Customized, Informed And Trusted Business Counsel

Does GDPR Compliance Apply to US Companies?

On Behalf of | Jun 1, 2021 | Corporate and Commercial

The European Union’s General Data Protection Regulation (GDPR), which was approved by the European Parliament in 2016 and became enforceable in 2018, is arguably the most comprehensive and far-reaching digital privacy law across various jurisdictions.

Several US-based businesses are required to comply with the GDPR because any US organization that provides services or products to, or monitor the behaviors of, European individuals or companies, falls under the scope of the GDPR, which has been adopted to ensure eight fundamental rights of EU citizens over their data collected:

  • the right to be informed with respect to how their data is collected;

  • the right of access any data collected;

  • the right to request rectification of any inaccurate or incomplete data;

  • the right to object to the use of their data;

  • the right to be forgotten;

  • the right to reuse their data for other services;

  • the right to restrict certain data processing activities;

  • the right not to be subject to a decision based merely on automated processing.

Once established that a US company is subject to the GDPR, six crucial requirements will kick in:

  • data breach notifications: authorities must be notified within 72 hours in the event of a data breach;

  • data breach impact assessments: an evaluation of high-risk processing activity on the security of personal data must be conducted;

  • privacy by design: the protocols of a company should proactively implement procedures to protect privacy;

  • strict consent conditions: before processing personal data, a company should obtain explicit and unambiguous consent from the data owner;

  • data subject access requests: a company should have controllers addressing the requests of any individual whose data are processed;

  • appointing a data protection officer to monitor and coordinate compliance efforts and act as a point of contact with supervising authorities.

US companies subject to the GDPR that do not have a physical presence in the EU are required to have a data protection officer physically established in the EU to act as a point of contact with EU authorities in the event of GDPR violations. Fines can be as high as €20 million or 4% of the annual global revenue (notoriously, Google was hit in 2019 with a €50 million fine for several GDPR breaches over its ads. Typically, violations are enforced either over EU-located assets of a US company or through the domestication of an EU judgment in US courts.

US businesses should take the following steps to make their websites GDPR compliant:

  • obtaining and recording consent from to users to use their personal data;

  • explaining in the privacy policy how the personal data are collected and protected;

  • providing options to withdraw easily the consent previously granted;

  • establishing opt-in procedures on website sign-up forms;

  • installing an SSL certificate to protect the website from phishing scams and data breaches

  • making their social media GDPR compliant;

  • storing users’ information in the database by username only, rather than by account information.