US Companies and GDPR
Why US companies must comply with the GDPR
The GDPR applies to companies outside the EU because it is extra-territorial in scope. Specifically, the law is designed not so much to regulate businesses as it is to protect the data subjects’ rights. A “data subject” is any person in the EU, including citizens, residents, and even, perhaps, visitors.
What this means in practice is that if you collect any personal data of people in the EU, you are required to comply with the GDPR. The data could be in the form of email addresses in a marketing list or the IP addresses of those who visit your website.
You may be wondering how the European Union will enforce a law in territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses this question directly. So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis.
GDPR compliance checklist for US companies
- Conduct an information audit for EU personal data
Confirm that your organization needs to comply with the GDPR. First, determine what personal data you process and whether any of it belongs to people in the EU. If you do process such data, determine whether “the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.” Recital 23 can help you clarify whether your activities qualify as subject to the GDPR. If you are subject to the GDPR, continue to the next steps.
- Inform your customers why you’re processing their data
- Assess your data processing activities and improve protection
A data protection impact assessment will help you understand the risks to the security and privacy of the data you process and decide ways to mitigate those risks. Next, begin implementing data security practices, such as using end-to-end encryption and organizational safeguards, to limit your exposure to data breaches. When beginning new projects, you must follow the principle of “data protection by design and by default.”
- Make sure you have a data processing agreement with your vendors
You, as the data controller, will be held partly accountable for your third-party clients if they violate their GDPR obligations. So it’s important to have a data processing agreement that establishes the rights and responsibilities of each party. This includes your email vendor, cloud storage provider, and any other subcontractor that handles personal data.
- Appoint a data protection officer (if necessary)
Many organizations (especially larger ones) are required to designate a data protection officer . The GDPR specifies some of the qualifications, duties and characteristics of this management-level position.
- Designate a representative in the European Union
Article 27 specifies which non-EU organizations are required to appoint a representative based in one of the EU member states. Recital 80 providers further details about this role.
- Know what to do if there is a data breach
Articles 33 and 34 lay out your duties in the event personal data is exposed, whether through a hack or any other kind of data breach. The use of strong encryption can mitigate your exposure to fines and reduce your notification obligations if there’s a data breach.
- Comply with cross-border transfer laws (if applicable)
As with previous EU regulations on the transfer of personal data to non-EU countries, GDPR Article 45 retains tough requirements for organizations wishing to do so. You may be required to self-certify under the Privacy Shield Framework.
By following these steps, along with the steps in our GDPR compliance checklist, you can help avoid drawing scrutiny from EU regulatory authorities.
Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
Zlatko, Adam, Hristina, Marin.
As your Article 27 Representative we will always help if you receive a SAR, RTE, or other data prot
We have said this previously but we are still seeing a huge number of Subject Access Requests [
Summary: The Right to Be Forgotten is one of the fundamental rights defined in GDPR. Also