Time’s up. As of May 25, 2018, the General Data Protection Regulation (GDPR) is in effect. It is the most comprehensive set of data-privacy laws to date. And it applies to you. Even though the GDPR is a European regulation and targets chiefly EU-based merchants, it will still profoundly impact companies and merchants in other countries. So it applies to you and your company. The upshot is that, if you have EU customers or just collect information from them, you had better understand GDPR compliance for US companies. At a minimum, you need to have a handle on GDPR basics for US companies.
Why Does a US Company Need to Prepare for GDPR?
The GDPR is an EU law, so why does a US company need to prepare for GDPR implications? To answer that, let’s first see exactly what it is.
Online collection and use of personal information began in the 1990s and has since become simply the norm for online businesses. Even after the explosive growth of online data collection and its becoming commonplace practice, most consumers are still unaware of the huge amount of personal information collected and exactly how it is used. And after several major data breaches involving LinkedIn, MySpace, and Yahoo accounts and millions of users, it was plain some changes had to be made. The objective of the GDPR is to prevent similar problems and to give people some ownership and control of their personal data.
The express, stated purpose of the GDPR, then, is “to ‘harmonise’ data privacy laws across Europe as well as give greater protection and rights to individuals” – ultimately aiming to provide consumer rights for accessing information, to tighten data-management requirements for businesses, and to implement a system of fines for noncompliance (WIRED).
Besides striving to give consumers more control of collection and use of their personal information, the new law also has as its objective to hold businesses to a higher standard of accountability in this respect. Again, according to WIRED, “the ‘destruction, loss, alteration, unauthorised disclosure of, or access to’ people’s data has to be reported to a country’s data protection regulator . . . where it could have a detrimental impact on those who it is about. This can include, but isn’t limited to, financial loss, confidentiality breaches, damage to reputation and more.”
Now, for US companies, the thing to note is that this does not apply only to companies and businesses located or doing business within the EU. “If your company sells products and/or services to people residing in the EU, or monitors the behavior of natural persons residing in the EU, regardless of where your company is located, then this regulation applies to your organization” (IBM).
And that’s why US companies need to prepare for GDPR compliance . . . because there are, in fact, GDPR requirements for US companies.
GDPR Overview for US Companies
So here’s a quick overview concerning GDPR compliance for US companies.
Two overarching points to keep firmly in mind concerning the GDPR obligation for US companies are laid out in a Forbes piece. First, “Article 3 of the GDPR says that if you collect personal data or behavioral information from someone in an EU country, your company is subject to the requirements of the GDPR,” but only if the person is actually “in the EU when the data is collected.” And, second, “a financial transaction doesn’t have to take place for the extended scope of the law to kick in. If the organization just collects ‘personal data’ . . . as part of a marketing survey, then the data would have to be protected GDPR-style.”
Further important points, according to IBM, are . . .
- “Personal data” is defined to include any and all information that could be used to identify a person (directly or indirectly) – for example, name, email address, social-media posts, photo, medical information, and computer IP address.
- A “data subject” is the person whose information is collected and is defined as “a natural person whose personal data is processed by a controller or processor.”
- Under the GDPR, data subjects are to have certain specified and enumerated rights, including the right to receive the information collected and to have it transferred to a different controller, the right to know how and for what purpose the information is being processed, and the right to have personal data erased or dissemination stopped.
- The data controller is required to provide a free copy of personal data if requested.
- Consent conditions provided to consumers must be easy to understand, and consent must be easy to withdraw.
- Noncompliance may incur significant fines.
GDPR Fines for US Companies
As we mentioned, one of the main points of the GDPR is a system of fines for noncompliance. It’s not exactly clear yet how the system of GDPR fines can and will be enforced and fines collected in countries outside the EU. But the fines are not insignificant.
Each EU member state must designate an authority for data protection in order to enforce the GDPR. In the case of a data breach or proven GDPR noncompliance, a business can be fined 20 million Euro (around US$23.5 million) or up to 4% of global annual revenue, whichever is greater. And a lower tier of fines could come into effect after a failed audit or simply failing to produce, for whatever reason, the appropriate and requested records for the designated enforcement authority. These second-tier fines cap at 10 million Euro (about US$11.8 million) or 2% of annual revenue.
To avoid such fines, which could threaten the survival of your business, it is generally recommended that you develop a GDPR compliance plan with the assistance of a third-party expert. Such a compliance and fine-avoidance plan should include these components:
- A complete, global current-state analysis of your systems
- An assessment for privacy impact and risk analysis
- A review of the breadth and accuracy of current documentation: system security, disaster recovery, and incident response
GDPR Requirements for US Companies
The GDPR requirements for US companies are pretty straightforward. Still, there are some size differences to be aware of because GDPR compliance for small US businesses is less extensive than for larger businesses.
Consent is one of the foundational aspects of the GDPR, so you have to ensure that you obtain user consent for every kind of collection and use of personal data in every instance. In addition, the means by which this consent is granted must be easy to understand and uncomplicated. You will, then, have to avoid using complex and lengthy Terms and Conditions, and you can’t use any pre-checked checkboxes. You also have to make it easy for users to withdraw consent with (preferably) the same interface used to grant it.
Opt-in boxes and sign-up forms on your website will have to be changed. The forms will have to be such that users are explicitly agreeing to everything you intend to do with their data. You will also have to retain and store that personal data and everything about how it was collected for contingencies like a GDPR audit.
And if your company has more than 250 employees, you will have to have additional records and documentation. This includes documentation that details why and how the data is collected and processed, as well as descriptions of the data held and how long it is retained and your technical security measures.
Companies that collect, process, and monitor personal information on a large scale will have to employ a Data Protection Officer (DPO). This DPO will be responsible for monitoring GDPR compliance and reporting findings to senior management and officers.
GDPR Compliance Checklist for US Companies
To make this all a little easier to grasp at a glance, here’s a GDPR compliance checklist for US companies (taken largely from NG Data):
What you need to understand and see to . . .
- Specific impact on US companies
- Whether your company is affected by the GDPR
- Important GDPR articles
- Compliance requirements
- Due diligence requirements
- Pertinent legislation
- Valid consent
- Data Access
- Data governance
- Fines and penalties
- Best practices for employee training
Actions you may need to take . . .
- Map and classify all personal data
- Perform risk assessments
- Monitor compliance
- Document every activity around data
- Document everything needed to ensure compliance
- Hire dedicated data-protection officers
What Are US Firms Doing for GDPR?
To ensure compliance, US firms are generally taking these steps:
- Determining whether they are a “controller” or a “processor” – While both are required to uphold data subjects’ rights, controllers and processors have slightly different requirements under the GDPR.
- Auditing data – Although time-consuming, this is an important step owing to the benefits. You can get an overview of exactly what data you have, why you have it, how long you’ll need it, and the process in place for deleting it.
- Figuring out which EU state is the relevant supervisory authority – Working with their legal teams and other GDPR experts, US firms should determine which EU member state has supervisory authority over them.
- Redesigning consent and disclosure options and forms – US firms are also working frantically to ensure these comply fully with GDPR requirements at every step – especially that they are easy and simple and obtain explicit consent.
- Reviewing third-party providers – US firms that use third-party providers – say, ecommerce businesses built on BigCommerce or Shopify – have to make sure those providers are also GDPR compliant. If you use a third-party provider that can’t prove GDPR compliance, then the work they do for you gathering EU data is illegal.
- Hiring a DPO – Large companies collecting, processing, and using personal data on a large scale will need to retain a Data Protection Officer with the requisite expertise.
Sample GDPR Policy for US Company
A sample GDPR policy for a US company will need to include the following essential elements (from The Compliance & Ethics Blog):
“Data Protection Policy – An essential guide to employees regarding how they may use data, how they can keep it secure, and the consequences of misuse. A good Data Protection Policy can prevent data breaches by helping employees understand how they are supposed to handle data.”
“Data Retention Policy – A statement explaining when data in documents (or data held electronically) should be deleted. This policy sets out the time limits for deleting different types of documents so that we can stay within the GDPR storage limitation principle found in Article 5 of the GDPR.”
“Data Breach Incident Policy – An emergency plan that tells your company what to do if a data breach occurs, how to form a team to deal with the breach, how to prevent any further loss of data and whether the company needs to tell customers and Regulators about the breach.”
Some ancillary elements are:
- “Big Data Policy – What you can and cannot do with Big Data under GDPR.
- Human Resources and Data Protection Policy – How to treat employee data.
- Marketing and Data Protection Policy – The rule book on sending customers offers and promotions.
- Social Media Policy – Explains what employees are allowed to post on social media, sometimes including on private accounts.
- Encryption Policy – How, when and why we encrypt data.
- Outsourcing Policy – What you need to do if you are sending data to a business partner.”
Compliance Costs for GDPR
What are the compliance costs for GDPR? Well, there are two ways to look at it. You could see it as fairly costly in terms of labor and technical adjustments. Or you could view it as very inexpensive and worth every penny if it helps you avoid the fines. So here’s how it works out.
The largest portion of the costs will be in auditing and classifying the held data, but this is a step that simply can’t be neglected. After the audit, there will be the cost of correcting or deleting data and of putting in place technical and procedural measures to reduce the possibility of future risk. And then for larger companies, there will be the cost of hiring a Data Protection Officer.
Although these may seem like significant costs, the cost of noncompliance is greater. Not only is there the 20 million Euro or 4% fine, but there may be other, greater intangible costs. If you are found noncompliant, your company’s image could be tarnished and reputation damaged. The crucial element of trust will be gone, and users won’t want to trust you with their information. And that could mean a huge cost in lost profits.
Simply put, ensuring GDPR compliance for US companies is now a cost of doing business.
Act Now for US GDPR Compliance
Doing everything possible to ensure GDPR compliance for US companies is now an absolute must – and a pretty urgent one for many of them. The team at Fingerprint Marketing can be that third-party expert you need to be compliant. After all, “Fingerprint Marketing was created from the vision that a client should be able to trust their digital design studio.” Contact us today for a free 15-minute consultation.