GDPR Compliance in US: A Detailed Overview
The GDPR (General Data Protection Regulation) governs personal data, defined as any information that can identify a person, called a "data subject." Organizations within its scope must honor data subjects' choices about how their data is processed and keep records of that processing. The GDPR's broader aim is to give EU citizens more control over the personal data that organizations collect, access, and store.
So if you own a company in the United States and wish to comply with the General Data Protection Regulation, it is best to hire a professional attorney who can guide you through GDPR compliance.
Does the General Data Protection Regulation (GDPR) Apply to US Citizens?
The GDPR (General Data Protection Regulation) protects the personal data of anyone in the EU (European Union). Thus, when a US resident lives in an EU (European Union) nation and a business collects data about them, the GDPR applies to that information.
In addition, the term "personal data" under the GDPR is considerably broader than under most US compliance regulations, which tend only to guard data that could be used to commit fraud. The GDPR can apply to businesses operating in the United States because it has extraterritorial reach, meaning it also applies outside the EU (European Union), including in the United States. And since the regulation is meant to protect European users, it extends to foreign enterprises, too.
Still, numerous national and state-level privacy laws in the United States of America offer similar protections. In addition, the California Consumer Privacy Act (CCPA) and the California Privacy Protection Act (CalOPPA) govern the collection of "personally identifiable data" from any individual living in the state of California (which includes any California residents who are also EU residents).
Furthermore, the Children's Online Privacy Protection Act (COPPA) regulates the use, supply, and distribution of data belonging to any minor under the age of 13, regardless of nationality, so long as they are in the US (United States) when their information is collected.
What are the Most Crucial GDPR Prerequisites for US Businesses?
Any private or public sector business that supplies or processes personal data concerning EU (European Union) citizens must comply with the General Data Protection Regulation, even if it has no physical presence within the EU. The essential roles are as follows:
- Controllers: They determine the purposes and means of processing personal data. They must implement appropriate technical and organizational measures to ensure, and be able to demonstrate, that personal data is processed in accordance with the General Data Protection Regulation.
- Processors: They process personal data on the documented instructions of a controller. Processors can be internal bodies that store and process personal data records or an outsourcing company that performs all or part of those activities.
The GDPR holds both processors and controllers accountable for breaches of its requirements. Thus, your business and a data processing partner, such as a cloud service provider, will both be liable for penalties and other liabilities under the GDPR, even if the fault lies entirely with your processing partner. So to ensure you never have to pay hefty penalties for non-compliance, you should hire a professional attorney who can help you remain fully compliant with the GDPR rules applicable in the US.
GDPR Compliance Rules for US Companies
For your US company to comply with the GDPR (General Data Protection Regulation), here are the steps it must follow:
- Maintain a Lawful Basis: The GDPR (General Data Protection Regulation) requires that you have at least one legal ground for processing personal data.
- Ensure Consent is Opt-in: While United States regulations generally allow the collection and processing of personal data without the user's permission, the GDPR demands that you obtain "freely given, specific, informed and unambiguous" consent through a clear "opt-in" action.
- Designate a Data Protection Officer (DPO): If your company is based outside the European Union, you may need a European representative to ensure that your business complies with the GDPR. Nevertheless, appointing a DPO (Data Protection Officer) is optional.
- Maintain Unambiguous Records / Proof of Consent: The General Data Protection Regulation also gives users a specific right to withdraw consent. Therefore, it must be as easy to withdraw consent as it is to give it. Since consent is a central issue under the General Data Protection Regulation, you must record and keep clear documentation of that consent.
- Make Legally Mandated Disclosures Via your Privacy Policy: This information should include who is processing the data, the user's rights regarding their data, and how they can exercise those rights.
- Ensure that you can Lawfully Transfer EU Data: Under the General Data Protection Regulation (GDPR), you can only transfer EU residents' data outside the European Economic Area when specific data protection safeguards are in place.
Requirements for Data Processing Contracts in the United States
The General Data Protection Regulation requires controllers and processors to enter into a legally binding contract whenever a controller engages a processor to process personal data on its behalf. In addition, controllers must only use processors that provide sufficient guarantees of appropriate technical and organizational measures to comply with the GDPR. These measures should be set out in the company's data security policies.
Article 28 of the GDPR describes what must be included in a Data Processing Agreement between a data processor and a data controller. At a minimum, it must contain the following information:
- The subject matter, nature, duration, and purpose of the data processing.
- The obligations and rights of the controller.
- The types of personal data being processed.
- The categories of data subjects whose personal data is being processed.
Furthermore, the contract must include the following terms:
- The processor takes all measures required by Article 32, including implementing appropriate technical and organizational measures to protect the personal data received from the controller.
- The processor uses personal data received from the controller only on the documented instructions of the controller (unless required by law to process personal data without such instructions).
- The processor ensures that any individual processing personal data is bound by an obligation of confidentiality.
- Any sub-processors must comply with the same data protection obligations as the processor, and the processor remains directly liable to the controller for the sub-processors' performance of those data protection obligations.
- The processor obtains the controller's written consent for any sub-processors it engages to process the personal data received from the controller. If the controller gives general written consent to the use of sub-processors, the controller must be entitled to object in advance to each sub-processor the processor proposes to engage.
- The processor assists the controller, by implementing appropriate technical and organizational measures, in responding to requests from data subjects exercising their rights under the GDPR.
Moreover, when your US-based organization is part of a global corporation established in the European Union, and you regularly receive data about EU residents from your EU affiliates, you are subject to the rules that govern such data transfers between countries.
Conclusion
In a nutshell, unlike industry-specific United States compliance laws such as GLBA for finance or HIPAA for healthcare, the GDPR is a general data privacy law that applies to all companies, public and private, that collect or process the personal data of EU citizens. That means many US businesses are also subject to the GDPR.
At ContractsCounsel, we are a team of expert legal professionals, and our competent attorneys can help you remain compliant with all the GDPR provisions applicable to US companies. So why wait? Call our professional lawyers today and make your business fully GDPR compliant.