
Does GDPR Apply to US Companies?

In May of 2018, the European Union enacted one of the world’s strictest sets of rules for personal data protection. The formal name of this legislation is the General Data Protection Regulation, but it is more commonly known as the GDPR.

The GDPR regulates personal data, which is defined as any information that can identify an individual, called a “data subject.” Affected companies must comply with data subjects’ wishes on how their personal data is processed, as well as keep records of how this processing occurs.

This article answers the question, when and how does the GDPR apply to US companies and US citizens? It covers the act’s core requirements and the specifics of GDPR enforcement that every US-based company should know.

The scope for personal data under this definition is significantly broader than most US compliance standards, which tend to only protect data that can be used to commit fraud. In addition to names and government ID numbers, the GDPR also protects information that can connect back to a person’s “physical, physiological, genetic, mental, economic, cultural or social identity.”

GDPR at a glance

What data does the GDPR protect?

The GDPR is designed to give EU citizens more control over the personal data that organizations collect, process and store about them. The scope of the term “personal data” under the GDPR is significantly broader than most US compliance laws, which tend to only protect data that can be used to commit fraud. In addition to names and government ID numbers, the GDPR also protects information that can connect back to a person’s “physical, physiological, genetic, mental, economic, cultural or social identity,” such as their IP address and browser cookie data.

Does the GDPR apply to EU citizens living in the US?

No. The GDPR specifically refers to “data subjects who are in the Union.” If an EU citizen is living in the US, the GDPR does not apply. This is an important distinction to be considered if all or nearly all of a company’s business takes place in brick-and-mortar locations on US soil.

That category encompasses more organizations than you might think. According to the research group Clutch.co, 36% of small businesses don’t have a website of any kind. As a result, it is much easier for these companies to determine whether they’re doing business with EU residents.

Does the GDPR apply to US citizens?

It can. The GDPR safeguards the information of anyone living in the EU. Therefore, if a US citizen is living in an EU country when a company collects information about that person, the GDPR will apply to that data.

The GDPR does not apply to US citizens living in the US, but there are several federal and state-level privacy regulations in the US that offer some similar protections. In particular, the California Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA) control the collection of “personally identifiable information” from any person residing in the state of California (which includes any California residents who are EU citizens).

Likewise, the Children’s Online Privacy Protection Act (COPPA) regulates the collection, use and distribution of data belonging to any child under the age of 13, regardless of citizenship, so long as they are in the US when their information is collected.

How does GDPR affect US companies?

Unlike industry-specific US compliance regulations like HIPAA for medicine and GLBA for finance, the GDPR is a general data privacy regulation that applies to all organizations, public and private, that store or process the personal data of EU residents. That means many US companies are subject to the regulation.

However, the GDPR recognizes that some non-EU companies do business with EU citizens only on an incidental basis. According to Recital 23, foreign companies are required to comply with the GDPR only if they target EU residents with their marketing. For instance, if you have a localized website in the language of an EU member state and/or list prices in Euros, you would be assumed to be targeting EU citizens and therefore would be subject to the GDPR.

In general, you may be held liable if any of the following conditions are true:

  • You process the data of EU residents regularly.
  • The rights and freedoms of those data subjects may be at risk.
  • You process information related to special data categories, including health status, racial or ethnic origins, sexual orientation, or religious beliefs.

Does the GDPR apply to US government agencies and other public-sector organizations?

Technically, the GDPR applies to all organizations, public and private, across the world. Practically speaking, however, only some US government agencies are likely to

The GDPR controls the processing activities surrounding personal data only if that processing serves one of two purposes:

  • Offering goods or services
  • Monitoring a data subject’s behavior as it occurs within the European Union

Therefore, many public-sector organizations are not subject to the GDPR. Some federal agencies, including the Department of Homeland Security and the State Department, may have reason to collect personal data from EU citizens and use it to monitor behavior. Similarly, if a state tourism board collected data for the purpose of marketing themselves to EU citizens, or if a state college collected information about a prospective student, the GDPR would apply. But most other government agencies, including those that collect data related to EU citizens’ business interests, are unlikely to be subject to the GDPR.

What are the most important GDPR requirements for US companies?

Any organization, in either the private or public sector, that stores or processes personal information about EU residents must comply with the GDPR, even if it does not have a physical presence within the EU. The most important requirements are explained below.

Requirements for controllers and processors

GDPR requirements depend on whether you are acting as a Controller or a Processor:

  • Controllers define the purposes and means of the processing of personal data. They must implement appropriate technical and organizational measures to ensure and demonstrate that processing of personal data is performed in accordance with the GDPR.
  • Processors handle personal data on the documented instructions of a Controller. Processors can be internal groups that maintain and process personal data records, or an outsourcing firm that performs all or part of those activities.

The GDPR holds both Controllers and Processors liable for violations of its provisions. Therefore, it’s possible that both your company and a data processing partner, such as a cloud provider, will be liable for fines and other penalties under the GDPR, even if the fault is entirely on the part of your processing partner.

Requirements for data processing contracts

The GDPR requires that Controllers and Processors enter into a legally binding contract when a Controller engages a Processor to process personal data on its behalf. Controllers are required to use only Processors that provide sufficient guarantees of having appropriate technical and organizational measures in place to comply with the GDPR. These measures should be detailed in the organization’s data security policy.

Article 28 details what must be included in a Data Processing Contract between a data controller and a data processor. First, it must include the following details:

  • The subject matter, duration, nature and purpose of the data processing
  • The type of personal data being processed
  • The categories of data subjects whose personal data is being processed
  • The requirements and rights of the Controller

In addition, the contract must contain the following provisions:

  • The Processor will process personal data received from the Controller only on documented instructions of the Controller (unless required by law to process personal data without such instructions).
  • The Processor ensures that any person processing personal data is subject to a duty of confidentiality.
  • The Processor takes all measures required by Article 32, including implementing appropriate technical and organizational measures to protect personal data received from the Controller.
  • The Processor obtains written authorization for any sub-processors the Processor may engage to process the personal data received from the Controller. If the Controller provides a general written authorization for engaging sub-processors, the Controller must be given the opportunity to object in advance to each individual sub-processor the Processor proposes to engage.
  • Any sub-processors engaged by the Processor are subject to the same data protection requirements as the Processor and that the Processor remains directly liable to the Controller for the performance of a sub-processor’s data protection requirements.
  • The Processor supports the Controller by implementing appropriate technical and organizational measures to respond to requests from data subjects under the GDPR.
  • The Processor supports the Controller to ensure compliance with GDPR requirements for the security of data processing (Article 32), notification of data breaches (Articles 33 and 34) and data protection impact assessments (Articles 35 and 36).
  • At the end of the data processing by the Processor and on the Controller’s instruction, the Processor deletes or returns the personal data received from the Controller.
  • The Processor makes available to the Controller all information necessary to demonstrate compliance with Article 28 and that the Processor allows for and contributes to audits conducted by the Controller or a third party on the Controller’s behalf.

There are other provisions that Controllers and Processors may want to include in a Data Processing Contract on a case-by-case basis but which are not mandatory under the GDPR, such as:

  • Liability provisions (including indemnities)
  • Detailed (technical) security provisions
  • Additional cooperation provisions between the Controller and Processor

Rules for multinational companies

If your US-based company is a part of a multinational company established in the EU and you regularly receive data from your EU counterparts about EU citizens, you are subject to rules that regulate these data transfers between countries. These Binding Corporate Rules (BCRs) are specified in Article 29 and provide a framework for multinational companies to transfer personal data from the European Economic Area (EEA) to their affiliates located outside of the EEA in legal compliance with the 8th data protection principle and Article 25 of Directive 95/46/EC.

Rules for data breach notification

Data breach notifications must be issued when a security breach leads to the accidental or unlawful disclosure, loss or alteration of personal data. The GDPR data privacy law mandates that if a data breach puts individuals’ personal rights and freedoms at risk and you are unable to contain those risks, all affected individuals must be notified. If a company determines that there is no such risk, that position must be supported by credible evidence. Data processors that experience breaches must also notify the relevant data controller. You must also notify data protection authorities; if the breach affects people across multiple localities, you’ll need to notify the authority with the broadest jurisdiction. A regulator is not going to say that you shouldn’t have had a breach. They are going to say you should have the policies, procedures, and response structure in place to solve for that quickly.

Although the legal deadline to report a breach is 72 hours, do not wait until the last hour to do it; make a report as soon as you become aware of a breach, and advise the regulator that you are putting your response process in place and that you will provide updates.

Requirement for data protection impact assessments

Article 35 of the GDPR requires all companies to conduct data protection impact assessments (DPIAs) to evaluate potential data risk and to demonstrate how the data flows through the organization. There are four basic components to a data protection impact assessment:

  • A description of processing operations
  • An explanation of why the processing is taking place and why it is necessary
  • A description of the measures being taken to mitigate risk and protect users’ privacy
  • An account detailing risk versus benefit

The GDPR does not provide a specific structure for these assessments, but it does specify that data collection and processing must always “serve mankind,” indicating that the focus should be their benefit to data subjects.

Consent for data processing

Under the GDPR, companies must receive explicit consent in order to process personal data: Each data subject must agree not only to allow you to collect and store their data, but also to have their data used in the way that you intend.

Data subjects have the right to withdraw consent for any purpose. If a customer decides that they no longer want to receive the targeted ads that you create using their data, you are required to remove the customer from your system.

Protection of data subject rights

The GDPR lists eight data subject rights that companies have an obligation to uphold. They are:

Furthermore, companies must make it convenient for data subjects to exercise these rights. For example, companies may choose to issue a privacy policy and require customers to check an “agree” box. These procedures should be outlined in your privacy statement, which should be updated regularly (good version control is a prudent way of demonstrating compliance).

Appointment of personnel

The European Commission recommends that every affected company have a data protection officer (DPO) on staff. You are required to have a DPO if any of the following conditions apply:

  • You are a public authority that processes data protected by the GDPR.
  • Your primary activities include large-scale, systematic monitoring of data.
  • You process a special category of data, such as health status, racial or ethnic origins, sexual orientation, or religious beliefs.

Even when the GDPR does not specifically require the appointment of a DPO, organizations may sometimes find it useful to designate a DPO on a voluntary basis. The DPO is a cornerstone of accountability, and appointing one can demonstrate and facilitate compliance, giving businesses a competitive advantage by demonstrating how ethical the organization is. The Article 29 Data Protection Working Party (‘WP29’) encourages these voluntary efforts. (This group includes representatives from the data protection authorities of each EU member state and issues guidelines for complying with the requirements of the GDPR, such as appointment of DPOs.)

A DPO can be any staff member who ensures that your company’s data protection strategy complies with the GDPR. If you don’t have a physical presence in the EU, you’ll need to appoint a representative in an EU country. The DPO may have other duties, provided that they still have time to monitor GDPR compliance.

Once you’ve named a DPO or hired someone new to fill the role, make sure they know what they need to do and have the resources necessary to do it. A comprehensive checklist is ideal. In addition to tasks like facilitating DPIAs and carrying out audits, DPOs act as intermediaries between stakeholders, such as supervisory authorities, data subjects, and business units within an organization.

Note that DPOs are not personally responsible in the case of non-compliance with the GDPR. Article 24 makes it clear that it is the Controller or Processor who is required to ensure and to be able to demonstrate that the processing is performed in accordance with GDPR provisions.

Afterward: Tips for becoming GDPR compliant

The best way to achieve GDPR compliance is to take a top-down approach, thinking about the key goals and then determining which technical controls to choose to achieve those goals. There are three key things to keep in mind when you’re looking to ensure the security of regulated data:

Security risk management

The GDPR emphasizes a risk-based approach to data protection and the security of your processing systems and services. You must identify and assess your risks, and then take appropriate measures to manage them based upon factors such as:

  • The technology available
  • The cost of implementing tools and processes
  • The nature, scope, context and purpose of processing
  • The severity and likelihood of the risks
  • The personal data you process
  • The systems that process that data

Where data processing is likely to result in a high risk to the rights and freedoms of individuals, you must undertake a DPIA to establish the impact of the intended processing on the protection of personal data and identify the technical and organisational measures necessary to mitigate risk. If those measures do not reduce the risk to an acceptable level, you need to consult with your data regulatory authority before you start the processing.

Governance

You also need to put appropriate data protection and information security policies and processes in place. Ensure that you maintain records of processing activities and, if required, appoint a Data Protection Officer.

Staff awareness and training

Help your staff to manage personal data securely by providing relevant awareness education as well as training in the proper use of your systems and tools. For instance, staff must be competent so that they do not inadvertently process personal data (e.g., by sending it to the incorrect recipient).

F.A.Q.

What does the GDPR mean for US companies?

The GDPR regulates the collection and processing of personal data belonging to EU residents, even if the company itself is located in the US.

How does the GDPR affect US-based companies?

US companies must comply with the GDPR if they offer goods or services to EU residents in particular, or if they monitor the behavior of EU residents within the Union.

When is GDPR compliance necessary in the United States?

If a company collects personal data from EU residents for commercial purposes and does so on more than an occasional basis, they must be compliant with the GDPR.

What is personal data, according to GDPR, in the US?

Personal data is any information that can be connected with a person’s individual or social identity. That includes the person’s name, residence, job or religious affiliation.

What happens if US companies don’t follow GDPR?

Any company found to be in breach of the GDPR may be subject to fines of between €10 million and €20 million or up to 4% of the company’s annual revenue.

What organization has the enforcement authority to penalize non-compliant US companies?

The European Commission is the official regulating body for the GDPR. If a company is found to be in violation of these regulations but does not fall under Europe’s jurisdiction, the EC may collaborate with international governments to impose fines and penalties.