Do GDPR Regulations Apply to Businesses in the U.S.?
With the growth of the EU as an economic power, businesses in the United States are working to make headway into this lucrative commercial market. However, they are rapidly learning that the IT and data-driven practices standard in the U.S. will not stand in the GDPR-regulated European Union.
There are some basic preparations that any U.S. business must undertake even to consider getting ready for business in the EU.
GDPR and Territorial Scope
Per Article 3 of GDPR law, any company collecting information from a data subject resides in the European Union, regardless of the organization’s location.
The law defines two different types of organizations to which these laws apply to:
- Data Controllers: A data controller is an organization or individual that makes decisions and determinations about data collection. This includes making decisions about implementing IT infrastructure and business processes to collect information from a data subject within the EU. Data controllers can come in the form of traditional businesses as well as non-profit or government organizations.
- Data Processors: Data processors are organizations that handle data processing responsibilities for the controllers. These are most often third-party software or service providers.
Both parties are held under the jurisdiction of GDPR rules when collecting and processing consumer data in the EU. A controller, however, may not process user data–they only make decisions regarding that processing. As such, controllers and processors have slightly different responsibilities under GDPR. One of these, not least, is the assumption of controller accountability for third-party processors.
Furthermore, it’s quite common for a business to be both a controller and a processor. In such cases, this organization must adhere to the strict requirements of both categories.
GDPR and Data Collection Requirements
Generally speaking, however, if the organization or the data subject is within the EU, and/or the processing or collection of the data happens within the EU, then it is understood that the activity falls under GDPR.
This creates a few scenarios, depending on where that organization is:
- Data Subjects Within the EU: Any data collected from a data subject in the EU is governed by GDPR. Note that a “data subject” isn’t necessarily a citizen–if a U.S. citizen is living in the EU for work-related reasons, they are still protected.
- Data Subjects Outside of the EU: Non-EU citizens in territories outside of the EU are not covered by GDPR. However, EU citizens in other countries are protected by the concept of “extraterritoriality,” meaning that data collection from these individuals will fall under GDPR for legal purposes in the EU.
- Organizations Within the EU: A controller or processor within the EU is held accountable to GDPR laws and regulations for citizens of the EU. That is if there is any case where a controller or processor performs data activity within EU territory, that GDPR governs activity.
- Organizations Outside the EU: If an EU business operates partially outside of EU jurisdiction, data processing activities happen outside EU territory, and data processing does not include EU citizens, then it may not be subject to GDPR. For example, an EU company offering services in non-EU areas with local processors that handle data in those areas exclusively may not need to comply with GDPR.
How Can Companies in the U.S. Start Prepare for GDPR?
GDPR isn’t a law that snuck up on the business world. Many large enterprises have adjusted or at least begun the process–although that hasn’t been without its hiccups. However, these large enterprises are quick to learn, considering the steep costs of non-compliance.
With Europrivacy looking to be a significant step towards a global GDPR assessment standard, there really isn’t a reason for even small businesses operating partially in the EU to begin looking down the road on their compliance journey.
Whether you’re a large or small business, there are a few critical steps you need to take to start preparing for GDPR:
- Assess All Third-Party Relationships: Because your company may be a controller, a processor, or both, you must understand where your organization falls and how that impacts your compliance responsibilities. Furthermore, and make no mistake about this, your company will most likely be responsible for any compliance issues with your third-party processing vendors. If you’re a controller making data decisions and your processing partners break GDPR rules, you’ll be asked to account for the relationship. This means clearly understanding contracts, governance agreements, and so on.
- Audit Internal Processing: If you collect and process data from people in the EU, then you’re not getting around GDPR. Audit all your data processes that touch regulated data to assess how, or even if, they adhere to GDPR requirements. And this audit goes much deeper than you think–your company could be responsible for protecting PII in esoteric records like audit logs and internal monitoring reports.
- Audit Data Collection: The days of big-net data collection and shotgun-blast email marketing may be going the way of the dodo. Suppose you’re asking for personal information like email addresses within the EU, regardless of your company’s location. In that case, you must have disclosure and opt-in mechanisms in place. This includes even basic mechanisms you might take for granted, like collecting cookies on your public website.
- Audit Data Operations: Unlike the U.S., your ability to process information is limited by purpose and scope. That is, you cannot simply collect data and then use it as you will. You may only use it within clearly-defined and consented-to purposes. Also, you cannot freely sell or share that data with other parties without more consent. It’s best to understand how your business uses information and how that will change in an EU context.
- Understand Data Subject Rights: GDPR clearly defines data subject rights, including the right for data disclosure and the right to be forgotten. These rights are non-negotiable, as are the timeframes for which you must comply with any request. In preparing for GDPR compliance, you’ll need to assess your ability to disclose data to subjects, modify or delete that information, and perform any of these operations within 30-45 days.
Align Your Business with GDPR and Europrivacy with Lazarus Alliance
We’re peering into the future of regulations and compliance, and everywhere we see the GDPR as a major requirement for many large businesses. It’s simply not feasible to ignore what’s happening in the EU or how it impacts basic business practices like exchanging cookies or email information with EU citizens.
If you’re seeing the writing on the wall and aligning your IT and business with GDPR and Europrivacy, then we can help. We have extensive experience with GDPR compliance as well as some of the most rigorous standards and regulations from around the world.