Unraveling GDPR: GDPR Compliance Checklist for U.S. Companies (Part 2)
As businesses rapidly turn digital, it has become far easier to interact globally and to engage with customers using their data. GDPR’s data privacy regulations serve as the ultimate guardrail for U.S. businesses involved in trans-Atlantic data transfers and in the processing and monitoring of data belonging to their EU and EEA customers. However, the learning curve is not steep. Almost 32% of U.S. companies have a Data Protection Officer (DPO), and 27% spend over half a million on GDPR compliance. And yet, the highest GDPR fine to date, €1.2 billion, was imposed on the U.S.-based company Meta. It is time to lay out a comprehensible GDPR compliance checklist for U.S. companies.
In part 1 of this blog, we covered GDPR’s Article 3 to discuss the extraterritorial scope of the regulation, which applies to U.S. companies that:
- Are located in the U.S. but offer goods and services to customers in the EU and EEA.
- Process data of data subjects (individuals) in the EU and EEA.
- Monitor user behavior using website cookies or IP addresses.
Before we discuss the GDPR compliance checklist for U.S. companies, let’s review some of the essential terms used in the regulation manual.
Commonly Used Terms in GDPR Provisions
GDPR is a compilation of several laws on individuals’ rights to digital privacy, and it holds businesses responsible for protecting data subjects’ personal data. According to Article 4(1), personal data is any information relating to an identified or identifiable natural person, including but not limited to:
- Personal Identification Information (PII): PII includes an individual’s name, email address, phone number, or website user ID.
- Personal Information: Personal information refers to views on politics, religion, sexual orientation, ethnicity, or any kind of ideological conviction.
- Healthcare Information: Data such as patient name, test results, email and contact information, genetic history, healthcare history, and care provider records, in written or electronic form, are classified as healthcare information.
- Biometric Data: Includes an individual’s fingerprints, facial patterns, voice, and typing cadence.
- Web Data: Users’ names, IP addresses, browsing history, online activities, credit card or online payment information, email addresses, and more fall under web data.
To illustrate, let’s consider a fictitious marketing firm, XYZ, registered in Illinois, U.S., with a global presence. XYZ also targets consumers in the EU and EEA markets. Under GDPR’s extraterritorial scope, XYZ automatically falls under GDPR jurisdiction.
- Data Protection Authority: Every EU member state has a Supervisory Authority (SA), also called the Data Protection Authority, that oversees GDPR duties within the territory. In the case of the marketing firm XYZ, if an EU or EEA user files a GDPR complaint against the company, then the DPA of the member state will monitor and manage its cross-border data processing activities.
- Processing Activities: Under GDPR’s Article 4, processing refers to any operation or set of operations performed by a company on personal data or sets of personal data, whether or not by automated means. Processing includes collection, recording, structuring, storage, adaptation, use, retrieval, consultation, restriction, destruction, or erasure. If XYZ collates demographic data of target customers from the EU for analysis to support marketing research and campaigns, that effort is classified as data processing.
- Data Controller: A controller can be a natural or legal person, public authority, or any other entity that, alone or jointly with others, determines the purposes and means of processing personal data, as per criteria determined by Union or Member State law. The firm XYZ is a data controller because it manages the processing of EU customers’ personal data.
- Data Processor: A processor is any natural or legal person, public authority, agency, or other entity that processes data on behalf of the data controller. If XYZ appoints an external agency, ABC, to process its EU users’ data on its behalf, then GDPR identifies ABC as a data processor.
- Third Party: If the data controller or processor legally authorizes any other natural or legal person, public authority, agency, or body to process personal data, that entity is called a third party. Legally speaking, XYZ and ABC can appoint a third-party state agency to process the personal data of their EU users.
- Consent: Consent of the data subject or user refers to any freely given, specific, informed, and explicit authorization, by a statement or by a clear affirmative action, that signifies agreement to the processing of personal data relating to the data subject.
To avoid hefty fines and legal consequences from GDPR enforcement decisions like those against Meta, TikTok Limited, WhatsApp, Google LLC, and others, here’s what XYZ must do to prepare for GDPR in the U.S.
GDPR Compliance Checklist for U.S. Companies
- EU Personal Data Audit: Companies must start with an internal personal data audit to assess if any of it belongs to EU users. In the case of XYZ, the marketing agency that already processes such data of its EU users will conduct an audit to determine whether its ‘processing activities are related to offering goods or services to data subjects irrespective of whether connected to a payment.’ Refer to GDPR’s Recital 23 to assess if your processing activities would come under GDPR’s provisions.
- Seeking Data Subject’s Consent: No business or entity is legally authorized to use or process others’ personal data without the data subjects’ consent. If XYZ processes personal data without a user’s consent, the firm is subject to additional duties. As per Article 12, XYZ must provide clear and transparent information about its data processing activities to all data subjects and update its existing privacy policy. To understand more about the lawfulness of processing activities, refer to GDPR Article 6d.
- Conducting Data Protection Impact Assessment (DPIA): DPIA is mandatory to understand the risks associated with the organizations’ personally identifiable information (PII) processing activities. DPIA tests also help decide risk prevention strategies to demonstrate compliance.
- Enhancing Data Protection: Findings from DPIA tests help identify gaps in data privacy and protection approaches, so that technical safeguards such as end-to-end encryption and organizational safeguards can be strengthened to prevent data breaches. XYZ would be required to adopt the “data protection by design and by default” principle.
- Data Processing Agreements with Vendors: As a data controller, every company will be held partly liable for GDPR violations by its third-party clients. A data processing agreement makes it easy to define the rights and responsibilities of all stakeholders and third parties, such as an email vendor, a cloud services provider, and any other subcontractor that handles personal data. To maintain GDPR compliance, XYZ can use the data processing agreement template.
- Appointing a DPO (If Required): Whether you are a data controller or a data processor, any organization engaged in large-scale processing of sensitive data must appoint a DPO. XYZ processes the personal data of data subjects residing in the EU, and as a marketing agency it can be assumed to handle a wide range of personal data on a large scale, including online behaviors, shopping history, and other related information. It must therefore hire a DPO who meets all GDPR requirements in terms of qualifications, duties, and characteristics.
- Appointing an EU Rep: Under Article 27, any non-EU organization must appoint a representative in one of the EU member states. Refer to Recital 80 for further information about this position.
- Adoption of Risk Remediation Strategies: Articles 33 and 34 outline what controllers must do, without undue delay, in case of a breach incident. They lay out clear guidelines for notifying the Supervisory Authority about the personal data breach and the related facts.
- Adhering to Cross-border Transfer Regulations: GDPR Article 45 sets tough requirements for companies that transfer their users’ data to non-EU countries. Organizations must self-certify under the Privacy Shield Framework and adhere to the GDPR compliance checklist to avoid the EU’s regulatory scrutiny.
Data Privacy Guardrails Are Essential, and GDPR Makes Them Stronger
GDPR is, hands down, one of the world’s strictest customer data privacy regulations, and businesses are required to follow it. With the rapid evolution of AI, consumers and regulators are becoming more concerned about the use of personal information. Already, 60% of consumers have explicit concerns about the use of AI, and 65% say that it has already affected their trust in companies using AI. Interestingly, another 54% of users are willing to share personal data in anonymized form to improve AI products and services, according to the recent Cisco Data Privacy Benchmark Study. To ensure that organizations practice appropriate data protection, GDPR’s extensive reach affects any U.S. company that deals with European users’ personal data in some form.
Last year, on July 10th, the European Commission implemented its adequacy decision to allow secure sharing of personal data from the EU with U.S. companies participating in the Data Privacy Framework. The decision was followed by the Executive Order on Enhancing Safeguards for U.S. Signals Intelligence Activities issued by President Biden and by regulations issued by the Attorney General. These regulatory frameworks guarantee that U.S. intelligence agencies access data only to the extent necessary and proportionate, and they establish an independent and impartial redress mechanism to handle complaints about the collection of EU data for national security purposes. The new safeguards also apply to all U.S. companies’ data transfer mechanisms and facilitate the use of standard contractual clauses and binding corporate rules.
Using iTech GRC’s expertise in implementing IBM OpenPages’ Data Privacy Management solutions, your business can keep up with recent data privacy regulations and enforce compliance. Explore the latest AI-powered updates to OpenPages to streamline your data privacy management and support your GRC goals for 2024.
Reach out to our experts today to help plan your GRC projects using OpenPages.