The European Union’s General Data Protection Regulation (GDPR) is currently the world’s most comprehensive data protection regulation. It aims to:
- Protect the personal data of people in the EU
- Give those people more control over their personal data and how it’s used
To ensure these aims are met, the GDPR has strict guidelines for businesses and organizations on how they can collect and process personal data. Notably, not only European businesses need to comply with the law.
The GDPR also applies to US businesses that collect personal data from people in the EU. From large companies like Google and Amazon, to smaller ones with just a few customers in the EU, every US business that offers goods or services to people in the EU, or monitors their behavior, needs to have a plan for complying with the GDPR.
Territorial Scope of the GDPR
Article 3 of the GDPR gives the regulation extraterritorial scope. This means that the GDPR applies to any business, inside or outside of the EU, that controls or processes the personal data of people who are in the EU. Note that the protection attaches to where the data subject is, not to EU citizenship: a US citizen living in Berlin is covered, an EU citizen living in Texas generally is not.
This article states that the:
regulation applies to the processing of personal data of data subjects who are in the [European] Union by a controller or processor not established in the [European] Union
So, if a business in the US offers goods or services to people in the EU, or monitors their behavior (for example by tracking them online), that business’s data processing is subject to the rules of the GDPR.
GDPR Key Definitions
To understand how to comply with the GDPR in the US, you first need to understand the core concepts of the GDPR.
Two important terms outlined in the GDPR are that of personal data and data subjects.
Personal data refers to any information that could be directly or indirectly used to identify an individual. This can be information such as:
- ID numbers
- Location data
- Email addresses
- Online identifiers
A data subject is a person whose personal data is being processed.
So, if your business records a customer’s name and address, the name and address are the individual’s personal data, and that individual is now a data subject.
The main aim of the GDPR is to ensure that people in the EU have greater protection and control over their personal data. As such, data subjects have the right to:
- access information regarding whether, and for what purpose, their personal data is being processed.
- rectification of any inaccuracies in their personal data.
- erasure of their personal data (commonly known as “the right to be forgotten”).
- restrict the processing of their personal data.
- receive their personal data in a structured, commonly used and machine-readable format (for example JSON or CSV), and have it transmitted to another controller where technically feasible (data portability).
- object to the processing of their personal data.
Even as a US business owner, you need to ensure these rights are protected in order to comply with the GDPR.
GDPR Guidelines for Data Processing in the US
One way the GDPR protects its subjects’ personal data is by carefully outlining the circumstances in which personal data can be processed. Businesses subject to the GDPR may only process user data if:
- the data subject has consented to the processing of their personal data
- the processing is necessary to fulfill a contract that the data subject has entered into
- the processing is required to comply with the data controller’s legal obligations
- the processing is necessary to protect the vital interests of the data subject or of another person
- the processing is required to carry out a task that is in the public interest
- the processing is necessary for the legitimate interests of the data controller or a third party, unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject
These are known as the lawful bases for processing under Article 6 of the GDPR, and at least one must apply before you may lawfully collect or process personal data. Consent is the most visible basis, and it is easy to demonstrate if you record when and how it was obtained, but it has to meet the conditions in Article 7 (see step 3) and the data subject can withdraw it at any time. It is therefore not automatically the safest choice: where the processing is genuinely necessary to fulfill a contract, that basis is usually the better fit.
GDPR Compliance for US Companies
If you own a business or website in the US that markets to users in the EU, you need to take several steps to comply with the GDPR:
1. Determine Whether You’re a Data Processor or Data Controller
To audit the data practices of your business and complete the rest of this checklist, you will need to first determine whether your business is a data processor, a data controller, or both, as defined by article 4 of the GDPR.
Then, you will need to look at the data practices of your business and answer a few questions that will get you started on the path to compliance with the GDPR.
A data processor processes personal data on behalf of a controller. “Processing” covers practically any operation performed on personal data, including:
- Collecting, recording and storing
- Adapting or altering
- Retrieving, consulting and using
- Disclosing or otherwise making available
- Erasing or destroying
A data controller is an organization that determines the “purposes and means of the processing of personal data”. In other words, how and for what reason data is processed. Most small businesses fall into this category, as they determine whether, as well as why and how, personal data is processed.
Controllers that do not process the data themselves engage a third-party processor (a hosting provider, an email marketing service, an analytics vendor) to do it on their behalf.
This can be challenging, because under Article 28 of the GDPR the controller remains responsible for using only processors that provide sufficient guarantees of compliance and for binding them with a written contract that sets out the processor’s obligations. So, if your business engages another individual or company to process personal data and that processor breaches the GDPR, your business can face enforcement action and liability alongside the processor, not instead of it.
2. Audit Your Data Practices
Being held accountable for your third-party processors’ noncompliance poses a significant risk, which is why auditing both your own data practices and those of your processors is so important.
Auditing entails looking at your data practices and asking yourself:
- What data is being collected, and on which lawful basis?
- Where is that data being stored?
- How is the data being protected?
- How long is the data being stored, and when is it deleted?
- Is there a reason for collecting and storing each piece of data?
- Who, including third-party processors, has access to the data, and under what contract?
- How can requests to access, correct or delete people’s personal data be fulfilled, and within what time?
Audits can be conducted by your business if you have the requisite knowledge of the auditing process and the GDPR rules regarding data processing, or they can be conducted by an auditing company, who will ensure that data processors are adhering to the GDPR.
3. Get Consent
In order to collect data on the basis of consent under the GDPR, there are criteria (set out in Article 7) you must satisfy:
- Consent must be given freely; it cannot be made a condition of a service that does not actually need the data
- The request for consent must be clear, in plain language, and distinguishable from other terms and conditions
- Consent must be specific and informed, obtained for each purpose of processing rather than bundled into one blanket agreement
- Consent must be an affirmative act, so pre-ticked boxes, silence or inactivity do not count
- The data subject must be permitted to withdraw consent at any time, and withdrawing must be as easy as giving it
- You must be able to demonstrate that consent was given, so keep a record of what was agreed, when and how
All of these standards must be met in order to collect data on the basis of consent.
4. Appoint a Data Protection Officer (DPO)
Under some circumstances, you may require a data protection officer in order to comply with the GDPR.
Article 37 requires a data protection officer when:
- The processing of personal data is carried out by a public authority or body (except courts acting in their judicial capacity)
- The core activities of the controller or processor consist of processing that requires regular and systematic monitoring of data subjects on a large scale (for example, behavioral advertising or location tracking)
- The core activities of the controller or processor consist of large-scale processing of the special categories of data listed in Article 9 (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation) or of data relating to criminal convictions and offenses
If your organization’s activities relating to data fall under one of these circumstances, you’ll need to designate a DPO.
A DPO is someone who has expert knowledge of data protection law, along with the ability to:
- Advise data controllers and processors of their obligations under the GDPR
- Monitor compliance with the GDPR
- Cooperate with the supervisory authority
- Act as a contact point with the supervisory authority
A DPO can be a new hire, an existing staff member, or an external provider engaged under a service contract. As the DPO will need both intimate knowledge of data protection law and of the organization’s data practices, some businesses that require a DPO will recruit one from among their staff. If you do, Article 38 requires that the person’s other duties not create a conflict of interest: someone who decides the purposes and means of processing, such as the head of marketing or IT, cannot also be the one monitoring that processing.
5. Designate an EU Representative
For US businesses subject to the GDPR under Article 3(2), a representative established in one of the EU member states where their data subjects are is required unless an exemption applies. This representative serves as a point of contact for supervisory authorities and data subjects, among other duties.
Article 27 of the GDPR outlines this requirement, as well as the narrow circumstances in which a US company does not need an EU representative. The exemption applies only if all of the following hold:
- The processing is occasional
- It does not include large-scale processing of the special categories of data (Article 9) or of data relating to criminal convictions and offenses
- It is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing
For example, if you own a small business based in the US with a few occasional customers from the EU, you may not be required to appoint an EU representative.
6. Implement Data Security Measures
Articles 32 to 34 of the GDPR detail what controllers and processors need to do in order to keep personal data safe, as well as what needs to be done in the event of a data breach.
Article 32 requires security measures appropriate to the risk, including:
- Pseudonymising and encrypting personal data
- Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Being able to restore the availability of and access to personal data in a timely manner after a physical or technical incident
- Regularly testing, assessing and evaluating the effectiveness of those measures
Additionally, Articles 33 and 34 set out what you must do if you suffer a personal data breach, which the GDPR defines broadly: any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, not only theft.
Unless the breach is unlikely to result in a risk to people’s rights and freedoms, you must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. For a US business with no EU establishment, that is the authority of the member state (or states) where the affected data subjects are, not the state of their citizenship. If you miss the 72 hours, the notification must explain the delay, and you must document every breach, including those you decide not to report.
Furthermore, if the breach is likely to result in a high risk to the rights and freedoms of the affected individuals, you also need to inform them directly without undue delay.
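The pseudonymisation measure listed above, together with the erasure and portability rights from the key definitions section, as an added example (this is not code from the original page): a small Python system of record that hands downstream systems only keyed HMAC tokens of identifiers, exports a subject’s data as machine-readable JSON, and fulfils erasure by deleting the subject’s record and key so that tokens left in analytics tables or processor datasets can no longer be linked to a person. The class, method and field names and the sample record are this example’s own assumptions; it uses only the Python standard library.

```python
"""Pseudonymised customer records with one key per data subject (added example).

Pattern: the system of record keeps each subject's personal data together with
a random key for that subject. Anything that leaves the system of record
(analytics tables, logs, datasets shared with a processor) receives only keyed
HMAC tokens of the identifiers, never the raw values. Erasing a subject deletes
the record and the key, so tokens still sitting in downstream copies can no
longer be linked back to the person, not even by the controller.
SubjectStore and its methods are this example's own names, not GDPR terms.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone


class SubjectStore:
    """System of record: personal data plus one 32-byte HMAC key per subject."""

    def __init__(self):
        self._records = {}  # subject_id -> {field: value}
        # In production keep the keys in a separate, access-controlled store.
        self._keys = {}     # subject_id -> 32-byte key

    def register(self, subject_id, record):
        """Store a subject's data and mint a fresh random key for them."""
        self._records[subject_id] = dict(record)
        self._keys[subject_id] = secrets.token_bytes(32)

    def token(self, subject_id, field_name):
        """Keyed pseudonym of one identifier, safe to hand to analytics or a processor.

        HMAC rather than a plain hash, so an outsider cannot rebuild the token
        from a guessed email address. The field name is bound into the message
        so the same value in two different fields yields two different tokens.
        """
        key = self._keys[subject_id]
        value = self._records[subject_id][field_name]
        msg = f"{field_name}\x00{value}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def relink(self, subject_id, field_name, candidate, token):
        """Check whether a token belongs to a candidate value.

        Only the key holder can do this; once the key is erased every
        candidate, including the true value, is rejected.
        """
        key = self._keys.get(subject_id)
        if key is None:
            return False
        msg = f"{field_name}\x00{candidate}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, token)

    def export(self, subject_id):
        """Data portability: the subject's data as structured, machine-readable JSON."""
        payload = {
            "subject_id": subject_id,
            "exported_at": datetime.now(timezone.utc).isoformat(),
            "data": self._records[subject_id],
        }
        return json.dumps(payload, indent=2, sort_keys=True)

    def erase(self, subject_id):
        """Right to erasure: drop the record and the key. False if the subject is unknown."""
        if subject_id not in self._records:
            return False
        del self._records[subject_id]
        del self._keys[subject_id]
        return True


def demo():
    """Run the lifecycle on a constructed record and return what was observed."""
    store = SubjectStore()
    # Constructed sample record, not real data.
    store.register("cust-0001", {"name": "Ada Example", "email": "ada@example.test"})
    tok = store.token("cust-0001", "email")  # this is all the analytics table stores
    linked_before = store.relink("cust-0001", "email", "ada@example.test", tok)
    wrong_guess = store.relink("cust-0001", "email", "bob@example.test", tok)
    export = store.export("cust-0001")
    erased = store.erase("cust-0001")
    linked_after = store.relink("cust-0001", "email", "ada@example.test", tok)
    return {
        "token_len": len(tok),
        "linked_before": linked_before,
        "wrong_guess": wrong_guess,
        "export_has_email": '"email": "ada@example.test"' in export,
        "erased": erased,
        "linked_after": linked_after,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the per-subject key: a single global HMAC key would let you pseudonymise, but erasing one person would then require finding and scrubbing every downstream copy of their token. With one key per subject, deleting that key is the erasure, and backups or processor extracts that still hold the token are no longer linkable. For direct identifiers you need to read back (a shipping address, say), replace the HMAC with a real authenticated cipher such as AES-GCM keyed per subject; the key-deletion step works the same way.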
7. Safeguard Data Transfers Outside of the EU
The GDPR allows personal data to be transferred outside the EU to countries that the European Commission has found to provide “adequate protection” (Article 45). The US has never had a general adequacy decision; instead, adequacy has been limited to a framework that US organizations self-certify to. At the time this was written that framework was the EU-US Privacy Shield, which the Court of Justice of the EU invalidated in July 2020 (Schrems II, case C-311/18); since July 2023 its successor, the EU-US Data Privacy Framework, plays the same role for certified organizations. A US business that is not certified must rely on another safeguard under Article 46, most commonly the Commission’s Standard Contractual Clauses, and document why the transferred data is protected in practice.
GDPR Enforcement and Fines for US Businesses
GDPR fines are the same for US businesses as they are for businesses in the EU.
The severity of fines levied depends on several factors, including:
- The gravity and duration of the infringement
- Whether the infringement was intentional or negligent
- Any mitigating actions taken by the data controller or processor
- Any relevant previous infringements
The last point is particularly noteworthy, as repeated violations of the GDPR can result in increasingly severe fines. Article 83 outlines the maximum fines for different types of violations with:
- Less severe violations incurring fines of up to €10,000,000 (about $11 million at the time of writing) or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher
- More severe violations incurring fines of up to €20,000,000 or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher
There have been numerous fines levied since the introduction of the GDPR, with penalties ranging from lows of €118 to a fine of €50,000,000 imposed on Google by the French supervisory authority (CNIL) in January 2019 for lack of transparency and for relying on consent that was not validly obtained for ad personalization.
Why US Businesses Need to Comply with the GDPR Now
If your business markets and sells to customers in the EU, you need to develop a strategy for managing GDPR compliance immediately. It’s important to evaluate the data practices of your business and any third-party data processors that you deal with and determine whether those practices are in line with the requirements that are set out by the GDPR.
Although the GDPR is a law based in the EU, your US business may still be at risk of millions of dollars in fines if you fail to comply.