I am an American business. Do I have to be GDPR compliant?

By Nigel Jones

Co Founder of The Privacy Compliance Hub

June 2018

If you are based in the United States, but your customers include residents of the European Union, you need to know about the General Data Protection Regulation (GDPR). The regulation came into force on 25 May 2018, setting in motion a new framework designed to give EU citizens greater control over their data and how that data is put to use.

For businesses, the GDPR brings in some important new obligations and requirements to ensure that EU citizens’ data rights are safeguarded. And it also includes a wide-reaching territorial clause – so whether your business is based in Austin or Amsterdam, the rules still apply.

Here’s a closer look at what the GDPR means for American firms and the steps you should take to stay on the right side of the law.

What the GDPR means for US businesses

Whatever your industry sector, it’s likely that you are already operating according to one or more data protection frameworks (e.g. HIPAA for healthcare, GLB for financials and various state-level laws). So first off, some good news. Assuming that you already follow best practice on data protection, the GDPR probably isn’t going to demand a complete overhaul of your existing processes and practices.

That said, it would be wrong to assume that this new batch of EU rules is “basically the same” as the US model. Here are some of the key features of the GDPR and how they differ from the American environment.

The definition of “personal data”

The GDPR is concerned with personal data and, compared to many other jurisdictions, gives it a very wide definition. It includes any information that could identify a natural person, either in isolation or in combination with other identifying information, directly or indirectly.

Significantly, it covers Web data such as cookies and location tags (so US-based e-commerce businesses should take note). B2B sellers should be aware that it also includes work emails where it’s possible to identify the recipient (e.g. Johnsmith@xcoltd).

Enhanced data rights

You won’t be able to charge an administration fee for responding to subject access rights under the GDPR. You should also read up on the new rules relating to seeking subject consent, the right to be forgotten and data portability.

Security and breach reporting

In the US, the rules on breach reporting tend to differ from state to state. Depending on the nature of the breach, the reporting process can sometimes involve multiple governmental bodies, from state attorneys general offices through to federal agencies.

Compared to this, the reporting procedure under the GDPR is refreshingly streamlined. Broadly, if you suffer a breach that poses a risk to the rights and freedoms of individuals, you need to notify your lead data protection authority (we’ll come on to this shortly). And if it poses a high risk to those rights and freedoms, you should also notify the individuals concerned of the breach. You can read more about the GDPR rules surrounding data security here.

Direct liability for processors

Let’s say you carry out data processing activities (e.g. analysis or storage) on behalf of another company and this data includes the personal information of EU citizens. Previously, the EU essentially left it between you and your client to determine (via the contract) what happens if you suffer a security breach.

The GDPR changes this. It places a direct obligation on you to notify your client of personal data breaches “without undue delay”. Failure to comply with this could expose you to a sanction (read more about sanctions here).

Special rules for non-EU established businesses

Some US companies will have a base of operations in the EU (e.g. a branch office). This office will bear the responsibility for ensuring that you comply with GDPR. Your lead reporting agency will be the one for the country where that office is based. As an example, if your European HQ is in Dublin, the regulator to report to (if required) will be Ireland’s Office of the Information Commissioner.

But what if you have no physical presence in Europe? Under these circumstances, you’re classed as a non-EU established business and under Article 27 GDPR, you may be required to appoint a local representative. This representative essentially acts as a liaison between you and the regulator.

Do you need to appoint a representative?

Broadly, if you control or process the data of individuals resident in the EU, you’ll need to appoint a representative if the following apply:

  • The processing of data is for the purposes of “offering goods or services”. Note that these offerings do not necessarily have to be offered for sale (so it could include the roll-out of a free personal organiser app, for instance).
  • That processing is not merely “occasional” and it is unlikely to result in a risk to the rights and freedoms of individuals.

What next?

Here’s the upshot: unless the exemptions apply, US companies that do not have either a formal physical presence or an official representative within the EU are not permitted to process the personal data of EU citizens.

It remains to be seen just how vigorously regulatory authorities will seek to close down unauthorised operations from the US and elsewhere. But look at it this way: if you’re looking to build up a global presence, do you really want to take the risk of being labelled “unlawful”?

Right now, look carefully at the following:

  • Map your data estate. As a top priority, you’ll need to establish whether, and to what extent, you are currently processing the personal information of EU residents.
  • Seek specific legal advice. In particular, whether or not processing activities would be deemed “occasional” and whether they affect the “rights and freedoms of individuals” can sometimes be a grey area. Likewise, you’ll need advice on precisely where to appoint your representative (if needed). Focus on an advisor with local knowledge of the EU framework.
  • Bookmark our resource centre. Regularly added to, it’s a handy source of practical information on all aspects of the new law.

Looking to make GDPR compliance easier? Featuring a full range of handy templates, The Privacy Compliance Hub comprises a complete solution for US companies wanting to keep on top of their requirements. Take a look at our demo or get in touch for a chat today.
