GDPR Compliance for US Companies (2024)

Anwita

Feb 21, 2024

GDPR for US Companies

Scene: Facebook headquarters, 2018

Knock knock

Facebook: Who is it?

EU: It’s GDPR.

Facebook: GDPR who?

EU: GDPR, the most stringent, complex, and rigorous privacy protection law there is.

And just like that, Facebook and other tech giants were forced to rethink their data privacy practices. While they faced little comparable regulation at home in the US, things changed once these data-hungry businesses processed the personal data of people in Europe. They had two choices: comply, or face heavy fines and the reputational damage of public enforcement action.

GDPR (the EU General Data Protection Regulation, Regulation (EU) 2016/679) is a single regulation rather than a set of laws, but it reaches organizations outside the EU, US companies included, whenever they process the personal data of individuals in the EU. “GDPR compliance for US companies” therefore means meeting the same obligations an EU controller or processor would.

Let’s look at whether GDPR applies to US companies, the checklist they should follow, and what happens if you are not compliant.

Does GDPR compliance apply to US companies?

The short answer: it depends. On what? Article 3(2) of the GDPR sets out two triggers for organizations with no establishment in the EU, one about what you do with the data and one about whom you cater to. Let’s break this down.

Monitoring behavior – You track the behavior of individuals in the EU, for example by profiling website visitors through cookies, device fingerprints, or IP addresses.

Offering goods or services – You offer goods or services to individuals in the EU, whether or not payment is required.

Note that the test is about individuals who are in the EU, not EU citizenship: an EU citizen living in Texas is not covered on that basis, while a US citizen living in Paris is.

Organizations with fewer than 250 employees are exempt from the Article 30 duty to maintain records of their processing activities, but only if the processing is occasional, is unlikely to result in a risk to the rights and freedoms of individuals, and does not include special categories of data (Article 9) or data about criminal convictions (Article 10). A small SaaS company that processes customer data continuously does not qualify. Every other GDPR obligation applies regardless of headcount.

GDPR compliance checklist for US companies

These steps apply to US-based organizations that fall within Article 3(2), that is, those offering goods or services to individuals in the EU or monitoring their behavior there:

Map your data

As discussed above, GDPR applies only if you process the personal data of individuals it protects. If you do, determine whether that processing relates to goods or services offered to those individuals (a free service counts; no financial transaction is required) or to monitoring their behavior.

An internal information audit should help you figure this out. Recital 23 lists factors that show whether you “envisage” offering goods or services to people in the Union:

  • Do you mention customers or users who are in the Union, or otherwise make it apparent that you target people in one or more Member States?
  • Do you use a language or currency generally used in one or more Member States, with the possibility of ordering in that language?

Mere accessibility of your website from the EU, or listing an email address or other contact details, is not by itself enough to bring you in scope.

Internal audits should also give you visibility into the categories of data you hold, how they are processed and transmitted, how long they are retained, and who has access. This inventory is also the basis of the Article 30 record of processing.

Transparency

“It’s the intent that matters.” GDPR is not anti-data collection; it is anti-unaccountable data collection. Processing personal data without a lawful basis under Article 6 is non-compliant, and consent is only one of six bases. For each processing activity you need to identify and document one of the following:

  • The data subject has given consent for the specific purpose.
  • Processing is necessary to perform a contract with the data subject, or to take steps at the data subject’s request before entering a contract.
  • Processing is necessary to comply with a legal obligation the controller is subject to.
  • Processing is necessary to protect the vital interests of the data subject or another natural person.
  • Processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Processing is necessary for the legitimate interests of the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child.

Member States can introduce more specific rules for the legal-obligation and public-task bases (Article 6(2) and (3)).

If you rely on consent, remember that under Articles 4(11) and 7 consent must be:

  • Freely given – no coercion, and no bundling consent with a service that does not need the data (Article 7(4)).
  • Specific – each processing purpose is listed separately so the subject can agree to each one.
  • Informed – the data subject knows who you are, what you intend to do with the data, and that they can withdraw consent.
  • Unambiguous – a clear affirmative act is required; pre-ticked checkboxes, silence, inactivity, or terms buried in small print at the bottom of a page do not count (Recital 32).
  • Revocable – data subjects can withdraw consent at any time, and withdrawing must be as easy as giving it (Article 7(3)). Keep a record that proves consent was obtained (Article 7(1)).

Lastly, Articles 12 to 14 require you to tell data subjects, in clear and plain language, what you collect and why. In practice this means keeping your privacy notice accurate and up to date.

Risk assessment

Whether your data lives in the cloud or on premises, it is exposed to a range of threats, and Article 32 requires you as controller to implement security appropriate to the risk. Where processing is likely to result in a high risk to individuals, for example large-scale profiling or systematic monitoring, Article 35 requires a Data Protection Impact Assessment (DPIA) before the processing starts. A DPIA is a structured privacy risk assessment, not a data-integrity check.

Encryption is an Article 32 measure the regulation names explicitly. Encrypting data in transit and at rest (and end to end where the design allows) ensures that only holders of the keys can read it, and it has a practical payoff: if breached data is unintelligible to whoever obtained it, you may not have to notify the affected individuals (Article 34(3)(a)).

Technical controls need organizational safeguards around them: access control policies, staff training, and tested incident response procedures. Following security best practices and avoiding common mistakes reduces both the likelihood and the impact of an incident.

If you start a new project, follow data protection by design and by default (Article 25). This includes:

  • Building in measures such as pseudonymization, encryption, and data minimization from the outset rather than bolting them on later.
  • Defaulting to the minimum: only the personal data necessary for each specific purpose is collected, it is stored for the shortest necessary period, and it is accessible to the fewest people.
  • Demonstrating compliance, which an approved certification mechanism under Article 42 can support.
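To make the first two bullets concrete, here is an added example (not code from the original article or from Sprinto) of minimization and pseudonymization applied to a constructed web-analytics event. It keeps only the fields the analytics purpose needs and replaces the email with a keyed token (HMAC-SHA256), so events from the same person stay linkable but re-identification requires a secret key that is stored apart from the analytics data, which is what Article 4(5) means by pseudonymization. It also shows why a plain, unkeyed hash is not enough: anyone with a candidate list of email addresses can reverse it. The field names, the sample event and the candidate list are all made up for the example; the key handling (a secrets manager, not the analytics database) is an assumption about how you would deploy it.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample event for the example; not real personal data.
RAW_EVENT = {
    "email": "Ada@example.com",
    "full_name": "Ada Lovelace",
    "ip": "203.0.113.42",
    "page": "/pricing",
    "country": "DE",
    "timestamp": "2024-02-21T10:15:00Z",
}

# Data minimization: the analytics purpose needs only these fields.
# Name, raw email and IP address are never written to the analytics store.
ANALYTICS_FIELDS = ("page", "country", "timestamp")


def _normalize(value: str) -> str:
    # Same person, same token, regardless of case or stray whitespace.
    return value.strip().lower()


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 of the identifier. Shown only as the weak baseline:
    with no secret involved, anyone can recompute it from a guess list."""
    return hashlib.sha256(_normalize(value).encode()).hexdigest()


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Same input and key -> same token,
    so events stay linkable for analytics, but reversing a token requires
    the key, which lives in a secrets manager (assumption), not next to
    the data it protects."""
    return hmac.new(key, _normalize(value).encode(), hashlib.sha256).hexdigest()


def minimize_and_pseudonymize(event: dict, key: bytes) -> dict:
    """Keep only purpose-bound fields and swap the identifier for a token."""
    out = {k: event[k] for k in ANALYTICS_FIELDS if k in event}
    out["user_token"] = pseudonymize(event["email"], key)
    return out


def reidentify_by_guessing(
    token: str, candidates: Iterable[str], token_fn: Callable[[str], str]
) -> Optional[str]:
    """Attacker model: run a list of candidate identifiers through the token
    function the attacker is able to compute and look for a match."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held separately from the analytics store
    record = minimize_and_pseudonymize(RAW_EVENT, key)
    print(record)

    # Constructed "leaked" candidate list an attacker might hold.
    candidates = ["bob@example.com", "ada@example.com", "eve@example.com"]

    # Unkeyed hashing: the attacker recovers the email from the candidate list.
    print(reidentify_by_guessing(unkeyed_hash(RAW_EVENT["email"]), candidates, unkeyed_hash))

    # Keyed token: without the key, the same attack yields nothing.
    print(reidentify_by_guessing(record["user_token"], candidates, unkeyed_hash))
```

The analytics team can still count distinct users and sessions with `user_token`; only the team holding the key can map a token back to a person, and rotating the key severs that link entirely, which is a useful property when a retention period ends.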

Vendor agreement

Malicious actors are not the only ones putting your customer data at risk. Third parties that process data on your behalf, such as hosting providers, analytics vendors, and support tools, handle the same data with controls you do not directly manage.

A data processing agreement (DPA) is how you manage that risk. Article 28(3) makes it a mandatory written contract with every processor that has access to personal data, and it must cover at least the following:

  • The processor processes personal data only on documented instructions from the controller.
  • Anyone the processor authorizes to access the data is bound by confidentiality.
  • The processor implements the security measures required by Article 32.
  • The processor does not engage a sub-processor without the controller’s prior written authorization, and flows the same obligations down to any sub-processor it does engage.
  • The processor assists the controller in meeting its GDPR obligations, including responding to data subject requests and breach notification.
  • At the end of the service, the processor deletes or returns all personal data, at the controller’s choice.
  • The processor makes available all information needed to demonstrate compliance, and allows for and contributes to audits by the controller.

Appoint a representative

Organizations without an establishment in the EU that fall under Article 3(2) must designate a representative in the Union (Article 27). The representative must be established in one of the Member States where the individuals whose data you process, or whose behavior you monitor, are located, and acts as the point of contact for supervisory authorities and data subjects. The exemption is narrow: occasional processing that is unlikely to result in a risk and involves no large-scale special-category or criminal-conviction data.

Designating a representative is without prejudice to legal actions against the controller or processor themselves, meaning it does not shift liability. The representative must cooperate with supervisory authorities on any action taken to ensure compliance.

Breach notification

No matter how strong your security posture is, no control prevents 100% of breaches. Build your infrastructure and processes to detect and respond, not just to prevent. When a personal data breach occurs, there are two audiences with different thresholds: the supervisory authority (Article 33) and the affected data subjects (Article 34).

Ensure the following when notifying the supervisory authority:

  • Notify within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If you miss 72 hours, the notification must explain the delay; information may be provided in phases if it is not all available at once.
  • Describe the nature of the breach, including the categories and approximate number of data subjects and records affected.
  • Include the contact details of your DPO (or another point of contact), the likely consequences of the breach, and the measures taken or proposed to address it and mitigate its effects.
  • Document every breach, including its effects and the remedial action taken, even those below the notification threshold (Article 33(5)); the supervisory authority can ask for this record.

Ensure the following when notifying data subjects:

  • Notify the affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
  • Notification is not required if the data was unintelligible to whoever obtained it (for example, properly encrypted), if you have since taken measures that make the high risk no longer likely to materialize, or if individual notification would involve disproportionate effort, in which case a public communication is required instead.
  • Explain the breach in clear and plain language, along with the likely consequences and the corrective measures taken.

Data protection officer

If your organization processes large volumes and varied categories of personal data, it can be hard for line staff to keep up with everything GDPR requires. You may choose to appoint a data protection officer (DPO) to own these tasks. Article 37 requires a DPO if:

  • You are a public authority or body (other than a court acting in its judicial capacity).
  • Your core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale.
  • Your core activities consist of large-scale processing of special categories of data (Article 9) or data relating to criminal convictions (Article 10).

Under Article 39, a DPO:

  • Acts as the contact point for data subjects on matters related to the processing of their personal data and the exercise of their rights
  • Informs and advises the organization and its employees of their GDPR obligations
  • Monitors compliance, including assigning responsibilities, awareness-raising, training, and audits
  • Advises on and monitors data protection impact assessments
  • Cooperates with, and acts as the contact point for, the supervisory authority

What if US companies violate GDPR rules?

Organizations that violate GDPR pay the consequences, literally, in penalties. Article 83 sets two tiers: up to €10 million or 2% of total worldwide annual turnover of the preceding financial year for breaches of obligations such as security, breach notification, and DPO duties (Articles 25 to 39), and up to €20 million or 4% for breaches of the basic principles, data subject rights, or international transfer rules. In each case the higher of the two figures is the ceiling.

Fines are imposed alongside corrective measures under Article 58, such as orders to stop a processing activity or to bring it into compliance.

Two well-known examples: in January 2019, France’s CNIL fined Google LLC €50 million (about £44 million) for lacking transparency and valid consent in its ad personalization. In 2019 the UK’s ICO announced an intention to fine British Airways £183 million over a 2018 web-skimming attack, enabled by poor security, that affected about 500,000 customers; the final penalty, issued in 2020, was reduced to £20 million.

GDPR, the easy way

GDPR is not easy, but it is not optional either. Bigger fish like Facebook, Google, or Amazon can absorb millions in fines; the same penalty can leave a smaller company bleeding to death.

A PwC survey found that US organizations spend between $1 million and more than $10 million annually to stay GDPR compliant. Thankfully, there is a faster way that costs a fraction of that time and money. Sprinto automates the process, from evidence collection and risk monitoring to audits and training, everything you need to keep the GDPR police from knocking at your door.

Let’s discuss your needs today. 

FAQs

What is the GDPR equivalent for US companies?

There is no single US equivalent. The closest analogue is California’s CCPA, as amended by the CPRA, though it covers only California residents and is narrower than GDPR; several other states have passed their own privacy laws. A US company processing the data of individuals in the EU still has to meet GDPR separately.

How is GDPR enforced on US companies?

GDPR is enforced on US companies by the EU supervisory authorities through investigations, corrective orders (Article 58), and fines (Article 83), typically via the Member State where the company’s Article 27 representative is established or where the affected individuals are. Enforcing against a company with no presence in the EU is harder in practice, which is one reason the regulation requires non-EU companies in scope to designate an EU representative.

Anwita

Anwita is a cybersecurity enthusiast and veteran blogger all rolled into one. Her love for everything cybersecurity started her journey into the world compliance. With multiple certifications on cybersecurity under her belt, she aims to simplify complex security related topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watches sitcoms on the weekends.
