Or, you know, everyone involved could just calm down, tell clients and customers what data you collect and what you do with it and why (hint- as long as you stick to ‘we use it to supply the contracted services’, you’re fine) and get on with things.
Yes, GDPR will mean that your organisation will probably have had to revamp your contracts and terms of service and people will have had to think about what they are collecting and why (which they should have been doing anyway) but other than that, unless your business model is to collect as much personal data as possible and sell it for as much as possible, there really is no cause for panic over GDPR.
Apart from the looming problem that the US (assuming you’re in the US) really has no legitimate basis for being classed as a “safe” location for EU citizens’ data.
But there’s no need to worry about that either since a) the US’s global dominance will almost certainly mean that the previous fudges on that will keep being renewed and updated and b) if it does happen, there’s sod all you can do about it other than run all EU business from the EU, keeping all data within the EU (leaving aside the technical illiteracy involved in that idea).
