The General Data Protection Regulation (i.e. GDPR) is a data protection law that is binding for businesses operating within the European Union (EU) along with businesses operating outside the EU that provide goods or services to EU residents or monitor their behavior in any way. How does GDPR affect US companies? While the GDPR is a European Union regulation, it may nonetheless apply to American businesses that fall under any terms of the law.
Therefore, if your company provides software, other services or monitors the behavior of people living in Europe, you must comply with the GDPR in the US. In addition, if your US-based company processes the personal data of individuals in the EU on behalf of a data controller (someone paid you for such services), you may also be subject to the GDPR's requirements as a data processor. We break down on the terms a little further along.
In today's lush digital landscape, data privacy is a top concern for consumers. By prioritizing GDPR compliance for US companies, business-owners can distinguish themselves among competitors and gain a market advantage. It's vital that ambitious IT companies that value their future growth take USA GDPR requirements extra-seriously.
Controller and processor specifications
Your GDPR obligations will be determined by whether you are a Controller or a Processor.
The controllers set the goals and methods for processing personal data. Companies must put in place the necessary organizational and technical measures to ensure and confirm that personal data is processed in accordance with GDPR standards in the United States.
Processors manage personal data in line with written instructions from the Controller. Internal teams can take upon the role of processors keeping track of and maintaining personal data files. An outsourced organization could take up the mantle of a data processor, as well. The duties can be fully or partially delegated to them, depending on the project.
Data controllers must ensure that their data processors follow the GDPR regulations. A Data Processing Agreement (DPA) is a crucial aspect of this compliance practice since it specifies the data processor's obligations and duties.
The GDPR holds both Controllers and Processors liable for violations of its requirements. As a result, even if your data processing collaborator is exclusively to blame, both your company and your cloud provider are likely to face fines and other sanctions under the GDPR.
How to know if your company falls under GDPR
Is GDPR applicable in US? If you are unsure whether the EU data laws apply to your US business, simply answer the following questions to assess whether you must comply with the regulation.
Does your business process personal data?
The GDPR compliance in US only covers the processing of personal data. Personal data consists of anything that may be used to identify an individual (name, email address, or location). GDPR in the US may apply to your organization if it processes the personal data of EU residents.
Was your business established in the EU?
GDPR may apply to your US organization if it has an office, branch, or other property in the EU.
Does your business offer services to users in the EU?
The GDPR in the United States may apply to your company if it distributes software or services to EU citizens.
Does your business monitor the behavior of individuals in the EU?
GDPR compliance in US includes tracking people's online activities using cookies or other methods.
Do you handle information related to special data categories?
This covers physical and mental health information, racial or ethnic backgrounds, sexual orientation, and religious views.
GDPR requirements for US companies
If the answer to any of the aforementioned questions is “Yes”, you should take steps to ensure that your business complies with GDPR in the United States.
- Create a Data Protection Officer (DPO) position: if your company processes large amounts of personal data, it's a good idea to select a DPO to oversee GDPR compliance.
- Conduct a Data Protection Impact Assessment (DPIA): if your company processes personal data that is likely to result in a high risk to the rights and freedoms of individuals, you must conduct a DPIA to assess and mitigate those risks according to GDPR requirements for US companies.
- Establish data protection policies and procedures: to ensure that personal data is treated securely and lawfully, you should adopt data protection policies and procedures. This involves data retention policies, data subject rights, and data breaches.
- Get valid consent for data processing: before processing individuals' personal data, you must seek consent from them. Consent should be freely provided, explicit and informed.
- Provide data subject rights: the website users (buyers, visitors etc.) are entitled to access, update, destroy, and restrict the processing of their personal data. You must create a means for people to exercise their rights.
- Adopt data security measures: to ensure full protection of personal data, develop and implement the appropriate measures. This includes safeguards against data theft, disclosure, or loss of personal information.
- Establish data breach protocols: procedures for detecting, investigating, and reporting data breaches must be in place. Within 72 hours after becoming aware of a data breach, you must notify impacted users and the appropriate data security authorities.
- Determine vendor management procedures: If you involve third-party vendors to process personal data, you must implement vendor management procedures to ensure compliance with GDPR.
- Ensure employees are trained on GDPR law: It is important to train staff on GDPR compliance so that they understand their responsibilities and the GDPR's requirements.
- Maintain processing activity records, including the processing objectives, the categories of processed data, and the recipients of personal data.
How does GDPR affect US companies?
If a US-based business violates the General Data Protection Regulation (GDPR), it may be subject to significant fines and penalties. The GDPR imposes two tiers of administrative fines for non-compliance:
- Up to €10 million or 2% of the company's global annual revenue, whichever is higher, for violations related to data processing, data security, and record-keeping requirements.
- Up to €20 million or 4% of the company's global annual revenue, whichever is higher, for violations related to data subject rights, data breaches, and other serious infringements.
The payment for the damages will depend on the nature and severity of the violation, as well as other factors such as the size of the company and its previous compliance history.
Examples of GDPR-related fines
In January 2019, the French data protection authority, CNIL, fined Google €50 million ($56.8 million) for violating GDPR rules. The fine was issued for lack of transparency, incorrect information, and absence of valid consent regarding personalized advertising.
In December 2020, the Luxembourg data protection authority, CNPD, fined Amazon €746 million ($887 million) for violating GDPR rules. The fine was issued for processing personal data in violation of GDPR rules and failing to cooperate with the CNPD.
In addition to fines, companies may also be subject to other remedies, such as orders to cease certain processing activities, temporary or permanent bans on processing personal data, and the requirement to notify affected individuals in case of data breaches.
If a US-based business violates the GDPR, it may also face reputational damage and loss of business, as consumers are becoming increasingly aware of their data protection rights and may be less likely to trust a company that has violated their privacy.
As evidenced by the above, the GDPR has extraterritorial reach, which means that non-EU companies can still be subject to fines and penalties if they violate the regulation in relation to EU individuals’ personal data.
GDPR means professionalism
The GDPR establishes a legal structure for the collection and use of private data and allows individuals more control over their personal information. It requires businesses to install robust security measures, seek consent from individuals before processing their data, and follow strict data protection policies and procedures.
GDPR compliance demonstrates a company's dedication to professionalism and ethical business practices. Businesses that take data security seriously are more likely to be considered reliable and trustworthy partners, which is vital when outsourcing critical business tasks to a third-party source.
By selecting a GDPR-compliant outstaffing company, you may be confident that your hires' and company's personal data will be less likely to be abused, lost, or stolen, resulting in financial or reputational harm.
Our commitment to data security in tech recruitment and GDPR compliance are reflected in our annual GDPR-compliance audit, which demonstrates the dedication to information security management. Contact us via [email protected] to learn more and set off onto a secure business scaling journey.
FAQ
-
How many US companies are GDPR-compliant?
Because of GDPR applicability to US businesses, around 80% of US businesses taken precautions. A large proportion of these businesses, approximately 27%, invested more than $500,000 to secure GDPR compliance. Despite these measures, significant fines totaling more than €359 million have been levied under the GDPR legislation.
-
Do US companies need a data protection officer?
Does GDPR apply to US companies? Yes, if their principal activities entail large-scale processing of sensitive (personal) data or systematic monitoring of individuals. This means that business owners must employ a data protection officer (DP) to monitor GDPR compliance.
-
What is the difference between CCPA and GDPR?
CCPA and GDPR are both data privacy laws that ensure personal data security, although they differ in scope, definitions of personal data, individual rights, enforcement, and timeframe. While CCPA only applies to companies that collect personal information from California residents, GDPR focuses on data subjects in the EU and covers all businesses which collect personal information about EU individuals.
Stay in tune
Curated Tech HR buzz delivered to your inbox