In the age of targeted ads and biometric authentication, data privacy has become more relevant than ever before. It has forced governments to enact laws regulating the relentless collection and sharing of data, the GDPR being the prime example. Plenty of businesses around the globe had to review their approach to doing business when this set of rules came into full force in 2018.
From my experience of working with American IT product firms, I see that legal compliance is the priority for most entrepreneurs. However, much confusion arises when companies face the General Data Protection Regulation in the USA. Business leaders start asking whether this regulation can tremendously affect US enterprises, what an IT enterprise should do to comply with GDPR, and how crucial it is for American companies. Let me dispel all your doubts by answering these questions.
How Does GDPR Apply to US Companies
In essence, the General Data Protection Regulation is a legal framework: a set of rules created to protect the personal information of EU citizens. It governs personal data that passes into the hands of organizations, and its main aim is to lay down rules for handling the personal data processed in connection with organizations’ establishments in Europe. The regulation is designed to guarantee the rights of data subjects and give them more control over the information that businesses collect, process, and store about them. It also addresses the complications of transferring personal information out of the EU and the European Economic Area.
Although the regulation was drafted for EU members, it also covers the external activity of European enterprises, which often takes place in the US. So, American entrepreneurs should take care of their European divisions and keep an eye on the law. In this article, you’ll learn how the European regulation applies to non-European companies and whether American tech businesses should worry about it when expanding offshore.
Is GDPR applicable to American organizations? Yes, it applies to both private and public firms worldwide. All companies that use the information of data subjects located in the European Union are subject to this regulation. Previously, a similar document existed, the 1995 European Union Data Protection Directive, which was replaced by the GDPR. The former had little impact on firms outside the Union, but when the GDPR took effect on May 25, 2018, it significantly changed the territorial scope of the law. Thus, today many US-based companies are subject to this regulation, for example, if they offer goods or services to individuals located in the EU and collect or otherwise process any data from European customers. Moreover, American organizations must comply with the GDPR whether or not they have employees or offices within the EU.
Does GDPR apply to US citizens? It can. For instance, if a company aims to use the personal data of a US citizen who is living in an EU country, the GDPR applies. Although the GDPR does not affect American citizens living in the United States, there are other similar privacy regulations such as the California Online Privacy Protection Act (CalOPPA) and the California Consumer Privacy Act (CCPA).
Each year more and more companies make efforts to follow the necessary guidelines and implement best practices to become GDPR compliant. Data protection authorities and attorneys usually learn of violations through dissatisfied clients, former employees, bloggers, or the media. Such incidents can dramatically damage the brand image. Conversely, the ethical behavior of an enterprise serves as a differentiator, boosts employer branding, and attracts new clients. Sooner or later, every business that strives to succeed should review and reorganize such fundamental processes as data collection.
What is more, the consequences of non-compliance can ruin your budget due to significant fines. GDPR penalties for US companies are based on the annual worldwide turnover of the preceding financial year and are calculated as 4% of that turnover or €20 million (whichever is greater). Similarly, for less severe infringements the fine is 2% or €10 million.
Even large IT corporations are not shielded from enforcement if they fail to comply. To illustrate that, let’s have a look at the biggest GDPR fines for US companies so far. In July 2021 Amazon was slapped with a record-breaking €746 million penalty by Luxembourg’s National Commission for Data Protection (CNPD) for misusing customer data for targeted advertising. The enterprise outpaced other tech giants. In 2019 Google was fined €50 million by the French DPA for not obtaining user consent to process data for ad personalization. WhatsApp was also hit recently with a €225 million penalty by the Irish DPC. In this case, the main accusations concerned a range of transparency infringements.
GDPR Compliance Checklist for US Companies
I’ve prepared a detailed guide along with GDPR requirements for US companies – a checklist that will help you become fully compliant. Let’s start!
– Define the role your company performs under GDPR
In relation to certain information, your firm could be a data controller, a data processor, or both. The General Data Protection Regulation imposes more liabilities on the data controller, as it determines the purposes and means of processing personal data. A data processor, on the other hand, is responsible for processing personal information in accordance with the controller’s instructions. Having defined its role, the company will understand what specific duties GDPR imposes on it.
– Decide where you are going to transfer personal data
There are no additional rules if the data is transferred to EU States or to other countries that guarantee an adequate level of data protection (aside from compliance with local legislation that may apply in the particular country where the data is processed). However, if a non-EU country does not have an adequate level of data protection (as determined by the European Commission), the controller has to provide additional safeguards for information security, for example by signing standard contractual clauses with the data recipient.
– Conduct an audit of internal documentation
– Check the technical side of data protection
The company should implement appropriate technical measures to become GDPR compliant and minimize the risk of data leakage. Businesses need to set up their internal systems to enable secure data encryption, access controls, regular backups, and intrusion prevention and detection. Cybersecurity also requires policies for software installation, software updates, and equipment upgrades.
– Check the organizational side of information security
It is important to make sure that data processing is organized in accordance with the basic protection principles (e.g. data minimization, and data protection by design and by default). In addition, GDPR for American companies implies that in certain cases, for example if a business processes huge volumes of personal data that reveal race, ethnicity, state of health, or political, religious, or philosophical beliefs, it has to conduct a Data Protection Impact Assessment. This is an inventory of all activities that comprise the gathering, storage, and erasure of personal information. Such an assessment helps to understand how confidential the information really is and what risks specific data subjects would face in case of a security breach. What is more, certain enterprises are also expected to appoint a Data Protection Officer (DPO) who will monitor the company’s compliance with GDPR rules.
Are You Interested in Business Process Outsourcing?
We Provide a Turnkey Solution
GDPR compliance for US companies might seem complicated at first glance, but Alcor has a turnkey solution that will help you run a fully legal business in Ukraine. Our BPO company provides a full set of legal support for American IT product companies, and GDPR is no exception. We’ll handle the development of privacy and data processing policies in accordance with GDPR requirements. Alternatively, we are ready to review your finalized documents and analyze the activities of your offshore development center for compliance with GDPR provisions.
Our legal services are praised by People.ai, a software product company that owns a platform for B2B sales acceleration. The client was looking for ways to expand its development team abroad, so our recruitment department successfully hired 25+ developers with rare skills, while the finance team took care of transparent accounting and payroll. In just 4 weeks we found a perfect office location and established all back-office operations. If you are considering launching your own R&D center in Ukraine as well, choose Alcor as a reliable partner.
Let’s summarize the main points about GDPR for US companies. US businesses must comply with the General Data Protection Regulation if they offer goods or services to people in the European Union, monitor their behavior, or process personal data as part of the activities of their establishment in the EU. To avoid hazardous litigation and tremendous penalties for non-compliance, business owners should take action to meet the GDPR requirements for US companies. I advise you to start by defining the role of your company under GDPR and the location of the data recipient. After that, conduct an audit of internal documents, and check the technical and organizational sides of data protection.
Reach out to Alcor if you need customized legal assistance for running an IT business in Ukraine. You’ll receive a team of professional lawyers with international experience, proven expertise in the tech field, and strong government relations. In addition to providing a full set of IT compliance support, we can cover all other time-consuming tasks, including recruitment, real estate services, HR, payroll, and accounting. Use all these BPO services to set up your software R&D center and forget about operational headaches.