GDPR Compliance for US Companies (2024)
Anwita
Feb 21, 2024

Back in 2017, platforms like Facebook didn’t give data privacy as much attention as they do today. A year later, the GDPR came into force and quickly became known as one of the most stringent, complex, and rigorous privacy protection laws there is.
And just like that, Facebook and other tech giants were forced to rethink their data privacy measures. While they had faced no comparable regulatory pressure in the US, things changed once these data-hungry businesses processed the personal data of people in Europe. They had two choices: comply, or face heavy fines and possible enforcement action.
But does the GDPR apply to US companies?
In simple terms, yes. GDPR compliance for US companies means following the same rules that bind any organization, wherever it is located, that collects or processes the personal data of individuals in the EU. Note that the trigger is the location of the individual, not their citizenship.
This blog talks about how GDPR applies to US companies, the checklists they must be aware of, and what happens if they are not compliant.
TL;DR Does GDPR apply to US companies? Yes, if they offer goods or services to individuals in the EU or monitor their behavior, regardless of where the company is located. Data processing agreements with vendors and the appointment of a representative in the EU are key steps for US companies to manage data processing risk. Non-compliance can lead to fines of up to 4% of total worldwide annual turnover or €20 million, whichever is higher.
Does GDPR compliance apply to US companies?
Yes. Under Article 3(2), GDPR applies to US companies with no EU establishment when they monitor the behavior of individuals in the EU, for example by tracking the IP addresses or cookies of website visitors and profiling them.
It also applies when a US business offers goods or services to individuals in the EU, whether or not payment is involved.
Organizations with fewer than 250 employees are exempt from keeping records of processing activities (Article 30(5)), but only if the processing is occasional, is unlikely to result in a risk to the rights and freedoms of individuals, and does not involve special categories of data or data on criminal convictions. Most businesses that process customer data regularly will not qualify for the exemption.
How is GDPR carried out in the US?
There is no US regulator for GDPR. It is enforced by the supervisory authorities of the EU member states, commonly called Data Protection Authorities (DPAs). A US company with no EU establishment will typically deal with the authority of the member state where its EU representative is based or where the affected individuals are.
If a business violates GDPR, it pays the consequences, literally, in the form of penalties. Fines can reach 4% of total worldwide annual turnover for the preceding financial year or €20 million, whichever is higher.
Fines are usually accompanied by corrective measures, such as an order to stop the infringing processing or to bring it into compliance within a set period.
Two well-known examples: in January 2019 the French regulator CNIL fined Google LLC €50 million (about £44m) for a lack of transparency and invalid consent for ad personalization. In 2019 the UK ICO announced an intended £183m fine against British Airways after a 2018 web-skimming attack, enabled by poor security, that affected roughly 500,000 customers; the final penalty issued in 2020 was reduced to £20m.
GDPR compliance checklist for US companies
These steps apply to US-based organizations that offer goods or services to individuals in the EU or monitor their behavior:
Map your data
As discussed above, GDPR applies only if you process data of individuals it protects. If you do, determine whether that processing relates to goods or services offered to them, even where no payment is involved.
An internal information audit should help you figure this out. Recital 23 lists factors that indicate you are targeting individuals in the EU:
- Is it apparent that you envisage offering goods or services to data subjects in one or more member states?
- Do you use a language or currency generally used in one or more member states, allow ordering in that language, or mention customers or users in the EU?
Internal audits should also help to gain better visibility into the categories of data, how it is processed, how it is transmitted, for how long it is stored, and more.
Transparency
GDPR does not prohibit data collection; it prohibits processing without a lawful basis. Consent is only one of the six lawful bases in Article 6, and processing that relies on none of them is non-compliant. Processing is lawful if at least one of the following applies:
- You have the consent of the data subject
- It is necessary to perform a contract with the data subject, or to take steps at their request before entering a contract
- It is necessary to comply with a legal obligation the controller is subject to
- It is necessary to protect the vital interests of the data subject or another natural person
- It is necessary to perform a task in the public interest or in the exercise of official authority vested in the controller
- It is necessary for the legitimate interests of the controller or a third party, unless those interests are overridden by the interests or fundamental rights of the data subject
Member states may introduce more specific provisions for the legal-obligation and public-task bases (Article 6(2)).
If you rely on consent, remember that consent must be:
- Freely given – you cannot force or coerce the data subject into consenting, or make a service conditional on consent that is not necessary for it.
- Specific – each processing purpose should be listed separately so the subject can agree to each one.
- Informed – the data subject should know your identity, the purposes of processing, and their right to withdraw consent.
- Unambiguous – avoid practices designed to nudge the user into consenting, such as pre-ticked checkboxes or terms buried in small text at the bottom of a page.
- Withdrawable – data subjects can withdraw consent at any time, and withdrawal must be as easy as giving it.
Lastly, Article 12 requires you to provide information about your processing in a concise, transparent, and easily accessible form. In practice this means keeping your privacy policy accurate and up to date.
Risk assessment
Personal data hosted in the cloud is exposed to a range of threats. As a controller, identify and mitigate the information security and privacy risks of each processing activity. Article 35 requires a Data Protection Impact Assessment (DPIA) for processing likely to result in a high risk to individuals; conducting one for any new system that handles personal data is good practice.
Encrypting data in transit and at rest, with keys accessible only to authorized components and people, limits the damage if storage or a network path is compromised.
Technical controls need organizational safeguards alongside them: access policies, staff training, and change control. Following security best practices and avoiding common mistakes reduces the chance of a reportable incident.
For new projects, follow data protection by design and by default (Article 25). This includes:
- Building in measures such as pseudonymization, encryption, and data minimization when designing the processing.
- Ensuring that, by default, only the personal data necessary for each specific purpose is processed, in terms of the amount collected, the extent of processing, the storage period, and who can access it.
- Using an approved certification mechanism (Article 42) as one way to demonstrate compliance with these obligations.
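The list above names pseudonymization and data minimization but does not show what they look like in code. The following is an added example, not Sprinto’s code and not prescribed by the GDPR text: it takes a constructed web-analytics event, keeps only the fields an analytics purpose needs, replaces the email with a keyed HMAC token, truncates the IP address, and then aggregates events into counts. The field names, the placeholder key and the k=5 suppression threshold are assumptions for illustration; in production the key would come from a KMS that the analytics pipeline cannot read. It also illustrates the distinction drawn in the FAQ below: the token output is still personal data (the controller holds the key and can re-link it), whereas the aggregated counts are anonymous.

```python
"""Pseudonymization, minimization and aggregation of a tracking event.

Added example, not code from the original page. Assumes events are dicts
with the fields shown and that the HMAC key is held outside the analytics
store (constructed placeholder below).
"""
import hashlib
import hmac
import ipaddress

# Constructed sample: one raw event as a tracking pixel might log it.
RAW_EVENT = {
    "email": "alice@example.com",
    "ip": "203.0.113.57",
    "user_agent": "Mozilla/5.0 (constructed)",
    "page": "/pricing",
    "timestamp": "2024-02-21T10:15:00Z",
    "card_last4": "4242",  # never needed for page analytics
}

# Placeholder key (hypothetical). In production: fetched from a KMS/HSM,
# never stored next to the pseudonymized data.
PSEUDONYM_KEY = bytes.fromhex("11" * 32)

# Purpose limitation: allow-list of fields the analytics purpose needs.
ANALYTICS_FIELDS = ("page", "timestamp")


def pseudonymize_identifier(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 over a normalized direct identifier.

    A plain SHA-256 of an email can be reversed by hashing a list of
    known addresses; with a secret key an attacker who steals only the
    dataset cannot. The controller still can, so this is pseudonymous
    personal data (GDPR Art. 4(5)), not anonymous data.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def truncate_ip(ip_str: str) -> str:
    """Data minimization: keep the network prefix (IPv4 /24, IPv6 /48)
    for coarse geo/abuse analytics and discard the host bits."""
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)


def minimize_event(event: dict, key: bytes) -> dict:
    """Return a pseudonymized, purpose-limited copy of a raw event.
    Fields not on the allow-list (user agent, card digits) are dropped,
    not merely masked."""
    out = {k: event[k] for k in ANALYTICS_FIELDS if k in event}
    out["visitor_token"] = pseudonymize_identifier(event["email"], key)
    out["ip_prefix"] = truncate_ip(event["ip"])
    return out


def aggregate_page_views(events: list, k: int = 5) -> dict:
    """Anonymization by aggregation: page-view counts with any cell
    below k suppressed so a single visitor cannot be singled out.
    The result carries no identifier or token (Recital 26)."""
    counts: dict = {}
    for e in events:
        counts[e["page"]] = counts.get(e["page"], 0) + 1
    return {page: n for page, n in counts.items() if n >= k}


def sample_events() -> list:
    """Constructed batch: six visits to /pricing, two to /about."""
    batch = []
    for i in range(8):
        e = dict(RAW_EVENT)
        e["email"] = f"user{i}@example.com"
        e["page"] = "/pricing" if i < 6 else "/about"
        batch.append(minimize_event(e, PSEUDONYM_KEY))
    return batch


if __name__ == "__main__":
    print(minimize_event(RAW_EVENT, PSEUDONYM_KEY))
    print(aggregate_page_views(sample_events()))
```

The key design choice is separation: the pipeline that writes pseudonymized rows should never hold the HMAC key, and the table mapping tokens back to people (if one is kept at all) should live in a separately access-controlled store, since anyone holding both the data and the key can re-identify every row.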
Vendor agreement
Malicious actors are not the only ones putting your customer data at risk. Third-party vendors that process personal data on your behalf (processors, in GDPR terms) are a significant source of risk as well.
A data processing agreement (Article 28) reduces that risk. It is a contract with every party that accesses personal data on your behalf, and it should cover at least the following:
- The processor processes personal data only on documented instructions from the controller
- Anyone authorized to access the data is bound by a duty of confidentiality
- The processor implements appropriate technical and organizational security measures
- The processor does not engage sub-processors without the controller’s prior written authorization
- The processor assists the controller in meeting its GDPR obligations, including data subject requests and breach notification
- At the end of the service, the processor deletes or returns all personal data, at the controller’s choice, and deletes remaining copies
- The processor makes available the information needed to demonstrate compliance and allows for and contributes to audits by the controller
Appoint a representative
Under Article 27, organizations outside the EU that fall under Article 3(2) must designate a representative in the EU. The representative must be established in one of the member states where the individuals whose data is processed (in relation to goods or services, or whose behavior is monitored) are located. The obligation does not apply if the processing is occasional, does not include large-scale processing of special categories of data, and is unlikely to result in a risk to individuals.
Designating a representative is without prejudice to legal action that may be taken against the controller or processor itself. The representative cooperates with the supervisory authorities on all matters relating to the organization’s GDPR compliance.
Breach notification
No matter how strong your security posture is, there is no way to prevent 100% of breaches. Set up your infrastructure to not only prevent incidents but also prepare for them. When a personal data breach occurs, two parties may need to be notified: the supervisory authority (Article 33) and the affected data subjects (Article 34).
Ensure the following when notifying the supervisory authority:
- Notify within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If you miss the deadline, the notification must explain the delay.
- Describe the nature of the breach, including the categories and approximate number of data subjects and records affected.
- Include the contact details of your data protection officer or other contact point, the likely consequences of the breach, and the measures taken or proposed to address it and mitigate its effects.
- Document every breach, including its effects and the remedial action taken, even those you do not need to report, so the authority can verify compliance.
Ensure the following when notifying data subjects:
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Individual notification is not required if the data was rendered unintelligible to unauthorized parties (for example through encryption), if you have since taken measures that remove the high risk, or if it would involve disproportionate effort; in that last case a public communication is required instead.
- Explain the breach in clear and plain language, along with its likely consequences and the measures taken to address it.
Data protection officer
If your organization processes large volumes and many types of personal data, it can be hard for existing staff to keep up with everything GDPR compliance requires. You might consider appointing a data protection officer (DPO) to own these tasks. Article 37 makes a DPO mandatory if:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- Your core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale.
- Your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions.
A DPO typically performs these tasks:
- Acts as the contact point for data subjects on all issues relating to the processing of their personal data
- Informs and advises employees of their obligations under GDPR
- Monitors compliance, performs audits, trains staff, and keeps track of the organization’s compliance status
- Advises on and monitors data protection impact assessments
- Cooperates with data protection supervisory authorities and acts as their contact point on issues relating to processing
GDPR, the easy way
GDPR is not easy, but it is not optional either. Bigger fish like Facebook, Google, or Amazon can afford to pay millions in fines; the same penalties can leave smaller companies bleeding.
A PwC survey found that US organizations spend between $1 million and more than $10 million annually on GDPR compliance. There is a faster and cheaper route that costs a fraction of that time and money. The Sprinto solution automates the process from end to end: evidence collection, risk monitoring, audit preparation, and training, everything you need to stay ahead of regulators and their fines.
Let’s discuss your needs today.
FAQs
What is the GDPR equivalent for US companies?
There is no single, comprehensive GDPR equivalent in the US. The closest analogues are state privacy laws such as the CCPA (California Consumer Privacy Act), which covers California residents, and sector-specific federal laws like HIPAA for healthcare and GLBA for financial services.
How is GDPR enforced on US companies?
GDPR is enforced on US companies that offer goods or services to EU residents or monitor their behavior, regardless of the company’s location. Enforcement is carried out by EU data protection authorities.
Is GDPR applicable on all US websites?
GDPR is not applicable to all US websites. It applies only to those that target EU residents or monitor their behavior. A US website that doesn’t specifically target EU customers or track EU visitors may not need to comply.
Who penalizes US businesses for non compliance with GDPR?
EU data protection authorities, led by the supervisory authority in the relevant EU member state, are responsible for penalizing US businesses for non-compliance with GDPR. They can impose fines and other sanctions.
Who does GDPR not apply to?
GDPR does not apply to:
- Deceased individuals’ data
- Personal or household activities
- Law enforcement and national security activities
- Companies that don’t target EU residents or monitor their behavior
- Anonymized data (if truly anonymized and not just pseudonymized)