In 2016, the European Commission approved and adopted the new General Data Protection Regulation (GDPR). GDPR is a significant change in data protection regulation in the EU and replaces the existing legal framework (the Data Protection Directive and the various member state laws). It will come into effect on May 25, 2018.
GDPR adds some new requirements regarding how companies should protect individuals' data that they process. It also raises the stakes for compliance by increasing enforcement and imposing greater fines for breach. We are following the developments about GDPR and are taking steps to prepare for compliance.
No. Under GDPR a company is allowed to transfer personal data outside of the EU provided that it puts in place a mechanism, approved under GDPR, to make sure that personal data is adequately protected even when it is transferred outside of the EU. We have certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to satisfy this requirement (more detail on Privacy Shield). We currently don't have plans to add servers in the EU.
We chose the UK as a reasonable location for GDPR enforcement, and will reassess in 2019 before Brexit takes effect. The UK is hoping for a unique status under GDPR and are working towards it. For the time being the UK has declared it will be GDPR compliant and its new data protection bill is in line with GDPR.
Our compliance, data protection, and information security teams all worked to prepare our services for GDPR. We reviewed our data processing activities, and made any changes that were needed in advance of the GDPR effective date.
Like the Data Protection Directive that is presently in effect, GDPR includes provisions on international data transfer mechanisms. In order to comply with these provisions we have certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, a mechanism that had been approved for cross border transfer of personal data under the Directive and expected to apply under GDPR as well.
We are working with our customers to answer any questions and address any concerns regarding how we protect their personal data and gearing up for GDPR. If you have any questions, please don't hesitate to contact us at firstname.lastname@example.org.