Requirements For Becoming GDPR Compliant For US Companies – Guide
The General Data Protection Regulation (GDPR), enforced from 25 May 2018, turned the online world upside down. It is one of the most significant regulatory changes of the past few decades and has driven large-scale changes across many sectors.
The regulation originated in the EU but reaches well beyond EU borders, including to the US, which is the source of most of the confusion about GDPR for US companies.
Complying with the GDPR is confusing for many US companies, and in this blog we put that confusion to rest.
We discuss the main aspects of the regulation and the steps a US company should take to become and remain compliant.
Are US companies bound to follow GDPR?
This is the first question that comes to mind.
The answer is yes, but not unconditionally. Article 3 of the GDPR defines its territorial scope. The regulation applies to any controller or processor established in the EU/EEA, and also to controllers and processors established outside the EU/EEA when their processing relates to offering goods or services to people who are in the EU/EEA, or to monitoring the behaviour of people who are in the EU/EEA. A US company does not need an office in Europe to be covered; serving or tracking people located there is enough.
The conditions under which a US company falls under the GDPR are therefore:
- The company offers goods or services to people in the EU/EEA, whether or not payment is required
- The company monitors the behaviour of users who are in the EU/EEA, for example through tracking cookies or profiling
If you are wondering what the regulation means by user data, the term it uses is "personal data", which Article 4(1) defines as any information relating to an identified or identifiable natural person. It includes:
- Contact information such as names, email and postal addresses
- IP addresses and other online identifiers such as cookie IDs
- Location data
- Political opinions
- Sexual orientation
- and other personal data
Political opinions and sexual orientation are "special categories" of personal data under Article 9, which may be processed only under narrower conditions than ordinary personal data.
An exception in the GDPR
The regulation also distinguishes between organisations of different sizes. Under Article 30(5), a company with fewer than 250 employees is not required to maintain records of its processing activities.
This exemption applies only if the processing is occasional, is unlikely to result in a risk to the rights and freedoms of the people concerned, and does not involve special categories of data or data about criminal convictions. A company whose business involves regular processing of personal data therefore cannot rely on it.
Is the GDPR only for EU/EEA citizens?
Reading the regulation, you will notice the phrase "data subject" throughout. For a company outside the EU/EEA, what matters under Article 3(2) is that the data subject is in the EU/EEA at the time the goods or services are offered or the behaviour is monitored.
The data subject does not have to be an EU/EEA citizen: a US citizen who is in the EU/EEA while their data is collected has the protection of the GDPR.
Does the GDPR protect EU/EEA citizens all over the world?
For the extraterritorial rule, data subjects are people who are in the EU/EEA. The regulation does not follow EU/EEA citizens who are travelling to or living in other countries, so the fact that a customer holds an EU passport does not by itself bring a US company into scope.
- An important caveat: the European Data Protection Board's guidelines on territorial scope (Guidelines 3/2018) make location at the moment of the offer or monitoring the criterion, not nationality or residence, and a company's own records often do not show reliably where a person was at that moment. Many companies resolve this uncertainty by applying the same rules to everyone rather than trying to tell EU/EEA users apart.
Do the same rules apply to the US Government and Government agencies?
The GDPR makes no general exception for governments or government agencies, so a government body that processes personal data within scope is expected to comply like any other controller.
The only exemptions are in Article 2(2), which carves out processing by EU member states for activities outside the scope of Union law (such as national security) and processing by competent authorities for law-enforcement purposes, which is covered by a separate directive.
There is no equivalent carve-out for the US Government, so in principle US agencies that offer services to or monitor people in the EU/EEA fall within scope as well; whether an EU supervisory authority could actually enforce against a foreign government is a separate, and much harder, question.
GDPR requirements for US companies
Now we come to the most critical part of the article: the GDPR requirements that a US company is expected to follow.
The regulation itself is extensive (99 articles and 173 recitals), and understanding GDPR for US companies from the primary text alone is a lot of work.
We have made it easier by listing the main points of the essential rules. These will give you a fair idea of what needs to be taken care of.
The core points of GDPR
These are the data protection principles of Article 5, and every other obligation in the regulation flows from them:
- Lawfulness, fairness and transparency: processing must rest on a legal basis (Article 6), and users must be told what their data is used for and why
- Purpose limitation: the purpose must be specified from the very beginning, and data may be used for a new purpose only if it is compatible with the original one or has its own legal basis, such as fresh consent
- Data minimisation: collect only the data the stated purpose requires, and nothing extra
- Accuracy: take reasonable steps to keep personal data accurate and up to date
- Storage limitation: do not keep data longer than the purpose requires
- Integrity and confidentiality: protect personal data against unauthorised access, loss and damage with appropriate technical and organisational measures
- Accountability: the controller is responsible for complying with these principles and must be able to demonstrate that it does
These points capture the core of the GDPR, but several further obligations are integral to a successful compliance programme. Let's go through them in detail.
Auditing of data
Regular audits of your data are the best thing you can do to make sure you remain compliant. They help a company answer the essential questions the GDPR raises, such as:
- Where is the data stored?
- What kind of personal data is stored and processed?
- How long is data stored and kept in your system?
- Who has access to the personal data of users?
- Do you have sufficient security checks in place to make sure this data does not leave your systems?
Data Protection Impact Assessments (DPIAs, Article 35) help you identify and reduce these risks. A DPIA is mandatory where processing is likely to result in a high risk to individuals, for example large-scale profiling or systematic monitoring, and it is widely used across the EU as a structured way to audit data protection even where it is not required.
Auditing your relationship with service providers
This is one of the most critical areas of GDPR for US companies, and one where compliance is most often lacking. Almost every medium-sized and large company has third parties that process personal data on its behalf: hosting providers, analytics vendors, payroll and CRM services, and so on.
In such cases the data controller must have a written contract with each processor that meets Article 28. The contract must state that the processor may process the data only on the controller's documented instructions, and it must also cover confidentiality, security measures, the use of sub-processors, assistance with data subject requests and breaches, and the deletion or return of the data when the service ends.
When you deal with hundreds of third parties that have access to personal data, this becomes cumbersome to manage, but it cannot be skipped: if a processor cannot demonstrate GDPR compliance, the risk is yours as the controller.
The Right to be forgotten and other data subject rights
These rights are set out in Chapter III of the regulation (Articles 12 to 22) and are exercised constantly; supervisory authorities handle large numbers of complaints about them.
The Right to be forgotten, formally the right to erasure (Article 17), lets a person require that their personal data be deleted from a service, for instance when the data is no longer needed for the purpose it was collected for or when consent is withdrawn. It is often relied on by people who want material about a past incident removed years after the event.
The data subject rights are a list of several rights; the significant ones are:
- The right of access (Article 15): to receive a copy of their personal data and information about how it is processed
- The right to rectification (Article 16): to have inaccurate data about them corrected
- The right to restriction of processing (Article 18) and the right to object (Article 21), including the right not to be subject to decisions based solely on automated processing (Article 22)
- The right to data portability (Article 20): to receive their data in a structured, machine-readable format
These rights generate requests, and it is the company's duty to have enough people and process to handle them. Each request must normally be answered within one month (Article 12(3)), extendable by up to two further months for complex or numerous requests, and free of charge unless the request is manifestly unfounded or excessive.
Data protection officer
Every department of your company uses personal data in some way. Getting started with compliance means making changes in all of them and preventing misuse. This change in data culture takes a lot of effort, and the practical way to own it is to appoint a Data Protection Officer (DPO). Under Article 37 a DPO is mandatory for public authorities, for organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and for those processing special categories of data on a large scale; other companies may appoint one voluntarily.
The DPO oversees compliance across departments, advises on obligations, sets rules and delivers training so that there is little scope for error, and acts as the contact point for supervisory authorities and data subjects.
What to do in case of a data breach?
With data involved in almost everything we do, data breaches have become common. The regulation defines the procedure to follow when your company faces one.
Under Article 33, a company must notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; if the notification is late, the reasons for the delay must be given. Under Article 34, if the breach is likely to result in a high risk to people's rights and freedoms, for instance because highly sensitive data is involved, the company must also notify the affected users without undue delay.
Preparing for these data breaches
Companies must also take measures to be prepared to detect, investigate and report data breaches as soon as they happen, and must keep an internal record of every breach, including those not reported to the authority.
Meeting the GDPR's timelines requires concrete steps: an incident response plan that names who decides on notification, and specific people on your team who continuously monitor the flow of data.
Data retention policy
Data retention is one of the core components of GDPR for US companies, and every company must draft a clear policy. The document should state what data is processed and retained for each purpose, how long it is kept, and how it is deleted or anonymised at the end of that period.
The policy should be reviewed regularly and updated as processing changes so the company remains compliant.
Record of consent and options to withdraw
Audits are one of the most essential parts of GDPR compliance, and they should also check that records are maintained for every processing activity.
Where processing relies on consent, these records must be able to demonstrate that consent was actually given (Article 7(1)): when, by whom, for which purpose and on the basis of which version of your privacy notice. Users must also be able to withdraw consent at any time, and withdrawing must be as easy as giving it (Article 7(3)). Supervisory authorities can ask for such proof to ensure the regulations are being followed and the data is protected.
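As an added example (this is not code from the original article or from any particular vendor), the Python sketch below shows one way to keep such records: an append-only consent ledger where each event carries the purpose, the notice version the user saw, the timestamp and how consent was captured, and where withdrawal is a new event rather than a deletion. The class, purpose and evidence names are hypothetical, and the walkthrough data is constructed.

```python
"""Consent ledger: an added example, not part of the original article.

Each consent decision is stored as an append-only event carrying the purpose,
the version of the privacy notice the user saw, the timestamp and how the
consent was captured, so the controller can later demonstrate that consent
was given (Article 7(1)) and honour withdrawal (Article 7(3)). Withdrawal is
recorded as a new event rather than by deleting the old one, so the history
survives as evidence. All class, purpose and evidence names are hypothetical.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str            # e.g. "marketing_email" (hypothetical purpose name)
    notice_version: str     # version of the privacy notice the user was shown
    granted: bool           # True = consent given, False = consent withdrawn
    recorded_at: datetime   # UTC timestamp of the decision
    evidence: str           # how it was captured, e.g. "checkbox:signup-form"


class ConsentLedger:
    """Append-only log; the current state is the latest event per (subject, purpose)."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record(self, subject_id: str, purpose: str, notice_version: str,
               evidence: str, granted: bool = True,
               at: Optional[datetime] = None) -> ConsentEvent:
        when = at if at is not None else datetime.now(timezone.utc)
        event = ConsentEvent(subject_id, purpose, notice_version, granted, when, evidence)
        self._events.append(event)   # earlier events are never modified or deleted
        return event

    def withdraw(self, subject_id: str, purpose: str,
                 evidence: str = "user:settings-page",
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawing must be as easy as consenting: one call, no conditions.
        return self.record(subject_id, purpose, notice_version="-",
                           evidence=evidence, granted=False, at=at)

    def latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        for event in reversed(self._events):
            if event.subject_id == subject_id and event.purpose == purpose:
                return event
        return None

    def may_process(self, subject_id: str, purpose: str,
                    current_notice_version: str) -> bool:
        """True only if the most recent decision is a grant made under the notice
        version currently in force. A changed notice (new purpose or new wording)
        invalidates old consent until the user consents again."""
        event = self.latest(subject_id, purpose)
        return (event is not None and event.granted
                and event.notice_version == current_notice_version)

    def proof(self, subject_id: str) -> list[dict]:
        """Export every event for one subject, in order, as plain dicts: the
        evidence handed to a supervisory authority or included in an
        access-request response."""
        return [asdict(e) | {"recorded_at": e.recorded_at.isoformat()}
                for e in self._events if e.subject_id == subject_id]


if __name__ == "__main__":
    # Constructed walkthrough: grant, notice change, withdrawal.
    ledger = ConsentLedger()
    ledger.record("user-42", "marketing_email", "v1", "checkbox:signup-form")
    print(ledger.may_process("user-42", "marketing_email", "v1"))   # True
    print(ledger.may_process("user-42", "marketing_email", "v2"))   # False: re-consent needed
    ledger.withdraw("user-42", "marketing_email")
    print(ledger.may_process("user-42", "marketing_email", "v1"))   # False
    for row in ledger.proof("user-42"):
        print(row)
```

The point of checking the notice version in may_process is the purpose-limitation principle from the core points above: when the stated purpose or the notice changes, consent collected under the old text no longer covers the new processing, and the check fails closed until the user consents again.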
GDPR fines for US companies
Fines for companies that do not comply with the GDPR can be as high as 4% of annual worldwide turnover or €20 million, whichever is higher (Article 83), and US companies are not exempt.
The supervisory authorities of the EU/EEA countries have the legal power to impose these fines on companies outside EU territory when those companies fall within the regulation's scope.
A prominent example is the €50 million fine that CNIL, the French data protection authority, imposed on Google LLC, a California company, in January 2019 for lack of transparency and invalid consent in how it personalised ads.
Numerous companies have faced GDPR fines, which is what has brought all this attention to US companies.
If you are concerned about GDPR and are looking for a GDPR consultant who can help you implement the rules in your business, contact us!
We have helped numerous companies become GDPR compliant over the past few years and know the steps that will help you stay compliant.
GDPR Enforcement in the US
Each EU/EEA member state has a supervisory authority that enforces the GDPR within its territory.
The big question is what power these authorities have in the US and how they can enforce the rules against US companies.
- If the US company has bank accounts or any other assets in the EU/EEA, these can be targeted for noncompliance.
- Companies that are within scope but have no establishment in the EU/EEA must, under Article 27, designate a representative in one of the member states where their users are. The representative is the local point of contact for supervisory authorities and data subjects, and enforcement action can be addressed to it. The obligation does not apply to occasional, low-risk processing that involves no large-scale special categories of data.
- Another route is international cooperation: Article 50 directs supervisory authorities to cooperate with their counterparts in third countries, and EU bodies can seek assistance from US government bodies, which are usually responsive because of diplomatic relations.
The GDPR applies to every company in the world that processes data of users who are in the EU/EEA, whether they live there or are only travelling through, in connection with offering them goods or services or monitoring their behaviour.
Not being compliant, or flouting any rule, can result in fines of millions of euros, so you must take care to follow all the necessary guidelines.
Having no presence in the EU does not put you outside the rules, so if you haven't already, start auditing your compliance today!
Contact Us if you are looking for an expert GDPR consultant!
With over 25 years of experience in Information Technology and Management Consulting, Errin O'Connor has led hundreds of large-scale enterprise implementations from Business Intelligence, Power BI, Office 365, SharePoint, Exchange, IT Security, Azure and Hybrid Cloud efforts for over 165 Fortune 500 companies.