While the General Data Protection Regulation (GDPR) is a law of the European Union (EU) on data protection and privacy, its remit far exceeds the physical boundaries of the EU and European Economic Area (EEA). In fact, it includes the United States, the EU’s largest trading partner. As such, achieving GDPR compliance should be a top priority for US companies that want to avoid large financial penalties.
What is the GDPR?
Introduced in May 2018, the GDPR is a new law that places greater obligations on companies and organizations when it comes to processing the personal data of data subjects (individuals) in the European Union. It gives these individuals more control over their personal data.
Under the GDPR, a data subject is any individual within the EU whose personal data is being processed, and this includes US citizens living or working in, or traveling to, the EU. It also includes any EU citizen who has any form of relationship with your organization, whether as a customer or as a remote worker.
Examples of where the GDPR affords greater rights to individuals include the rights to data portability and data erasure, in addition to other rights such as the right to object to data processing and the right to be informed when data is being collected, how it is being collected, and what it is being used for.
Does the GDPR Apply to US Companies?
In short, yes. The GDPR applies to all US companies except those that have no form of relationship with any data subject in the EU (very unlikely given our highly connected digital world). The GDPR has a very wide scope, and any US company that is processing or controlling the personal data of EU data subjects falls within it.
The question of how the GDPR applies to US companies, however, can be rather complicated, particularly when it comes to collecting and/or controlling personal data belonging to individuals who are located both within and outside the EU, or to cloud environments that are based within the EU but otherwise supported in the US.
Despite how complicated it may be, compliance is still mandatory, and US companies need to act as soon as possible to ensure they meet it. While they were initially slow on the uptake, a PwC survey found that over half of all US multinationals now take their GDPR compliance obligations seriously and rank GDPR compliance as their top data-protection priority.
GDPR Compliance Tips for US Companies
Unfortunately, there are still many US companies, particularly small ones, that are not taking any action, and this could be catastrophic for them. One of the reasons GDPR compliance is so important for US companies is that the penalties for non-compliance can be huge; companies simply cannot afford to ignore it.
With that in mind, here are the three GDPR compliance tips that we think are the most important. Note, however, that this is not an exhaustive list, and that compliance obligations, and the work and processes required to meet them, vary between organizations.
1. Be Open and Transparent
The GDPR places a huge emphasis on transparency. You need to tell data subjects:
- What data you’re collecting;
- Why you’re collecting it;
- Its source;
- How you store and process it;
- Who can access it; and
- How and when you dispose of it or transfer/disclose it to other parties.
Of course, you can’t tell data subjects this information if you don’t know it yourself. The first thing you should do, therefore, is put in place a process or system to find it out (for example, by creating a data map) so that you can be certain you haven’t missed anything.
You also need a legal basis for anything that you collect. Under the GDPR, there are six lawful bases for processing personal data, including the data subject’s consent and the necessity of complying with a legal obligation to which your company is subject.
2. Protect the Data That You Collect
On the subject of data protection, the GDPR advises that you should secure personal data by taking the following steps:
- Minimize the amount of data collected;
- Have a documented process for disposing of data; and
- Encrypt, pseudonymize, or anonymize data.
You also need to ensure that employees are properly trained in handling any data relevant to their job roles, and that they secure their own email accounts, laptops, logins, and so on with strong passwords. Most companies use a security policy to convey this information.
If you do have a data breach, it must be reported to the appropriate supervisory authority within 72 hours of becoming aware of it. This is typically handled by a designated person within the organization.
3. Provide Access to Data Subjects
At the heart of the GDPR is the principle that data subjects should be given free and unfettered access to their personal data. To that end, data subjects should be able to easily:
- Request and retrieve their personal data;
- Correct or update inaccurate data;
- Ask you to delete their data;
- Ask you to stop collecting their data;
- Ask you to never collect their data in the first place; and
- Get a copy of the data you hold in an accessible and transferable file.
The GDPR does not dictate how you should implement and fulfill all of this, however, so you do have some room to maneuver and to integrate compliance with your current processes and with your website and/or applications as a whole. By following these steps, along with the steps in GDPR.eu’s GDPR compliance checklist, you can reduce the risk of scrutiny and potential financial penalties from the EU authorities.