The General Data Protection Regulation (GDPR) is European legislation that protects data privacy and gives individuals more control over how their data is to be used.
Organizations that fail to comply may be subject to massive fines of up to $24 million or 4% of their global revenue.
US companies must comply with this law whenever they collect data from citizens of EU member states.
The law is extra-territorial in scope, which means it can apply to companies based in America and to business activities that are, or arguably are, conducted in America. (Whether it applies depends on how a given international digital interaction is characterized.)
Though this approach might seem to be outside the EU’s jurisdiction, countries commonly enforce such laws through mutual assistance treaties.
The question is also directly addressed by GDPR’s Article 50. Thus far, the measure has held up in court and has not faced any serious legal challenge.
As general counsel attorneys, we are pleased to offer your US company the following checklist to help it comply with this law.
1. Audit Data Collection
The very first thing your organization must do is to conduct an audit of its activities. You must determine whether you collect the data of citizens of EU member states and, if so, what data you are collecting.
Then you must ascertain whether your data processing is “related to offering goods or services to such data subjects irrespective of whether connected to a payment.”
If your company is processing data in this way, you must inform the individuals whose data you are collecting and elicit their consent.
2. Assess Data Policies
Your organization will need to run a data protection impact assessment in order to understand the security risks it faces protecting individuals’ data.
You will then have to design organizational safeguards and implement security solutions such as end-to-end encryption. When launching new projects, your organization must abide by the principle of “data protection by design and by default.”
3. Data Processing Agreements
Your company must set up a data processing agreement with vendors such as email providers and payment processors.
The agreement should clearly delineate the rights and responsibilities of each party in handling personal data. If you fail to do so, your company can be held partially liable for the vendor’s handling of that data.
4. Responsible Personnel
Many companies, especially larger firms, have found it necessary to appoint a data protection officer to their upper management.
The GDPR further stipulates that certain organizations will need to appoint a representative in the EU. This requirement is laid out and elaborated upon in Article 27.
5. Data Breaches
Companies that experience data breaches are required to report them to the regulatory authorities without undue delay, which means within 72 hours.
If the particular data that was breached is of an extremely sensitive nature, and thus would “result in a high risk to the rights and freedoms of natural persons,” your company must communicate with the victims of the breach directly.
Your company would not have to do this, however, if the data were strongly encrypted, or if some other security measure prevented attackers from accessing the records. If notifying the affected individuals directly would involve “disproportionate effort,” a general public communication is required instead.
If a company fails to take any of these steps, the regulatory authority may order it to do so.
6. Transfers Out of the EU
Any transfer of data out of the EU must remain in strict compliance with the GDPR’s Article 45. Your firm might need to self-certify under the Privacy Shield Framework, which was set up through a joint effort of the US and EU governments.