In May of 2018, the European Union enacted one of the world’s strictest sets of rules for personal data protection. The formal name of this legislation is the General Data Protection Regulation, but it is more commonly known as the GDPR.
The GDPR regulates all personal data, which is defined as any information that can identify a living individual, or “data subject.” Affected companies must comply with data subjects’ wishes on how their personal data is processed, as well as keep records of how this processing occurs.
This article answers the question: does the GDPR apply to US companies? Additionally, it covers the compliance requirements and specifics of GDPR enforcement that every US-based company should know:
- The EU versus the US: Applications of the GDPR and Related Laws
- What are the Most Important GDPR Requirements for US Companies?
- How Does GDPR Enforcement Affect US Companies?
The scope for personal data under this definition is significantly broader than most US compliance standards, which tend to only protect data that can be used to commit fraud. In addition to names and government ID numbers, the GDPR also protects information that can connect back to a person’s “physical, physiological, genetic, mental, economic, cultural or social identity.”
Geographic application of the GDPR is subject-specific, meaning that although the location of the data subject is considered in the regulations, the location of the company collecting the data is not. This means that companies need to comply with the GDPR if they collect data from people who reside in the EU.
The language of the GDPR specifically refers to “data subjects who are in the Union.” If an EU citizen is living in the US, the GDPR does not apply. This is an important distinction to take into account if all or nearly all of a company’s business takes place in brick-and-mortar locations on US soil.
That category encompasses more organizations than you might think. According to the research group Clutch.co, 36% of small businesses don’t have a website of any kind. As a result, it is much easier for these companies to determine whether they’re doing business with EU residents.
The GDPR only protects EU citizens if those citizens are living in the EU, but it also safeguards the information of any non-EU citizen living in the region. If a data subject is a US citizen living in an EU country when a company collects their information, the GDPR will apply to that data.
Many internet privacy regulations in the US offer similar protections. The California Privacy Protection Act (CalOPPA) and California Consumer Privacy Act (CCPA) control the collection of “personally identifiable information” from any person residing in the state of California. That includes any California residents who are EU citizens.
Likewise, the Children’s Online Privacy Protection Act (COPPA) regulates the collection, use and distribution of data belonging to any children under the age of 13 in the US. This applies to all children, regardless of their citizenship, so long as they are in the US when their information is collected.
CalOPPA, CCPA, and COPPA are three homegrown examples of how world legislative bodies protect their citizens. The GDPR works similarly.
Technically, the GDPR applies to all organizations, public and private, across the world. Practically speaking, however, only some US government agencies are likely to be affected. The GDPR controls the processing activities surrounding personal data only if that processing serves one of two purposes:
- Offering goods or services
- Monitoring subject behavior as it occurs within the European Union
Some federal agencies, including the Department of Homeland Security and the State Department, may have reason to collect personal data from EU citizens and use it to monitor behavior. However, most other government agencies, including those that collect data related to EU citizens’ business interests, are unlikely to be affected.
Non-governmental public agencies, meanwhile, may be in a different position. For instance, if a state tourism board collected data for the purpose of marketing themselves to EU citizens, or if a state college collected information about a potential student, the GDPR would apply.
The GDPR recognizes that some non-EU companies do business with EU citizens only on an incidental basis.
According to Recital 23, foreign companies are only required to comply with the Regulation if they target people living in the EU.
The general rule of thumb is this: if your company has an online presence but only advertises its products in English and lists its prices in US dollars, the European Commission would most likely assume that you are not targeting EU citizens and that you are thus not required to abide by the GDPR.
That said, you may be held liable if any of the following conditions are true:
- The rights and freedoms of data subjects may be at risk
- You process these subjects’ data regularly
- You process information related to special data categories including health status, racial or ethnic origins, sexual orientation or religious beliefs
The GDPR also applies when a company targets EU residents with its marketing. If you have a localized website in the language of an EU member state and/or list prices in euros, you would be assumed to be targeting EU citizens and would thus be subject to the GDPR.
The GDPR is a very detailed and comprehensive piece of legislation. Here’s what it means to be compliant.
Data breach notifications must be issued when a security breach leads to the accidental or unlawful disclosure, loss or alteration of personal data. Notifications are mandatory any time there is a potential risk to the rights and freedoms of data subjects, meaning that the risk could lead to negative consequences. If a company determines that there is no such risk, that position must be supported by credible evidence.
If a data breach puts individuals’ personal rights and freedoms at risk and you are unable to contain those risks, all affected individuals must be notified.
Data processors that experience breaches must notify the relevant data controller. For instance, if you are a processor for a retail clothing firm, data privacy law mandates that you contact that firm as soon as a breach affects it.
You must also notify data protection authorities. If the breach affects people across multiple localities, you’ll need to notify the authority with the broadest jurisdiction.
Notifications should be sent as soon as possible. The legal deadline is 72 hours after you become aware of the breach.
Article 35 of the GDPR requires all companies to conduct impact assessments to evaluate potential data risk. There are four basic components to a data protection impact assessment:
- A description of processing operations
- An explanation of why the processing is taking place and why it is necessary
- A description of the measures being taken to mitigate risk and protect users’ privacy
- An account detailing risk versus benefit
The GDPR does not provide a specific structure for these assessments, but it does specify that data collection and processing must always “serve mankind,” indicating that the focus should be their benefit to data subjects.
Under the GDPR, companies must receive explicit consent in order to process personal data. A data subject must therefore agree not only to allow you to collect and store their data but also to have their data used in the way that you intend.
Data subjects have the right to withdraw consent for any purpose. If a customer decides that they no longer want to receive the targeted ads that you create using their data, you are required to remove the customer from your system.
The GDPR lists eight data subject rights that companies have an obligation to uphold. They are:
- The right to information about what happens to personal data
- The right to a copy of collected data and any supplementary information for context
- The right to have inaccurate data corrected
- The right to have personal data erased (under certain circumstances)
- The right to limit how data is used
- The right to receive a report of what data has been collected
- The right to order that data processing cease
- The right not to be subject to decisions made based on automated data processing
The European Commission recommends that every affected company have a data protection officer (DPO) on staff. You are required to have a DPO if any of the following conditions apply:
- You are a public authority that processes data protected by the GDPR
- Your primary activities include large-scale, systematic monitoring of data
- You process a “special category” of data
A DPO is any staff member who ensures that your company’s data protection strategy complies with the GDPR. To fill this role, you can hire a new staff member or appoint a DPO from within your existing staff. The DPO may have other duties, provided that they still have time to monitor GDPR compliance.
Once you’ve named a DPO, make sure that they have the resources necessary for monitoring GDPR compliance. A comprehensive checklist is ideal.
Also, if you don’t have a physical presence in the EU, you’ll need to appoint a representative in an EU country.
Unlike industry-specific US compliance regulations such as HIPAA for medicine and the GLBA for finance, the GDPR applies no matter where EU citizens’ data is processed or stored. That puts many US companies in the legislation’s purview.
When it comes to any data security regulations, it’s better to be safe than sorry. Make sure your data security policy supports compliance and look into naming a DPO. You’ll be glad you did.
What does the GDPR mean for US companies?
The GDPR regulates the collection and processing of personal data belonging to EU residents, even if the company itself is located in the US.
How does the GDPR affect US-based companies?
US companies must comply with the GDPR if they offer goods or services to EU residents in particular, or if they monitor the behavior of EU residents within the Union.
When is GDPR compliance necessary in the United States?
If a company collects personal data from EU residents for commercial purposes and does so on more than an occasional basis, it must be compliant with the GDPR.
What is personal data, according to GDPR, in the US?
Personal data is any information that can be connected with a person’s individual or social identity. That includes the person’s name, residence, job or religious affiliation.
What happens if US companies don’t follow GDPR?
Any company found to be in breach of the GDPR may be subject to fines of between €10 million and €20 million or up to 4% of the company’s annual revenue.
What organization has the enforcement authority to penalize non-compliant US companies?
The European Commission is the official regulating body for the GDPR. If a company is found to be in violation of these regulations but does not fall under Europe’s jurisdiction, the EC may collaborate with international governments to impose fines and penalties.