OK, after talking to her more, she’s informed me that patient data is treated with country based regulations that supersede GDPR, so GDPR compliance is not a requirement contractually, as country, and sometimes region, regulatory compliance is more important. Germany for instance, is pretty strict in that the data can’t just be silo’d off, separate from other countries, it needs to remain within German borders at all times, which goes above and beyond GDPR, so GDPR is ignored.
Furthermore, blanket IP banning EU customers is a grey area, and the EU does not seek legal action against companies that do this, as most are operating in localities where there are now reciprocal agreements in place. Since the EU has not, as far as I’m aware, enforced GDPR versus a company that’s attempting to block EU IP addresses from accessing it’s website, it’s not an enforced regulation, and as such is not actually 100% incorrect. After having experienced the difficulties of GDPR first hand, in trying to use a US website to buy something in the US, and ship it to another address in the US, while being in Europe, but not the EU (Switzerland) it’s a pain in the ass as the average American mail order meat company (wife topping up her mother’s freezer) doesn’t give a crap about the difference between the continent of Europe and the political union of the EU, but for the average consumer, there’s nothing you can actually do.
So I concede that financial reporting is probably going to be GDPR compliant regardless of where you are, as there is probably very few banks that can say with 100% certainty they have no EU citizens so it’s best to err on the side of caution, it’s also still correct that pharmaceutical companies do tend to ignore GDPR as they are already compliant with far more rigorous laws and regulations which have been in place for years regardless. Her job was primarily to get the companies GDPR (and other local/national regs) compliant for the shareholders who did seem to be demanding it for their regulatory compliance.
I’ll edit the post at the start of this chain and then head to bed.
Removed by mod
OK, after talking to her more, she’s informed me that patient data is treated with country based regulations that supersede GDPR, so GDPR compliance is not a requirement contractually, as country, and sometimes region, regulatory compliance is more important. Germany for instance, is pretty strict in that the data can’t just be silo’d off, separate from other countries, it needs to remain within German borders at all times, which goes above and beyond GDPR, so GDPR is ignored.
Furthermore, blanket IP banning EU customers is a grey area, and the EU does not seek legal action against companies that do this, as most are operating in localities where there are now reciprocal agreements in place. Since the EU has not, as far as I’m aware, enforced GDPR versus a company that’s attempting to block EU IP addresses from accessing it’s website, it’s not an enforced regulation, and as such is not actually 100% incorrect. After having experienced the difficulties of GDPR first hand, in trying to use a US website to buy something in the US, and ship it to another address in the US, while being in Europe, but not the EU (Switzerland) it’s a pain in the ass as the average American mail order meat company (wife topping up her mother’s freezer) doesn’t give a crap about the difference between the continent of Europe and the political union of the EU, but for the average consumer, there’s nothing you can actually do.
So I concede that financial reporting is probably going to be GDPR compliant regardless of where you are, as there is probably very few banks that can say with 100% certainty they have no EU citizens so it’s best to err on the side of caution, it’s also still correct that pharmaceutical companies do tend to ignore GDPR as they are already compliant with far more rigorous laws and regulations which have been in place for years regardless. Her job was primarily to get the companies GDPR (and other local/national regs) compliant for the shareholders who did seem to be demanding it for their regulatory compliance.
I’ll edit the post at the start of this chain and then head to bed.