GDPR compliance checklist for US companies
The EU General Data Protection Regulation also requires companies outside the European Union to safeguard personal data. This GDPR compliance checklist covers tips specifically for US companies.
The GDPR is a European Union data privacy law that requires organizations to keep data safe, while also giving people more control over how their data are used. The law also includes the threat of large fines for non-compliance, which can reach 4% of global revenue or €20 million, depending on the severity and circumstances of the violation.
We have already provided a general compliance checklist that applies to all organizations. This GDPR compliance checklist for US companies broadly touches those issues but also focuses on some of the requirements unique to American organizations. We recommend US companies to consider both lists.
Why US companies must comply with the GDPR
The GDPR applies to companies outside the EU because it is extra-territorial in scope. Specifically, the law is designed not so much to regulate businesses as it is to protect the data subjects’ rights. A “data subject” is any person in the EU, including citizens, residents, and even, perhaps, visitors.
What this means in practice is that if you collect any personal data of people in the EU, you are required to comply with the GDPR. The data could be in the form of email addresses in a marketing list or the IP addresses of those who visit your website. (See our article explaining what is considered personal data under the GDPR.)
You may be wondering how the European Union will enforce a law in territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses this question directly. So far, the EU’s reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis.
GDPR compliance checklist for US companies
- Conduct an information audit for EU personal data
Confirm that your organization needs to comply with the GDPR. First, determine what personal data you process and whether any of it belongs to people in the EU. If you do process such data, determine whether “the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.” Recital 23 can help you clarify whether your activities qualify as subject to the GDPR. If you are subject to the GDPR, continue to the next steps.
- Inform your customers why you’re processing their data
Consent is only one of the legal bases that can justify your use of other people’s personal data. You can find the other “lawfulness of processing” justifications in GDPR Article 6. If you choose to process data on the basis of consent, however, there are extra duties involved. Finally, Article 12 requires you to provide clear and transparent information about your activities to your data subjects. This likely will mean updating your privacy policy.
- Assess your data processing activities and improve protection
A data protection impact assessment will help you understand the risks to the security and privacy of the data you process and decide ways to mitigate those risks. Next, begin implementing data security practices, such as using end-to-end encryption and organizational safeguards, to limit your exposure to data breaches. When beginning new projects, you must follow the principle of “data protection by design and by default.”
- Make sure you have a data processing agreement with your vendors
You, as the data controller, will be held partly accountable for your third-party clients if they violate their GDPR obligations. So it’s important to have a data processing agreement that establishes the rights and responsibilities of each party. This includes your email vendor, cloud storage provider, and any other subcontractor that handles personal data. You can find a data processing agreement template here.
- Appoint a data protection officer (if necessary)
Many organizations (especially larger ones) are required to designate a data protection officer. The GDPR specifies some of the qualifications, duties and characteristics of this management-level position.
- Designate a representative in the European Union
Article 27 specifies which non-EU organizations are required to appoint a representative based in one of the EU member states. Recital 80 providers further details about this role.
- Know what to do if there is a data breach
Articles 33 and 34 lay out your duties in the event personal data is exposed, whether through a hack or any other kind of data breach. The use of strong encryption can mitigate your exposure to fines and reduce your notification obligations if there’s a data breach.
- Comply with cross-border transfer laws (if applicable)
As with previous EU regulations on the transfer of personal data to non-EU countries, GDPR Article 45 retains tough requirements for organizations wishing to do so. You may be required to self-certify under the Privacy Shield Framework.
By following these steps, along with the steps in our GDPR compliance checklist, you can help avoid drawing scrutiny from EU regulatory authorities. The information on this website provides many of the tools you will need, from the full text of the GDPR to several forms and templates.