GDPR compliance for international technology companies
International organizations and technology companies are often set up with multiple legal entities and matrix-like structures. A mature privacy and GDPR compliance program helps to secure business and build privacy confidence in the EU.
GDPR for technology companies
Whether you provide mobile apps, software as a service (SaaS), infrastructure, on-prem technology or simply software, the GDPR will affect the way you (need to) do business in Europe and work with European clients. Even if you are not directly affected by the GDPR, your clients will require functionality, insight and support that let them comply easily. As a technology vendor/provider, you should be concerned about making this as easy as possible for your clients.
Setting up shop in Europe, in particular as a technology company processing personal data, is complex due to the GDPR. A thorough review of your processing activities is needed to determine how the GDPR affects you, and what the best setup is for your organization, in particular when multiple legal entities are involved.
Vendor requirements
Clients in the EU will require their vendors to support them with GDPR compliance, to have a good level of GDPR compliance in place, and to complete a Data Processing Agreement (DPA) with them. Vendor GDPR assessments and international transfer assessments are quickly becoming standard practice. Sometimes they may even want to audit your GDPR and data protection practices, so as a vendor you will need to be prepared.
The international technology companies we work with are typically concerned about:
- Understanding how the GDPR applies as a foreign organization.
- How their clients in the EU can use products from outside the EU.
- Talking to their prospects and clients about the GDPR.
- Required documentation, certifications, legal documents and agreements with EU clients.
- Creating a model Data Processing Agreement (DPA) for use by clients.
- Which vendors can and can’t I use?
- Which documentation and agreements do I need from my vendors (subprocessors)?
- How can we support our client’s Data Protection Impact Assessment (DPIA)?
- Appointing an EU representative or Data Protection Officer.