A Comprehensive GDPR Compliance Checklist for US Companies
The EU’s General Data Protection Regulation (GDPR) affects US companies, too. That’s why you need to learn more about it and get at least the GDPR compliance checklist for US companies at the end of this article. But first, let’s get into the GDPR requirements for US companies one by one to understand better how the GDPR affects your company and what you need to do for compliance.
Does the GDPR Apply to US Companies?
GDPR applies to US companies that interact with users in the European Union. Your business can be physically present somewhere other than Europe. It is enough to target European customers online to fall into the GDPR net. However, it only applies to some of your business operations.
Here’s how the GDPR would apply:
- When you process only the personal data of US customers, it does not apply: you are not a European business and your consumers are not European customers;
- When you process the data of both EU residents and US consumers, it applies only to the processing of the EU citizens’ data. It does not apply to the processing of your US, Canadian, or Latin American customers’ personal data.
So, the GDPR applies to US companies in many cases. Now let’s see how to become GDPR compliant and avoid the heavy penalties imposed by the supervisory authorities.
We’ll tackle each requirement one-by-one, and summarize it in the end as a checklist.
Records of processing activities
Every business needs to maintain records of processing activities (ROPA). This document outlines everything the company does with personal data. It covers all of the company’s data processing activities, from the moment of data collection to the moment of deletion.
Some of the information it contains:
- Which categories of data are processed
- What the legal basis for processing is
- How the data is processed
- Why the data is processed
- Where the data is transferred
- For how long personal data is stored
It may also include other information. A data flow mapping exercise is an excellent starting point for your ROPA, since you’ll want a good overview of your data inventory to inform it.
Privacy Policy
Your privacy policy must tell users, at a minimum:
- Your identity as a data controller
- The categories of data you process, including any special categories of data
- Why you process the data
- How you collect and process the data
- With whom you share users’ data, i.e., who your data processors and service providers are
- Where you transfer personal data
- For how long you retain users’ data
- Details about data subject rights and how to exercise them
This is the minimum information that should be provided there; you can give more, but not less.
In the cookie declaration, you must say what kinds of cookies you use and what they are for.
Consent Management and Cookie Banner
Consent is the only lawful basis of processing you can rely on when it comes to processing by cookies.
That’s why you need a cookie banner and a cookie management solution.
You must obtain explicit user consent, which is:
- Freely given
- Specific, and
- Easily withdrawn.
The cookie banner usually combines a short text that serves as a privacy notice with the buttons and links that help you meet all of the GDPR’s consent requirements.
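As an added example (not code from the original article), here is a minimal consent gate in JavaScript that enforces the three points above and the rule of blocking non-essential cookies until consent is given. It uses a constructed in-memory cookie jar in place of document.cookie so it runs outside a browser; the category names, cookie names and createConsentManager are all assumptions of this example.

```javascript
// Added example: a consent gate that keeps non-essential cookies blocked until the
// user opts in, records a specific per-category choice, and lets the user withdraw it.
// The jar is a constructed stand-in for document.cookie (Map of name -> {value, category}).

const CATEGORIES = ["analytics", "marketing"]; // non-essential: require consent (assumed names)
const ESSENTIAL = ["session"];                 // strictly necessary: no consent needed

function createConsentManager(jar) {
  let consent = null; // null = no decision yet: banner shown, non-essential cookies blocked

  function isAllowed(category) {
    if (ESSENTIAL.includes(category)) return true;
    return consent !== null && consent.choices[category] === true;
  }

  function setCookie(name, value, category) {
    // Every cookie write goes through the gate, so nothing non-essential is set before consent.
    if (!isAllowed(category)) return false;
    jar.set(name, { value, category });
    return true;
  }

  function grant(choices = {}) {
    // "Specific" and "freely given": each category is an explicit opt-in; anything the user
    // did not tick defaults to false, so there are no pre-ticked boxes or implied consent.
    consent = {
      choices: Object.fromEntries(CATEGORIES.map(c => [c, choices[c] === true])),
      grantedAt: new Date().toISOString(), // keep a record of when consent was given
    };
    return { ...consent.choices };
  }

  function withdraw() {
    // "Easily withdrawn": one call revokes everything and purges cookies already set under it,
    // while strictly necessary cookies (e.g. the session) are left in place.
    consent = null;
    for (const [name, c] of [...jar]) {
      if (!ESSENTIAL.includes(c.category)) jar.delete(name);
    }
  }

  return { isAllowed, setCookie, grant, withdraw, get consent() { return consent; } };
}
```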
Data Retention Policy
You must determine how long you’ll keep users’ data before deleting it from your servers. It could look like this:
- You’ll store users’ email addresses until they are unresponsive for six months;
- You’ll remove Google Analytics IP addresses and other data after two years;
- You’ll delete users’ phone numbers once they have received customer support, etc.
Data Processing Agreements
A Data Processing Agreement (DPA) is the contract between you, as a data controller, and your data processors, i.e., service providers.
A data processor may only process personal data on your behalf under a contract and your written instructions. That’s why you need a DPA with each of them.
The DPA can be a separate agreement or part of the Terms and Conditions.
Many SaaS companies include the DPA in their Terms and Conditions to ensure that when the customer signs up for the SaaS, they also permit the data processor to process personal data on their behalf.
International Data Transfers
As a US company, you will need to send personal information to the US for processing. However, moving data from EU member states to the United States is tricky from a legal standpoint.
You’ll need a legal basis for the data transfer. In many cases, it could be the execution of a contract. However, when it comes to marketing data, you’ll have little choice aside from asking for consent until the new EU-US data transfer agreement is enacted (Read about the New Data Transfer Agreement Between EU and US).
Data Subject Requests
Your users, or “data subjects,” as the GDPR calls them, have the right to submit data subject requests to you, and you must respond to them.
Users have the right to be informed, to access, correct and delete their data, to object to profiling and automated decision-making, among other rights. When they submit requests about these rights, you’ll have a month to honor them—not responding leads to penalties.
A DSAR (data subject access request) center or another dedicated method for receiving data subject requests is good practice. But you have to answer any request you get, no matter how it reaches you: by email, contact form, phone, etc.
Data Protection Officer (DPO)
Some businesses, but not all, are required to appoint a Data Protection Officer (DPO). The requirement applies to companies that:
- Have core activities involving processing that requires regular and systematic large-scale monitoring of people, or
- Process special categories of data or data related to criminal convictions and offenses on a large scale.
All others are not required to appoint one, but it is a good practice to have one.
Legal Representative in the EU
A legal representative differs from a DPO, although the same person can act in both roles. US companies should think about getting a legal representative in the EU unless:
- The processing is only occasional
- The processing poses a low risk to the data protection rights of individuals, and
- The processing does not involve the large-scale use of special category or criminal offense data.
Check out this guide on legal representatives in the EU for non-EU companies to understand if you are required to appoint one.
Data Security and Data Breaches
The GDPR doesn't say exactly what steps to take to protect customer data. Still, it does require all businesses to take data security seriously and do their best, given their resources, to prevent customer data breaches.
Having a data security policy and implementing it is a good practice for all businesses, regardless of size. Companies that process lots of personal data must take it seriously as an obligation, not just a good practice. You need to safeguard your data not only because not doing so is punishable by law but also because it hurts your reputation and could destroy the trust you’ve built with customers.
The EU data protection authorities publish detailed guidelines on how to respond to a data breach should this unfortunate scenario occur.
Remember, you must report your data breaches to data protection authorities and, in many cases, to data subjects. Not all cyberattacks will cause personal data breaches that need to be reported, but when they do, notify the authorities. Not reporting data breaches means non-compliance with the GDPR and penalties.
Data Protection Impact Assessment (DPIA)
Data Protection Impact Assessment (DPIA) is a risk management tool that can save a lot of headaches further down the road. Most recent data privacy laws, including those of individual states in the United States, require some businesses to conduct a DPIA when processing personal data poses a high risk to the data subjects. The GDPR was the first data protection law to require it.
A DPIA includes a data mapping exercise from data collection, data processing, and transfer down to data deletion. On top of that, it assesses the risks to personal data and to the rights and freedoms of the data subjects at every step of the processing. That will inform your data protection policies and help you comply with the GDPR.
Summary: A GDPR Compliance Checklist for US Companies
To sum it all up, here is a summarized GDPR compliance checklist for US companies:
- Maintain records of processing activities
- Install a cookie banner on your website to obtain cookie consent
- Block cookies before getting the user’s consent
- Respond to data subject requests as soon as possible
- Appoint a DPO, if needed
- Appoint a legal representative in the EU, if required
- Ensure that your international data transfers are lawful
- Establish a data retention policy for each category of personal data
- Have data processing agreements in place with all your data processors
- Ensure that your data is secure
- Notify authorities and data subjects about data breaches
- Conduct a DPIA, even if not required by law; it is a great practice