While it is most likely state agencies will not come under GDPR scrutiny, it is still important to know the risks and how to avoid them. This checklist provides some quick points for state agencies to consider related to the European General Data Protection Regulation (GDPR):
Is the agency monitoring European residents' data, i.e. controlling and/or processing data belonging to European residents?
- If no, then stop, the GDPR does not apply.
- If yes, then continue.
(Note: A processor is an entity that processes the data on behalf of the controller; this includes data organization and storage. A controller is the entity that decides how the personal data will be processed and for what purpose it will be used.)
Is the agency buying or obtaining data from third parties?
- Does the data include information on European residents? If yes, then the agency should stop collecting data on those persons, purge the system of data on those persons, determine whether it needs the data, and potentially contact an attorney.
Is the agency sharing data with third parties where some of that data pertains to European residents?
- If yes, the agency needs to have a business purpose for doing so.
If the collection, processing, and retention of the data is for one of the following purposes, then the agency may be allowed to collect, process, and retain the data:
1. National security.
2. Defense, public security, the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
3. Other important objectives of general public interest of the State, in particular an important economic or financial interest of the State, including monetary, budgetary and taxation matters, public health and social security.
4. The protection of judicial independence and judicial proceedings.
5. The prevention, investigation, detection and prosecution of breaches of ethics for regulated professions.
6. Monitoring, inspecting or regulatory functions connected, even occasionally, to the exercise of official authority.
7. The protection of the data subject or the rights and freedoms of others.
8. The enforcement of civil law claims.
If the purpose for collecting, processing, and retaining data is one of the purposes above (1-8), and the data includes European Union residents, the agency must provide an explanation as to why the restriction(s) is necessary.
If the agency is not collecting any personal information on EU residents, then the agency will NOT be subject to GDPR compliance.
It is important to keep in mind that Washington has a lot of foreign workers. If they return to the EU, the agency should have a process by which it destroys that personal information, or provide a user notice telling people about the retention of personal data after they have departed Washington.