GDPR Compliance for US Companies
What is GDPR?
The General Data Protection Regulation (GDPR) was introduced into EU law on May 25th 2018. The regulation was designed to give individuals in the EU control over their data by changing how the data can be collected, used, and stored by those who handle the information. GDPR has been cited as the biggest change to EU personal data laws since 1995. While the regulation ostensibly applies only to companies within the EU, any organisation that handles data collected within the EU falls within the reach of GDPR, regardless of where its headquarters is located.
It is important to note that the GDPR applies to people within the EU, but not necessarily to EU citizens. If an Irish person were travelling in the US and had their data collected there, then this exchange is not covered by GDPR. However, if a US citizen were travelling in Ireland and had their data collected in Ireland, then this exchange would be covered by GDPR. It is the location of the individual when the data is collected that is important, not their nationality or citizenship.
In this global society, a great many foreign companies deal with EU citizens without having any headquarters in an EU country. Many of these companies are based in the United States. These organisations, which include public agencies, governments, and businesses of all sizes, are therefore required to change their business practices if they still want to deal with customers inside the EU.
Although the United Kingdom is set to leave the EU following its 2016 referendum, GDPR was introduced into its law in May 2018 along with the other member states. GDPR standards have already been incorporated into UK law, and they will remain part of the law even when the UK is no longer in the EU.
Previous transatlantic data exchanges between the US and the EU were covered by the EU-US Privacy Shield. This framework covered exchanges of personal data for commercial purposes, and gave US companies easy access to personal data from EU entities. GDPR has a much wider scope than the EU-US Privacy Shield, and companies that are already compliant with the existing framework are still expected to update their business practices to comply with the new regulation.
How to ensure compliance with GDPR
A good place to start for many US companies is to conduct a comprehensive audit of their data. A report should be produced covering the methods by which the data was obtained, the purpose for which it was collected, how it is stored, and whether the company still needs it. This holistic report will allow fully informed decisions to be made about the best routes to GDPR compliance.
In addition to auditing their own data, organisations in the US will be required to complete an audit of their service providers’ data storage and processing techniques. Organisations are responsible for ensuring that the third-party services they use are also GDPR-compliant. The blame for a violation cannot be shifted to the third party, and organisations cannot claim ignorance as an excuse if the third party is discovered to be non-compliant. A comprehensive review of a service provider’s practices is essential to minimising the risk to an organisation.
GDPR has different implications for organisations depending on how they handle data. There are two broad categories: data controllers, who determine the purpose and means of how customer data is processed, and data processors, who process personal data on behalf of the controllers. An organisation may fall into both of these categories.
Under GDPR, data controllers are responsible for the actions of their data processors, and are liable if those processors are non-compliant with GDPR. Therefore, the onus is on data controllers to ensure that all business practices are up to standard. This becomes a particularly difficult problem for data controllers who work with more than one data processor, as the expenses increase rapidly. The contract between controllers and processors should be very clear about how the data is handled, for what purposes it is to be used, and for how long it can be stored.
Some organisations that are covered by GDPR and have more than 250 employees are required to nominate a Data Protection Officer (DPO), who will oversee the security of any data that the organisation handles. Small businesses are generally not covered by GDPR, unless they handle certain types of data specified in Article 9. It is worthwhile for small businesses to hire a third-party expert to check whether or not the data they handle is covered by Article 9.
Under the GDPR, data breaches need to be reported within 72 hours of discovery. Organisations are expected to have a contingency plan in place to ensure that if a data breach were to occur, they can meet this strict deadline and enact damage control procedures.
One of the major changes that GDPR has introduced to data-collecting procedures is ensuring that customers give informed consent regarding the collection and use of their data. Consent forms may need to be redesigned to ensure that they comply with the new regulation. Consenting to data exchange must be a separate act from consenting to other matters, such as general terms and conditions. Furthermore, giving consent must be a deliberate act, so pre-checked consent boxes are no longer permitted. If consent was acquired this way previously, it must be reacquired if the organisation still wants to use the data.
Penalties for non-compliance with GDPR
Hefty penalties are levied against organisations that violate GDPR: either a fine of €20 million (around $23 million) or 4% of the company’s annual turnover, whichever is higher. Threatened with fines of millions of dollars for a violation, US organisations are ensuring that they have the correct frameworks in place to be fully GDPR compliant.
A recent survey conducted by PricewaterhouseCoopers (PwC) on multinational organisations based in the US indicates that over half of the respondents said that GDPR was their “top data protection priority”. Over three-quarters of the respondents said that their company will be spending in excess of $1 million to ensure that the proper framework is in place within their organisation so that they are GDPR compliant.
The financial burden of setting up new business practices and hiring legal experts to help with the complex regulations is small in comparison to the potential penalties for not doing so.
Only a few months after it came into effect, GDPR has already had wide-reaching impacts. While some experts complain about the financial and administrative burden it places on businesses, many hail it as a step forward for consumer rights. Although contentious, the effect of GDPR on US business practices is indisputable.