The EU’s General Data Protection Regulation (GDPR) affects US companies, too. That’s why you need to learn more about it and get at least the GDPR compliance checklist for US companies at the end of this article. But first, let’s get into the GDPR requirements for US companies one by one to understand better how the GDPR affects your company and what you need to do for compliance.
GDPR applies to US companies that interact with users in the European Union. Your business can be physically present somewhere other than Europe. It is enough to target European customers online to fall into the GDPR net. However, it only applies to some of your business operations.
Here’s how the GDPR would apply:
So, the GDPR applies to US companies in many cases. Now let’s see how to become GDPR compliant and avoid the huge penalties by the supervisory authorities.
We’ll tackle each requirement one-by-one, and summarize it in the end as a checklist.
Every business needs to maintain records of processing activities (ROPA). This document outlines everything the company does with personal data: every data processing activity in the business, from the moment of collection to the moment of deletion.
Some of the information it contains:
It may also include other information. A data flow mapping exercise is an excellent introduction to ROPA. You’ll want a good overview of your data inventory to inform your ROPA.
You can read more about data mapping here.
Many online businesses think that copying and pasting a privacy policy on their website is enough for GDPR compliance, but that’s far from true.
A privacy policy informs your consumers of all your data privacy practices. That information helps you meet the GDPR’s transparency requirements and gives users the basis on which they consent to data processing.
A GDPR-compliant privacy policy must contain at least the following:
This is a partial list of the information that should be provided there. You can give as much information as possible, but this is the minimum.
The cookie declaration can be part of the privacy policy or a separate document. Its purpose is to inform website visitors about the cookies your website uses.
In the cookie declaration, you must say what kinds of cookies you use and what they are for.
GDPR compliance requires asking users for consent to use cookies for data processing. The GDPR relies on the opt-in principle, meaning you can process personal data only if the user has opted in.
Consent is the only lawful basis of processing you can rely on when it comes to processing via cookies.
That’s why you need a cookie banner and a cookie management solution.
You must obtain explicit user consent, which is:
The cookie banner usually comes with some text that serves as a privacy notice and buttons and links to help you meet all the requirements of the GDPR.
You can read more about obtaining cookie consent according to the GDPR.
You must determine how long you’ll keep users’ data before deleting it from your servers. It could look like this:
You can either make a separate policy for keeping data or add it to your privacy policy.
A Data Processing Agreement (DPA) is the contract between you, as a data controller, and your data processors, i.e., service providers.
A data processor may process personal data on your behalf only under a contract and your written instructions. That’s why you need a DPA with them.
The DPA can be a separate agreement or part of the Terms and Conditions.
Many SaaS companies include the DPA in their Terms and Conditions to ensure that when the customer signs up for the SaaS, they also permit the data processor to process personal data on their behalf.
You can read more about data processing agreements here.
As a US company, you will typically send personal information to the US for processing. However, moving data from EU member states to the United States is tricky from a legal standpoint.
You’ll need a legal basis for the data transfer. In many cases, it could be the execution of a contract. However, when it comes to marketing data, you’ll have little choice aside from asking for consent until the new EU-US data transfer agreement is enacted (read about the new data transfer agreement between the EU and US).
You can read more about international data transfers here.
Your users, or “data subjects,” as the GDPR calls them, have the right to submit data subject requests to you, and you must respond to them.
Users have the right to be informed, to access their data, to have it corrected or deleted, to object to profiling and automated decision-making, and other rights. When they submit requests under these rights, you have a month to honor them; not responding leads to penalties.
A DSAR (data subject access request) center or another dedicated method for receiving data subject requests is a good practice. But you have to answer every request you get, no matter how it reaches you: by email, contact form, phone, etc.
Read more about data subject requests here.
Some businesses, but not all, are required to appoint a Data Protection Officer (DPO). This requirement applies to companies that:
All others are not required to appoint one, but it is a good practice to have one.
You can learn more about the GDPR DPO here.
A legal representative differs from a DPO, although the same person can act in both roles. US companies should think about getting a legal representative in the EU unless:
Check out this guide on legal representatives in the EU for non-EU companies to understand if you are required to appoint one.
The GDPR doesn't say exactly what steps to take to protect customer data. Still, it does require all businesses to take data security seriously and do their best, given their resources, to prevent customer data breaches.
Having a data security policy and implementing it is a good practice for all businesses, regardless of size. Companies that process lots of personal data must take it seriously as an obligation, not just a good practice. You need to safeguard your data not only because not doing so is punishable by law but also because it hurts your reputation and could destroy the trust you’ve built with customers.
The EU data protection authorities have detailed guidelines on responding to data breaches in this unfortunate scenario. You’ll be able to read more about that here.
Remember, you must report your data breaches to data protection authorities and, in many cases, to data subjects. Not all cyberattacks will cause personal data breaches that need to be reported, but when they do, notify the authorities. Not reporting data breaches means non-compliance with the GDPR and penalties.
A Data Protection Impact Assessment (DPIA) is a risk management tool that can save a lot of headaches further down the road. Most recent data privacy laws, including those of individual states in the United States, require some businesses to conduct a DPIA when processing personal data poses a high risk to the data subjects. The GDPR was the first data protection law to require it.
A DPIA includes a data mapping exercise that follows personal data from collection, through processing and transfer, down to deletion. On top of that, it assesses the risks to personal data and to the rights and freedoms of the data subjects at every step of the processing. That will inform your data protection policies and help you comply with the GDPR.
Read this guide to learn more about DPIAs and determine if you need one. Then read this guide on completing it using three free DPIA templates.
If you are overwhelmed with all this information, we’ve got you. GDPR requirements are not a walk in the park, although the myths around the internet suggest that a privacy policy is enough for GDPR compliance.
To sum it all up, here is a summarized GDPR compliance checklist for US companies: