A Comprehensive GDPR ComplianceChecklist for US Companies

But first, let’s get into the GDPR requirements for US companies one by one to understand better how the GDPR affects your company and what you need to do for compliance.

Does the GDPR Apply to US Companies?

GDPR applies to US companies that interact with users in the European Union. Your business can be physically present somewhere other than Europe. It is enough to target European customers online to fall into the GDPR net. However, it only applies to some of your business operations.

Here’s how the GDPR would apply:

• When processing the personal information of US customers, it does not apply. You are not a European business, and your consumers are not European customers, so it does not apply;
• When processing data of EU residents and US consumers, it applies only to processing the data of EU citizens. It does not apply to the personal data processing of your US, Canadian, or Latin American customers.

So, the GDPR applies to US companies in many cases. Now let’s see how to become GDPR compliant and avoid the huge penalties by the supervisory authorities.

We’ll tackle each requirement one-by-one, and summarize it in the end as a checklist.

Records of processing activities

Every business needs to maintain records of processing activities (ROPA). This document outlines everything the company does with personal data. It includes all the data processing activities in the industry, from the moment of data collection to the moment of deletion.

Some of the information it contains:

• What categories of data are processed
• What is the legal basis for processing
• How the data is processed
• Why is the data processed?
• Where data is transferred
• For how long do you store personal data

It may also include other information. A data flow mapping exercise is an excellent introduction to ROPA. You’ll want a good overview of your data inventory to inform your ROPA.

You can read more about data mapping here.

Privacy policy

Many online businesses think that copying and pasting a privacy policy on their website is enough for GDPR compliance, but that’s far from true.

A privacy policy informs your consumers of all your data privacy practices. That information helps you meet the transparency requirements and disclose users’ consent to data processing.

A GDPR-compliant privacy policy must contain at least the following:

• Your identity as a data controller
• The categories of processed data, including any special categories of data
• Why do you process data?
• How you collect and process data
• With whom do you share users’ data, i.e., who are your data processors and service providers
• Where do you transfer personal data?
• For how long do you retain users’ data
• Details about data subject rights and how to exercise them

This is a partial list of the information that should be provided there. You can give as much information as possible, but this is the minimum.

Cookie Declaration

The cookie declaration can be part of the privacy policy or a separate document. Its purpose is to inform website visitors about the cookies your website uses.

In the cookie declaration, you must say what kinds of cookies you use and what they are for.

Consent Management and Cookie Banner

GDPR compliance requires asking users for consent to use cookies for data processing. The GDPR relies on the opt-in principle, meaning you can process personal data only if the user has opted in.

Consent is the only lawful basis of processing you can rely on when it comes to processing by cookies.

That’s why you need a cookie banner and a cookie management solution.

You must obtain explicit user consent, which is:

• Freely given
• Unambiguous
• Informed
• Specific, and
• Easily withdrawn.

The cookie banner usually comes with some text that serves as a privacy notice and buttons and links to help you meet all the requirements of the GDPR.

You can read more about obtaining cookie consent according to the GDPR.

Data Retention Policy

You must determine how long you’ll keep users’ data before deleting it from your servers. It could look like this:

• You’ll store users’ email addresses until they are unresponsive for six months;
• You’ll remove Google Analytics IP addresses and other data after two years;
• You’ll delete users’ phone numbers upon receiving customer support, etc.

You can either make a separate policy for keeping data or add it to your privacy policy.

Data Processing Agreements

A Data Processing Agreement (DPA) is the contract between you, as a data controller, and your data processors, i.e., service providers.

Because of a contract and written instructions, your data processor can only process personal data for you. That’s why you need a DPA with them.

The DPA can be a separate agreement or part of the Terms and Conditions.

Many SaaS companies include the DPA in their Terms and Conditions to ensure that when the customer signs up for the SaaS, they also permit the data processor to process personal data on their behalf.

You can read more about data processing agreements here.

International Data Transfers

As a US company, you must send personal information to the US for processing. However, moving data from EU member states to the United States is tricky from a legal standpoint.

You’ll need a legal basis for the data transfer. In many cases, it could be the execution of a contract. However, when it comes to marketing data, you’ll have little choice aside from asking for consent until the new EU-US data transfer agreement is enacted (Read about the New Data Transfer Agreement Between EU and US).

You can read more about international data transfers here.

Data Subject Requests

Your users, or “data subjects,” as the GDPR calls them, have the right to submit data subject requests to you, and you must respond to them.

Users have the right to know, access, correct data, delete data, object to profiling and automated decision-making, and other rights. When they submit requests about these rights, you’ll have a month to honor them—not responding leads to penalties.

A DSAR center or another method for receiving data subject requests is a good practice. But you have to answer any request you get, no matter how it comes to you: by email, contact form, phone, etc.

Read more about data subject requests here.

Data Protection Officer (DPO)

Some businesses, but not all, are required to appoint a Data Protection Officer (DPO). This requirement applies to companies that:

• Whose primary activities involve processing that necessitates regular and systematic large-scale monitoring of people or things?
• Are processing special categories of data or data related to criminal convictions and offenses on a large scale.

All others are not required to appoint one, but it is a good practice to have one.

You can learn more about the GDPR DPO here.

Legal Representative in the EU

A legal representative differs from a DPO, although the same person can act in both roles. US companies should think about getting a legal representative in the EU unless:

• The processing is only occasional
• The processing poses a low risk to the data protection rights of individuals, and
• The processing does not involve the large-scale use of special category or criminal offense data.

Check out this guide on legal representatives in the EU for non-EU companies to understand if you are required to appoint one.

Data Security and Data Breaches

The GDPR doesn't say exactly what steps to take to protect customer data. Still, it does require all businesses to take data security seriously and do their best, given their resources, to prevent customer data breaches.

Having a data security policy and implementing it is a good practice for all businesses, regardless of size. Companies that process lots of personal data must take it seriously as an obligation, not just a good practice. You need to safeguard your data not only because not doing so is punishable by law but also because it hurts your reputation and could destroy the trust you’ve built with customers.

The EU data protection authorities have detailed guidelines on responding to data breaches in this unfortunate scenario. You’ll be able to read more about that here.

Remember, you must report your data breaches to data protection authorities and, in many cases, to data subjects. Not all cyberattacks will cause personal data breaches that need to be reported, but when they do, notify the authorities. Not reporting data breaches means non-compliance with the GDPR and penalties.

Data Protection Impact Assessment (DPIA)

Data Protection Impact Assessment (DPIA) is a risk management tool that can save a lot of headaches further down the road. Most recent data privacy laws, including those of individual states in the United States, require some businesses to conduct a DPIA when processing personal data poses a high risk to the data subjects. The GDPR was the first data protection law to require it.

DPIAs include a data mapping exercise from data collection, data processing, and transfer down to data deletion. On top of that, it assesses the risks to personal data and the rights and freedoms of the data subjects at every step of the data processing. That will inform your data protection policies and help you comply with the GDPR.

Read this guide to learn more about DPIAs and determine if you need one. Then read this guide on completing it using three free DPIA templates.

Summary: A GDPR Compliance Checklist for US Companies

If you are overwhelmed with all this information, we’ve got you. GDPR requirements are not a walk in the park, although the myths around the internet assume that a privacy policy is enough for GDPR compliance.

To sum it all up, here is a summarized GDPR compliance checklist for US companies:

• Maintain records of processing activities
• Publish a privacy policy on your website
• Publish a cookie policy on your website
• Install a cookie banner on your website to obtain cookie consent
• Block cookies before getting the user’s consent
• Respond to data subject requests as soon as possible
• Appoint a DPO, if needed
• Appoint a legal representative in the EU, if required
• Ensure that your international data transfers are lawful
• Establish a data retention policy for each category of personal data
• Have data processing agreements in place with all your data processors
• Ensure that your data is secure
• Notify authorities and data subjects about data breaches
• Conducting a DPIA, even if not required by law, is a great practice