EU’s General Data Protection Regulation: Does It Apply to Your Agency?

Two years ago the European Union (EU) adopted General Data Protection Regulation (GDPR), with an effective date of May, 25, 2018 — last Friday. In response, MRSC has received several calls from jurisdictions asking if the regulations applied to Washington local governments.

Is the GDPR applicable to my local government?

Local governments should not be concerned about the GDPR — except if you offer goods or services to residents of the EU.

Does your jurisdiction do any direct tourism marketing to EU residents or are you somehow involved directly with EU projects? It is not likely that local government agencies in Washington would be involved in activities that would bring them within the scope of this EU regulatory scheme. If you disagree, please contact MRSC. If we obtain information that calls this conclusion into question, we will provide an update.

There are relatively few situations where a public agency in Washington would gather data from EU residents. Here are some possible examples:

• an EU resident is involved in a vehicle accident and police respond to the scene
• an EU resident obtains services from a public hospital district while visiting the Northwest

In such situations the public agency is not offering services to EU residents, it is responding to an emergency or providing services at the request of the EU resident. Such tangential contacts and data involvement would seem to be beyond the scope of the regulations, and the EU would seem to have no jurisdiction to enforce compliance if the public agency has no general business involvement or offices within the EU.

Data protection and privacy across organizations

Because of the global reach of many corporations and companies that utilize the web to conduct business and market products, these regulations will impact a significant number of US-based businesses, including some that you use as vendors or contractors, such as Microsoft, Facebook, Amazon, etc. It will be the responsibility of these businesses to comply with GDPR, since, in the course of conducting business, they collect data from EU individuals.

There is a growing concern over the privacy of data that is collected from individuals by private businesses and public agencies, for a wide range of uses. The intent of the EU regulations is to enable EU residents to have more control over the personal data that companies obtain. If similar US regulations are adopted in the future, you will receive information regarding compliance from MRSC, your statewide professional associations, and your insurer.

On the topic of data privacy, here are two instances that do apply to local government agencies. When individuals provide their email address and request to be added to a list for communications from your agency, do you inform them that their email address may be required to be disclosed to the public pursuant to the PRA? Do you have an easy process for people to unsubscribe from your agency newsletters or other communications?

These are just a few best practices that help local governments ensure data privacy for individuals and helps constituents better manage how and when to share their personal data.

Questions? Comments?