Unraveling GDPR Requirements and How Some of it Impacts the U.S. (Part 1)
Six years after its enforcement, the European General Data Protection Regulation (GDPR) is now an exclusive industry in the U.S. There are about half a million jobs for data protection officers (DPOs). Companies like Meta, Amazon, and Google are charged with fines worth billions of dollars for non-compliance. A takeaway is that GDPR’s extraterritorial scope also impacts U.S. companies with customers from the EU member nations.
In the rest of this blog, we will uncover all the GDPR requirements applicable to the U.S.
GDPR Applies to U.S. Companies
Almost 69% of countries have data protection and privacy laws in place. The U.S. already has several federal and state data privacy laws, such as the Privacy Act of 1974, HIPAA, the California Consumer Privacy Act (CCPA), and the Children’s Online Privacy Protection Act (COPPA). However, over the last decade, as companies began fueling their digital journeys by processing personal data, there has been a heightened emphasis on data privacy, transparency, and consumers’ explicit consent. Almost 92% of Americans are concerned about their online data privacy. Incidentally, the IBM Report found customers’ personal data such as name, email, password, and healthcare information were exposed in nearly 44% of the breaches.
GDPR was enforced as an updated and unified data privacy law across the EU, replacing the 1995 EU Data Protection Directive. It is based on seven principles and offers guidelines for processing personally identifiable information (PII). It also provides mandates to ensure the implementation of relevant data protection practices.
As per GDPR requirements, all businesses must maintain transparency about their data processing activities and safeguard the privacy rights of individuals or ‘data subjects’. In case of data breach incidents, the legislation also requires companies to inform all authorities and affected individuals within 72 hours. Non-compliance by companies can result in legal fines of up to €20 million or 4% of annual global turnover, whichever is higher.
The data privacy mandates apply to EU citizens and companies within and outside the EU collecting personal data of individuals domiciled in or whose data is stored in the EU or European Economic Area (EEA) region. In short, U.S. entities also fall under its extraterritorial radar.
What is GDPR’s Extraterritorial Scope?
According to Article 3, any establishment or individual that processes personal information is a data controller or data processor. So, any entity based in the U.S. dealing with the EU and EEA individuals’ personal data is classified as a data controller or data processor.
- Data Controller: Data controllers decide how the data is collected, used, stored, and processed. They are responsible for satisfying all GDPR requirements to avoid legal repercussions and fines for non-compliance. Data controllers are liable to pay for damages to data subjects or individuals.
- Data Processor: A data processor collects, stores or deletes and transfers personal data to third-party entities as per data controllers’ instructions. The data processors are also involved in building and implementing tech tools and systems that help capture and safeguard personal data. Since they do not decide the data control and processing mechanisms, security mandates set out in Article 32 are applicable. Additionally, they must maintain their processing activity records as per Article 35. In the case of international data transfers, the processors must follow obligations under Article 46.
Any organization, person, not-for-profit company or government agency in the U.S. can be a data controller and data processor.
- Controllers and Processors Can Be the Same Firm: In certain instances, data controller and data processor positions can overlap. An individual, business, or other entity can be a data controller for one company and concurrently serve as a data processor for another. GDPR provisions accommodate entities performing both controller and processor duties.
How Do GDPR Requirements Affect U.S. Companies?
Understanding GDPR requirements and their impact on U.S. companies can be overwhelming at first. However, GDPR’s overarching goal is to protect individual or data subjects’ rights, not control organizations engaged in data processing and control. With GDPR in place, almost 52% of consumers feel they have better control over their personal data. Here’s a breakdown of the GDPR requirements for the U.S.
- U.S. Companies: Under Article 3 of GDPR, any company outside of the EU region having an establishment in the EU or businesses that offer goods and services to customers in the EU and EEA fall under the GDPR purview. It also includes firms monitoring users in the EU and EEA by collecting, processing, and analyzing their personal data behaviors using website cookies or IP addresses.
For example, social media platform providers like Meta and Instagram or streaming services like Netflix with customers in the EU and EEA must comply with GDPR.
- U.S. Citizens: According to Article 3, GDPR applies to U.S. citizens located in the EU and EEA. In this case, these individuals will be referred to as data subjects. The scope of GDPR is location-based, not citizenship or nationality-based.
For instance, let’s assume a U.S. national travels to Munich, Germany, to attend the Oktoberfest. They become data subjects, and all the GDPR provisions would apply to them. When they return to the U.S. and upload online pictures taken during the beer festival, GDPR principles no longer apply as their physical location is outside of the EU and EEA.
- U.S. Government: GDPR applies if the U.S. government (including all federal and state agencies) processes data of EU and EEA-based individuals. However, Article 2 exempts government agencies from complying with specific directives if their data processing activities are for public safety, like prevention, investigation, detection, or prosecution of criminal offenses and threats. Since the U.S. is not an EU member, these exemptions are not applicable. Therefore, the U.S. government is required to comply with GDPR legislation.
As per Article 50, the U.S. government, like any third country or international organization, must provide a mutual assistance and cooperation mechanism to allow the EU to enforce GDPR to protect personal data. Non-EU governments’ obligations include involving stakeholders in discussions and initiatives to further their cooperation in legislation enforcement. They are also required to document and exchange personal data protection practices, including jurisdictional conflicts with third countries.
Who in the U.S. is Exempt from GDPR?
Any organization or business that does not sell goods and services to EU and EEA customers or process their personal data is exempt from GDPR requirements. In layperson’s terms, if your business’ websites do not interact with EU and EEA individuals, you do not have to worry about GDPR compliance.
So, if you are a U.S. company with a customer base in the EU and EEA, stay tuned for part 2 of this blog, which will include a checklist of GDPR requirements.
How Can iTech GRC Help Meet GDPR Requirements?
About 62% of Americans think it is impossible to go through daily life without companies gathering their data. And 47% feel they receive too many privacy-related notifications because of GDPR requirements, while 60% view GDPR and other data privacy laws as beneficial. Consumers’ growing literacy on data privacy and consent can be both a challenge and an opportunity for U.S. companies looking to establish customer trust through GDPR compliance. AI-driven compliance and risk management tools are necessary to bridge the gaps in regulatory compliance.
At iTech GRC, we understand the ever-growing concerns about data privacy. We specialize in helping our enterprise customers achieve an in-depth view of their data privacy practices. IBM OpenPages’ Data Privacy Management solution eases privacy reporting and risk management workflows to ensure compliance with complex regulatory frameworks like GDPR, CCPA, and more.
We can help define newer pathways using AI capabilities in OpenPages to curb compliance costs and complexities for maintaining an inventory of private data assets across your organization.
Contact us today to get started on the data privacy management journey using OpenPages!