Why do US businesses need to comply with the EU-driven GDPR? What’s the effect of GDPR Article 27 on your business? And how do you comply with it?
The General Data Protection Regulation (GDPR) is a piece of European legislation. Yet unlike most laws passed in Europe, this one (probably) affects you. In fact, it has the potential to affect everyone, everywhere.
That’s because of Article 3 of GDPR, which gives the regulation trans-territorial effect. If, in the delivery of your business’ goods or services, you process the personal data of EU residents to anything more than a minimal degree, then you are bound by GDPR. And if you are bound by the GDPR, then you and every other US business in a similar position will also be bound by GDPR Article 27.
The issue with any law that has global reach is ensuring that law has teeth. How can a law defined in Strasbourg influence the actions of a company in San Diego, Seattle or South Bend? What’s to stop any US business from doing whatever it likes with the personal data of EU citizens, especially if it doesn’t have a physical presence within the EU?
The answer is GDPR Article 27, which requires any business located outside the EU whose data processing activities fall within the scope of GDPR to appoint an EU representative within one of the EU member states in which it collects data.
This GDPR EU representative (who can be an individual or an organization) serves as a point of contact between the business, EU data subjects and supervisory authorities. If there’s a data breach or another issue that the regulators need to address, they deal with the GDPR rep and the rep deals with you.
Does Article 27 apply to your business? If your business falls within the scope of GDPR (see below), yes. Failure to comply with any part of the GDPR could result in eye-watering fines of up to €20 million (just over $22m at time of writing) or 4% of global turnover, whichever is higher. Already, major US organizations including Meta, Google and Amazon have been hit with enormous sanctions. Meta alone was fined $1.3 billion.
Fortunately, it’s not difficult to comply with the GDPR when you follow these simple steps.
1. Determine if your business falls under the scope of GDPR
To recap, your organization falls within the scope of GDPR if, in the process of offering goods or services, it processes the personal data of people within the EU. It doesn’t matter whether you have received payment from the data subject for the goods, nor does the nationality of the individual matter. A US national living in Paris is caught by GDPR in exactly the same way as a Parisian native.
You also fall within the scope of GDPR if the data you process relates to monitoring the behavior of individuals (rather than offering goods or services), where that behavior takes place in the EU.
The only exception here is where the data processing is occasional and minimal.
2. Appoint an EU GDPR representative
It’s important to appoint the right European representative for GDPR. That’s because your GDPR rep won’t simply ‘tick the box’ of compliance. You’ll need them to play an active role in protecting the European operations of your business.
In addition to being your point-person on the ground in the EU for contact with data subjects and authorities, the representative will help you keep records of your business’ data processing activities. They will help you manage the day-to-day challenges of compliance, and they will alert you to any impending changes so that you stay compliant.
3. Bring your GDPR rep up to speed
Give your EU representative for GDPR Article 27 a thorough understanding of your organization, its work and its data processing activities so they can carry out their role effectively.
4. Maintain comprehensive records
Your EU GDPR representative will help you document your data processing activities, including purposes, categories of data, data subject rights and data transfers, so you can make them available to supervisory authorities upon request.
5. Stay up to date with GDPR developments
Data protection law is still in its infancy. As new technologies like AI use data in new ways, its evolution is inevitable. That means it’s vital to have someone able to help you understand what those changes are and what they mean for your business. From an EU perspective, your GDPR rep will help do that.
No matter what else you do and no matter how in-depth your data protection measures are, if you fall under the scope of the EU GDPR (see step 1 above) and haven’t yet appointed a GDPR EU representative, you’re not compliant.
You can put that right, right now.
Find the right EU GDPR consultant for you now, get data protection advice or, for questions about your next steps, call us on +1 303 317 5998.