GDPR requirements for US companies: what are the key facts to remember?
Here are the seven most critical facts about the GDPR that US companies need to know.
Fact #1. The GDPR applies to organizations across the world.
Unlike the 1995 Data Protection Directive, which was aimed primarily at organizations established in the EU, the GDPR (Article 3) applies to any organization, inside or outside the EU, that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour. What matters is where the data subject is, not their citizenship: a US company with no EU office that sells to, or tracks, people in the EU is in scope.
Such companies must also make sure that every transfer of personal data out of the EU rests on one of the mechanisms in Chapter V of the regulation: an adequacy decision by the European Commission (Article 45) or appropriate safeguards such as standard contractual clauses or binding corporate rules (Article 46). Self-certification frameworks have a poor track record here. The Safe Harbor framework was struck down by the Court of Justice of the EU in 2015, and its successor, the EU-US Privacy Shield, was struck down in July 2020 (Schrems II). The EU-US Data Privacy Framework adopted in 2023 covers only companies that certify under it, and a valid transfer mechanism on its own never satisfies the rest of the regulation.
Fact #2. Fines for non-compliance are steep.
Fines depend on the infraction and come in two tiers (Article 83). Breaches of obligations such as keeping records of processing, securing processing, notifying breaches and carrying out data protection impact assessments carry fines of up to €10 million or 2% of the company's worldwide annual turnover, whichever is higher. Breaches of the basic principles of processing, including the conditions for consent, of data subjects' rights and of the rules on international transfers carry fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. Note that the accidental or unlawful destruction, loss, alteration or disclosure of personal data is the regulation's definition of a personal data breach (Article 4(12)), not an infringement tier in itself; what gets fined is the inadequate security, the missing notification or the unlawful processing behind it.
These maximums far exceed the penalties under the regimes US companies are used to; HIPAA's civil penalties, for example, are capped in the low millions of dollars per year for each type of violation.
Fact #3. Explicit consent is required for data collection and use.
US companies are used to an opt-out model in which customers' data is collected and processed by default. The GDPR instead requires a lawful basis for every processing activity (Article 6). Consent is only one of six bases (the others include performance of a contract, legal obligation and legitimate interests), but where consent is the basis it must be freely given, specific, informed and unambiguous (Articles 4(11) and 7), and processing special categories of data such as health or biometric data requires explicit consent (Article 9). None of the sector-specific US frameworks most companies work under goes this far.
To comply, organizations must be able to demonstrate that consent was given (Article 7(1)), present consent requests in clear and plain language, clearly separated from other terms (Article 7(2)), and make withdrawing consent as easy as giving it (Article 7(3)). Pre-ticked boxes, silence and inactivity do not count as consent (Recital 32). This is likely to be painful for US companies that rely on direct marketing and data analytics, especially since data subjects have an unconditional right to object to processing for direct marketing (Article 21(2)).
Fact #4. The GDPR introduces new concepts and roles.
Here are some terms that are either new for US companies or have a different meaning compared to other compliance standards:
- Personal data — Any information relating to an identified or identifiable natural person (the data subject), whether identified directly or indirectly by a name, an identification number, location data, an online identifier or factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity (Article 4(1)). US compliance standards generally protect only the specific data elements that can be used to commit fraud or identity theft, such as names combined with Social Security numbers, driver's license or ID card numbers, or account numbers. The GDPR's definition is far wider, and a subset of it, the special categories (Article 9), covering biometric and genetic data, health data, political opinions, trade union membership and racial or ethnic origin, is subject to stricter rules.
- Data controller — The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data (Article 4(7)). Controllers carry the accountability obligation: they must be able to demonstrate that processing complies with the regulation (Article 5(2)).
- Data processor — The natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller (Article 4(8)), for example a hosting or analytics vendor. Processors may act only on the controller's documented instructions under a written contract (Article 28) and have their own security and breach-reporting duties (Articles 32 and 33(2)).
- Privacy by design and by default — Organizations must build data protection into the design of systems and projects and ensure that, by default, only the personal data necessary for each specific purpose is collected, processed, retained and made accessible (Article 25).
Fact #5. Data subjects have extended rights.
The GDPR gives data subjects a much wider set of rights over their data than US companies are used to honouring. Individuals in the EU whose data a US company processes can require confirmation of whether their data is being processed and obtain a copy of it (right of access, Article 15), have inaccurate data corrected (Article 16), restrict processing (Article 18), receive their data in a structured, machine-readable format and have it transmitted to another provider where processing is based on consent or a contract and carried out by automated means (portability, Article 20), and object to processing, including any processing for direct marketing (Article 21). Requests must generally be answered within one month (Article 12(3)).
Fact #6. The GDPR guarantees the right to be forgotten (the right to erasure).
Under Article 17, a data subject can require the controller to erase their personal data without undue delay when one of the listed grounds applies, for example when the data is no longer necessary for the purpose it was collected for, the individual withdraws consent and no other lawful basis exists, the individual objects and there are no overriding legitimate grounds, or the data was processed unlawfully. The right is not absolute: it yields where processing is needed to meet a legal obligation, for public-interest or public-health tasks, or to establish or defend legal claims (Article 17(3)). Where the controller has made the data public, it must also take reasonable steps to inform other controllers processing that data that erasure has been requested (Article 17(2)). A narrower right to correct, amend or delete inaccurate data already existed under the Safe Harbor framework, but the GDPR version will significantly change how US companies handle personal data, not least because honouring it requires knowing where every copy of a given individual's data lives.
Fact #7. The GDPR has stringent rules about data breach notification.
Under Article 33, a controller must report a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If the notification is late, it must be accompanied by the reasons for the delay. A processor that detects a breach must notify the controller without undue delay (Article 33(2)), and where the breach is likely to result in a high risk to individuals, the controller must also inform the affected data subjects (Article 34).
This is far tighter than anything US companies are used to. HIPAA allows up to 60 days after discovery, and some frameworks, such as SOX, are not breach-notification laws at all and specify no timeframe. According to the International Association of Privacy Professionals, the average breach notification timeline in the US runs from 30 to 45 days. Since the GDPR clock starts at awareness rather than at the end of the investigation, meeting it in practice means the incident response process needs a pre-agreed decision owner and a notification template ready before the incident happens.
What is the GDPR's impact on US companies?
The GDPR is designed to provide a unified and clear set of rules that strengthen data protection in the digital age and give individuals better control over their personal information. Achieving compliance will require US organizations to rethink their cybersecurity mindset, update their security policies, and change the way they store and process customers' personal data. But the effort pays off. The GDPR won't kill you; it will make you stronger: you gain better data security, better data management and a competitive edge over organizations that lag behind in compliance. You will also be well prepared for US state privacy laws, such as California's CCPA, that have since adopted similar requirements for transparency, deletion and breach notification.