> wrote:
> Hmm, still very skeptical that “territoriality” applies here: processing is related to the “monitoring” in the EU of the “behavior” of data subjects as their behavior takes place within the EU - from a much more informed interpretation which seems to indicate also that unless we are proactively selling to an EU country, we’re not under GDPR:
>
> https://wp.nyu.edu/compliance_enforcement/2017/12/11/the-general-data-protection-regulation-a-primer-for-u-s-based-organizations-that-handle-eu-personal-data/
>
> Interested to understand how various legal counsels interpret this though.
> -nik
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Nik Honeysett | Chief Executive Officer | BPOC | www.bpoc.org
>
> M (805) 402-3326 P (619) 331-1974 E nhoneys...@bpoc.org
> 1549 El Prado, Suite 8, San Diego, CA 92101
>
> A non-profit technology collaboration connecting audiences to art, culture & science.
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>> On Feb 7, 2018, at 11:40 AM, Sayre, Scott A <sayr...@cmog.org> wrote:
>>
>> Nik-
>> I unfortunately think that is the case.
>> https://securityintelligence.com/news/us-firms-have-less-than-a-year-to-comply-with-the-gdpr/
>> https://www.informationweek.com/strategic-cio/security-and-risk-strategy/7-steps-to-gdpr-for-us-companies/a/d-id/1329235?
>>
>> Diana-
>> Thank you. I'll reach out after we have a couple more meetings here. Let's share what we discover as we go along.
>>
>> Best,
>> Scott
>>
>> On 2/7/18, 2:34 PM, "mcn-l on behalf of Nik Honeysett" <mcn-l-boun...@mcn.edu on behalf of nhoneys...@bpoc.org> wrote:
>>
>> James - I don’t think that is right otherwise every business in the U.S. would be potentially liable.
>> -nik
>>
>>> On Feb 7, 2018, at 11:31 AM, Sayre, Scott A <sayr...@cmog.org> wrote:
>>>
>>> Agree on both accounts. We do sell products, classes, tickets and juried art entries online with EU customers.
>>> -S
>>>
>>> On 2/7/18, 2:23 PM, "mcn-l on behalf of Nik Honeysett" <mcn-l-boun...@mcn.edu on behalf of nhoneys...@bpoc.org> wrote:
>>>
>>> Also, GDPR wouldn’t apply if they purchased from your website while they were in a hotel next door to you.
>>> -nik
>>>
>>>> On Feb 7, 2018, at 11:20 AM, Nik Honeysett <nhoneys...@bpoc.org> wrote:
>>>>
>>>> My understanding is that GDPR is enforced based on the location of the transactee at the time of the transaction, irrespective of where the server is. So, if someone buys something from your website from Blighty, then GDPR is in effect for you and their PII, but if that person physically buys from your store, then GDPR does not apply.
>>>> -nik
>>>>
>>>>> On Feb 7, 2018, at 11:15 AM, Sayre, Scott A <sayr...@cmog.org> wrote:
>>>>>
>>>>> Nik-
>>>>> Thanks for chiming in. We have a significant customer-base (ecommerce, online/physical visitors and students) from the EU. Our read is that any transaction between a US organization and a citizen of the EU falls under the GDPR, even if the transactions take place on a server here in the US.
>>>>> -Scott
>>>>>
>>>>> On 2/7/18, 12:35 PM, "mcn-l on behalf of Nik Honeysett" <mcn-l-boun...@mcn.edu on behalf of nhoneys...@bpoc.org> wrote:
>>>>>
>>>>> Scott,
>>>>>
>>>>> Do you have a significant percentage of online sales or data capture in the EU?
>>>>> -nik
>>>>>
>>>>>> On Feb 7, 2018, at 8:54 AM, Sayre, Scott A <sc...@sandboxstudios.org> wrote:
>>>>>>
>>>>>> Hi Folks-
>>>>>> We are in the early stages of preparing a strategy to comply with the May 28th deadline for complying with the EU’s General Data Protection Regulations (https://www.eugdpr.org/). Hoping most of you are familiar with these requirements and may have some thoughts on how you will be responding to them. We are still working on defining requirements vs. recommended practices and how and when we will be able to address them. It appears this could affect our user data practices in e-commerce, blog, e-commerce (ticketing and retail), as well as CRM.
>>>>>> I’d love to hear how others have begun to work on meeting these regulations and if you have found any external expertise to guide you through the process.
>>>>>> Many thanks in advance.
>>>>>> -Scott
>>>>>>
>>>>>> _______________________________________________
>>>>>> You are currently subscribed to mcn-l, the listserv of the Museum Computer Network (http://www.mcn.edu)
>>>>>>
>>>>>> To post to this list, send messages to: mcn-l@mcn.edu
>>>>>>
>>>>>> To unsubscribe or change mcn-l delivery options visit:
>>>>>> http://mcn.edu/mailman/listinfo/mcn-l
>>>>>>
>>>>>> The MCN-L archives can be found at:
>>>>>> http://www.mail-archive.com/mcn-l@mcn.edu/