Navigating GDPR for US Businesses: Common Questions and Expert Answers

The EU’s General Data Protection Regulation (GDPR) is a European law, but if your business handles the personal data of people in the EU, it affects you. That tends to raise questions among our US clients, so in this post we have put together the most frequent ones, with our answers.

Does GDPR apply to businesses in the United States?

It does if your business processes the personal data of individuals in the European Union, in practice when you offer goods or services to them (paid or free) or monitor their behaviour, for example through website analytics or ad tracking. ‘Processing’ is broad: collecting, recording, storing, using, sharing or deleting personal data all count, not only marketing or transactional use.

It’s important to note that GDPR (and the UK GDPR, which applies separately since Brexit) protect people according to where they are, not their citizenship. A US citizen living in London, Berlin or Paris is protected; a French citizen living in Texas generally is not.

What constitutes ‘personal data’ under GDPR?

We tend to think of the obvious identifiers (name, email address, phone number) as personal data, and they are, but the definition is much broader.

It includes online identifiers such as an IP address, a cookie ID or a mobile advertising ID, as well as location data. Information that is not personal in isolation becomes personal when it can be combined with other data to identify someone, and pseudonymised data (hashed emails, internal customer numbers) is still personal data if you hold the means to reverse it.

This makes it difficult for US businesses to be confident that their definition of personal data matches that of EU and UK regulators. That’s where a GDPR consultant earns their keep: helping you map where GDPR applies to your data and where it doesn’t.

How can US businesses obtain valid consent under GDPR?

Consent is one of six lawful bases for processing under Article 6 of GDPR (the others include performance of a contract, a legal obligation and legitimate interests). You do not always need consent, but when you rely on it, it must be valid.

What constitutes ‘valid’ is another potential minefield, and another reason to seek out the GDPR services of a consultant who can check that you meet the requirements.

To be valid, consent must be freely given, specific, informed and unambiguous, and given by a statement or a clear affirmative action: silence, inactivity or a pre-ticked box does not count.

In short, it should be clear what individuals are consenting to, and consent cannot be ‘bundled’ with other things in a way that effectively traps the data subject. You cannot, for example, require a data subject to consent to sharing their data with every company in your group before they can reach the checkout page: that sharing is not necessary for the purchase, so consent extracted that way is not freely given.

Additionally, data subjects must be able to withdraw their consent at any time, and withdrawing must be as easy as giving it. You must also be able to demonstrate that consent was obtained, so keep a record of who consented, to what, when, and which privacy notice they saw.
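The consent properties above translate directly into how consent should be stored. The following is an added example, not code from the original post: a minimal per-purpose consent ledger in which each record covers exactly one purpose (specific), stores the notice version the person saw (informed), is only created on an explicit affirmative action (unambiguous), is never tied to an unrelated service such as checkout (freely given), and can be withdrawn with a single unconditional call. Purpose names, subject IDs and notice versions are illustrative assumptions.

```python
"""Per-purpose consent ledger (added example; names are assumptions)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    purpose: str                       # exactly one purpose per record, never a bundle
    notice_version: str                # privacy notice shown when consent was given
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    def grant(self, subject_id: str, purpose: str, notice_version: str,
              affirmative_action: bool, now: Optional[datetime] = None) -> ConsentRecord:
        """Record consent for ONE purpose; silence or a pre-ticked box is rejected."""
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action")
        rec = ConsentRecord(purpose, notice_version, now or datetime.now(timezone.utc))
        self._records[(subject_id, purpose)] = rec
        return rec

    def grant_from_form(self, subject_id: str, notice_version: str,
                        checkboxes: dict, now: Optional[datetime] = None) -> list:
        """One unticked-by-default checkbox per purpose; ticking one implies nothing about the others."""
        granted = []
        for purpose, ticked in checkboxes.items():
            if ticked:
                self.grant(subject_id, purpose, notice_version, True, now)
                granted.append(purpose)
        return granted

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> bool:
        """Withdrawal is a single unconditional call: as easy as granting."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = now or datetime.now(timezone.utc)
        return True

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Gate for any processing that relies on consent as its lawful basis."""
        rec = self._records.get((subject_id, purpose))
        return rec is not None and rec.active

    def evidence(self, subject_id: str, purpose: str) -> Optional[dict]:
        """What you would show a regulator: when, under which notice, and whether withdrawn."""
        rec = self._records.get((subject_id, purpose))
        if rec is None:
            return None
        return {"purpose": rec.purpose, "notice_version": rec.notice_version,
                "granted_at": rec.granted_at.isoformat(),
                "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None}


def demo() -> dict:
    """Walk a constructed subject through a consent form, an unrelated-purpose check and withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    # Constructed form submission: marketing ticked, group sharing left unticked.
    granted = ledger.grant_from_form("user-42", "notice-v3",
                                     {"marketing_email": True, "group_company_sharing": False}, now=t0)
    out = {
        "granted": granted,
        "marketing_ok": ledger.has_consent("user-42", "marketing_email"),
        "group_sharing_ok": ledger.has_consent("user-42", "group_company_sharing"),
    }
    try:  # a pre-ticked analytics box submitted without user action must be refused
        ledger.grant("user-42", "analytics", "notice-v3", affirmative_action=False)
        out["preticked_accepted"] = True
    except ValueError:
        out["preticked_accepted"] = False
    out["withdrawn"] = ledger.withdraw("user-42", "marketing_email", now=t0.replace(day=16))
    out["marketing_after_withdrawal"] = ledger.has_consent("user-42", "marketing_email")
    out["evidence"] = ledger.evidence("user-42", "marketing_email")
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the checkout path never consults the ledger: a purchase is processed on the basis of the contract, so marketing or group-sharing consent must not gate it. Withdrawn records are kept (with their withdrawal time) rather than deleted, because you still need to prove that processing before that date was lawful.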

What are the potential consequences of non-compliance with GDPR for US businesses?

Meta’s €1.2 billion (about $1.3 billion) fine in May 2023, the largest GDPR penalty to date, grabbed the headlines, but many smaller businesses, US ones included, have been fined too. For the most serious violations, penalties can reach €20 million or 4% of global annual turnover for the preceding financial year, whichever is higher.

Lower-tier infringements, for example of the security or record-keeping obligations, can attract fines of up to €10 million or 2% of global annual turnover, again whichever is higher.

What considerations affect US businesses regarding international data transfers under GDPR?

Data transfers get specific treatment under GDPR. You can transfer personal data freely only to countries the European Commission has recognised as providing ‘adequate’ protection. Elsewhere you need an appropriate safeguard such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), and since the Schrems II judgment you are also expected to assess whether the destination country’s law undermines that safeguard (a transfer impact assessment) and to add supplementary measures, such as encryption with keys held in the EU, where it does.

Until recently, that was the position for the US, which had no adequacy decision after the Privacy Shield was struck down in 2020. That changed on 10 July 2023, when the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework; the UK followed with its own extension to the framework in October 2023.

The adequacy decision covers only organizations that self-certify to the Data Privacy Framework (DPF) with the US Department of Commerce, so to benefit you must join that list. There are several steps US companies need to take to do so.

These include publishing a DPF-compliant privacy notice, appointing a contact point for DPF compliance, signing up to an independent recourse mechanism for complaints, and putting in place the resources and processes to keep transferred data secure.

This is an improvement on the often costly SCC route, but the DPF process is not simple, and certification must be renewed annually. Once again, a GDPR consultancy can help you meet the requirements.

How does GDPR affect US businesses’ data security practices?

In many ways, complying with GDPR means having the data security measures in place that you and your customers would probably want anyway.

Wherever you are located, Article 32 requires ‘appropriate technical and organisational measures to ensure a level of security appropriate to the risk’. It names pseudonymisation and encryption, the ability to restore availability after an incident, and regular testing of those measures; in practice that means encryption at rest and in transit, access control, regular security assessments and an incident response plan. Article 33 adds a duty to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, so the plan needs a tested path from detection to notification.

GDPR support services can give you assurance that the measures you are implementing are appropriate and effective.

What steps should US businesses take regarding data retention and deletion policies under GDPR?

One advantage of GDPR compliance is that the measures it requires also help you meet the growing body of US state privacy law and good data protection practice generally.

Data retention is one example. Under the storage limitation principle, personal data may be kept only for as long as necessary for the purposes it was collected for. That means defining a retention period for each purpose, deleting or anonymising data once it passes, and making sure deletion reaches backups and replicas as well as the primary store.
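The following is an added example, not code from the original post, of what enforcing such a policy looks like: each record carries the purpose it was collected for, a retention period is defined per purpose, and a scheduled job deletes whatever has passed its period unless a legal hold applies. Records whose purpose has no defined period are not silently kept; they are reported for review. The purposes, periods and sample records are constructed assumptions, not legal guidance.

```python
"""Retention-policy enforcement (added example; purposes and periods are assumptions)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Retention period per processing purpose. Illustrative values only: the real
# figures come from your record of processing activities and any statutory
# obligations (accounting law often requires keeping order records for years).
RETENTION_PERIODS = {
    "order_fulfilment": timedelta(days=6 * 365),
    "marketing_email": timedelta(days=2 * 365),
    "support_ticket": timedelta(days=365),
}


@dataclass
class Record:
    record_id: str
    subject_id: str
    purpose: str
    purpose_ended_at: datetime          # the retention clock starts when the purpose is served
    legal_hold: bool = False            # litigation or regulatory hold blocks routine deletion


@dataclass
class PurgeReport:
    deleted: list = field(default_factory=list)
    retained: list = field(default_factory=list)
    held: list = field(default_factory=list)
    needs_review: list = field(default_factory=list)   # purpose has no retention rule


def purge_expired(store: dict, now: datetime, periods: dict = RETENTION_PERIODS) -> PurgeReport:
    """Delete expired records from `store` in place and report what happened to each."""
    report = PurgeReport()
    for rid, rec in list(store.items()):
        period = periods.get(rec.purpose)
        if period is None:
            report.needs_review.append(rid)       # fail loud rather than "keep forever"
            continue
        if now - rec.purpose_ended_at <= period:
            report.retained.append(rid)
            continue
        if rec.legal_hold:
            report.held.append(rid)
            continue
        del store[rid]                            # in production also queue backup/replica deletion
        report.deleted.append(rid)
    return report


def sample_store() -> dict:
    """Constructed sample data: two orders, two marketing records, one unclassified record."""
    utc = timezone.utc
    return {
        "o-1": Record("o-1", "user-42", "order_fulfilment", datetime(2017, 3, 1, tzinfo=utc)),
        "o-2": Record("o-2", "user-42", "order_fulfilment", datetime(2023, 3, 1, tzinfo=utc)),
        "m-1": Record("m-1", "user-42", "marketing_email", datetime(2021, 6, 1, tzinfo=utc)),
        "m-2": Record("m-2", "user-7", "marketing_email", datetime(2021, 6, 1, tzinfo=utc), legal_hold=True),
        "x-1": Record("x-1", "user-7", "fraud_score", datetime(2020, 1, 1, tzinfo=utc)),
    }


def run(now: datetime = datetime(2024, 6, 1, tzinfo=timezone.utc)):
    """Run the purge over the sample store; returns the report and the surviving record IDs."""
    store = sample_store()
    report = purge_expired(store, now)
    return report, sorted(store)


if __name__ == "__main__":
    rep, remaining = run()
    print(rep)
    print("remaining:", remaining)
```

Two design points matter more than the loop itself. First, the clock starts when the purpose ends (order closed, ticket resolved), not when the data was collected, otherwise data you still need gets deleted. Second, ‘securely deleting’ means the deletion must propagate: either delete from every copy on a known schedule, or encrypt each subject’s data under its own key and destroy the key, which renders stale backups unreadable without having to rewrite them.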

A GDPR consultant can help ensure that your data retention and deletion practices are compliant and help protect your organization as well as data subjects.

Respecting customers’ rights

It’s easy for GDPR considerations to become centered on process and compliance, but it remains important to remember the real reason GDPR exists. By complying with GDPR, you help to protect the data of your customers. And in doing that, you help to build a trusted reputation for data security and responsibility that can help enhance customer loyalty and reduce business and reputational risk.

Explore how our GDPR services can support you now, get data protection advice or, for questions about your next steps, reach us at [email protected] or on our LinkedIn page.