GDPR Across the Pond

For digital-based businesses of today, data flows transcend borders and continents, necessitating the creation of new legislation and protections to keep your sensitive data private.?

The General Data Protection Regulation (GDPR) represents the cornerstone of modern data protection globally. Introduced by the European Union (EU), the GDPR has set a new benchmark for data privacy laws, compelling small and medium-sized businesses (SMBs) and enterprises worldwide to reassess and often revamp their data handling practices.?

You might not know that the GDPR not only affects businesses within the EU, but also has far-reaching implications for United States (US) businesses that process the data of EU citizens. As such, it’s not just a regulatory framework to comply with, but a global influencer actively shaping data protection standards. Here’s what US SMBs need to know about the GDPR.

An introduction to GDPR and its principles

The General Data Protection Regulation is an extensive data privacy and security law that the European Union enacted on May 25, 2018. The GDPR sets stringent guidelines for the handling of personal data, emphasizing the importance of privacy and data protection today.

The GDPR’s key principles are designed to safeguard personal information, empower individuals with greater control over their data, and unify data protection regulations within businesses across all EU member states:

1. Consent and lawfulness: Data processing must be lawful, fair, and transparent. Businesses must have a legitimate reason for processing personal data, and often must obtain explicit consent from individuals.

1. Purpose limitation: Data collected for specific purposes cannot be reused for incompatible purposes without further consent.

1. Data minimization: Only the minimum necessary data for the stated purpose should be collected and processed.

1. Accuracy: Personal information should be maintained correctly and current.

1. Storage limitation: Personal information should not be kept longer than needed for its intended purpose.

1. Integrity and confidentiality: Data must be processed securely, protecting it against unauthorized processing, unlawful use, accidental loss, damage, or destruction.
2. Accountability: Organizations must be able to demonstrate compliance with GDPR principles, including how consent is obtained and how data is managed and protected.

These principles mandate that data protection measures should be integrated into the development process of your products, services, and business practices from the outset. Every organization must also put in place suitable technical and organizational strategies to guarantee that, as a standard, only the personal data essential for each distinct processing purpose is gathered and processed.

Data Subject Rights

For individuals, the GDPR grants a number of greater rights for data subjects (your customers or users from the EU that you collect data on) concerning their personal data. These rights are:

• The right of access: Individuals can request access to personal data and obtain information about how the business is processing information, the recipients, the planned duration of storage, and more.

• The right to rectification: Individuals have the right to correct inaccurate or incomplete personal data.

• The right to deletion: Under certain conditions, individuals can request the deletion of any personal data, and the business must erase said data immediately if there are no legal grounds for processing.
• The right to data portability: Individuals can request the transfer of their personal data from one organization to another, in a structured, commonly used, and machine-readable format.

The right to be informed: Individuals have the right to be immediately informed of when and where data is obtained directly, which is at the time the data is obtained.

The obligation of data breach notification

Besides the previously mentioned rights, the GDPR also establishes a duty to notify all organizations to inform the appropriate supervisory authority about specific types of data breaches within 72 hours of discovering the breach, unless the breach is not expected to pose a risk to the rights and freedoms of individuals.

In the event of a breach that poses a significant threat to the rights and freedoms of individuals, the organization is obligated to notify the impacted individuals without unnecessary delay.

Because the GDPR introduces obligations around data consent, data subject rights, and data breach notifications, among others, data compliance is also non-negotiable. There are substantial fines for data breaches under the GDPR, underscoring the importance of understanding and implementing GDPR-compliant practices.

What are Data Protection Officers (DPOs) and EU Representatives?

Based on the GDPR’s mandates, certain organizations catering to EU customers are required to appoint Data Protection Officers (DPOs), particularly businesses that engage in large-scale systematic monitoring or processing of sensitive personal data (public offices, except for courts, also always have to have a DPO in place). The DPO’s role is to oversee GDPR compliance, and acts as a point of contact within your business for supervisory authorities and individuals whose data is processed.

If you are a US-based business without a physical presence in the EU, but you are subject to the GDPR on account of serving EU customers, you are required to appoint an EU representative. This representative acts as a local contact for supervisory authorities and data subjects in relation to GDPR matters within your organization, and has a number of obligations.

Why the GDPR is relevant to US businesses

The GDPR’s principles not only serve as the foundation of the act, but also as a model for data protection laws worldwide, because any business outside the EU that offer goods or services to EU residents or monitor their behavior must adhere to GDPR standards.?

This makes understanding what the GDPR is highly relevant for US-based small and medium-sized businesses (SMBs), especially if you are engaged in digital commerce or services.

Four key steps to achieve GDPR compliance

For US-based businesses, navigating the GDPR waters is crucial yet understandably complex.?

The regulation mandates stringent data protection and privacy measures, impacting how you collect, store, and process the personal data of EU citizens, who may make up part of your customer or user-base.?

To help you on your journey, we’ve compiled a list of steps to achieve data compliance with the GDPR:

1. Determining applicability: Assess whether your business activities fall under the scope of the GDPR. This involves understanding the nature of the data you collect and process, and whether it pertains to, or includes EU citizens or residents.

2. Data mapping: Conduct a thorough audit of the personal data you hold, tracing its flow within and outside your organization. This step is crucial for identifying the scope of GDPR’s applicability to your operations, and serves as the foundation for data compliance efforts.

3. Privacy notices: Update or create privacy notices that comply with GDPR requirements. These notices, available to view on your company’s website, must clearly articulate how you collect, use, and manage personal data, including the legal basis for processing, data retention periods, and the rights of individuals regarding their data.

4. Data Protection Impact Assessments (DPIAs): For processes that pose a high risk to individuals' rights and freedoms, DPIAs are mandatory. These assessments help identify and mitigate risks associated with data processing activities. The GDPR official website provides a handy template on how to conduct a DPIA which we highly recommend reading and using.

The impact of the GDPR on US businesses

Complying with the GDPR undoubtedly brings a number of changes for US-based businesses.?

It is a significant effort to adhere to a new set of regulations, especially around data which is effectively the lifeblood of your business, but understanding the most important changes, which we cover below, will help ease your organization into adjusting processes around the GDPR.

Operational changes for GDPR compliance

Adjustments to data collection and processing: Adherence to the GDPR means you must ensure your data collection methods are transparent and lawful, obtaining clear consent where necessary. This involves revising your privacy policies, consent forms, and data collection procedures wherever you may collect customer information (your contact us form, website landing pages, email campaigns, and more) to align with GDPR standards.

Data protection measures: Implementing robust data security measures is a cornerstone of GDPR compliance, so you must conduct an assessment of your current data protection practices and upgrade them as needed to prevent data breaches.

Culture, training and awareness: GDPR adherence carries a shift in mindset, new training requirements and broader awareness about data privacy within the organization, which can be a challenge if you have previously only operated under vastly different regulatory environments to this point.

Technical implementation: Data protection measures require advanced solutions to be integrated into your business systems and processes, and understandably this can impact any SMB or enterprise with highly complex IT environments. If your business does not have existing expertise in implementing data compliance and cybersecurity solutions, it is important to assess the services of a managed service provider (MSP), also called managed IT services, who can assist you in choosing the best platforms and solutions to adhere to the GDPR’s regulations.

Cost of compliance vs non-compliance

Compliance costs: Achieving GDPR compliance involves initial and ongoing expenses, including legal consultation, technology upgrades, training, and potentially appointing a DPO or EU representative. While these costs can be significant, especially for SMBs, they are long-term investments in your company's future security and reputation.

Non-compliance costs: The consequences of failing to comply with GDPR can be far more severe than the investment costs. Fines can reach up to €20 million or 4% of the company's global annual turnover (dependent on what is higher). Beyond financial penalties, non-compliance can lead to reputational damage, eroding customer trust in your company, and potentially lead to loss of business should you know follow through with adjusting for the GDPR.

Examples of US businesses adapting to GDPR requirements

With the GDPR in place since 2018, several US businesses have successfully navigated the transition to GDPR compliance, demonstrating that while challenging, compliance is achievable and beneficial.

Kroll, an independent financial advisory firm, provides a detailed case study of a California-based clinical-stage biopharmaceutical customer that needed to enhance its compliance with both U.S. data privacy laws and the GDPR. The company embarked on a plan that involved data mapping, sanitization, retention efforts, and the development of a privacy compliance roadmap. Its story highlights the importance of transparent data mapping and the establishment of robust privacy controls and policies to support long-term compliance goals.

Adobe puts GDPR compliance front-and-center as part of its online customer materials, transparently outlining how they prepared for and comply with the GDPR to ensure their customers’ data remains safe when transferring data from the EU to the US.

Some of America’s largest companies, such as Microsoft and Salesforce, have committed to GDPR compliance across their vast ecosystems, implementing new data privacy and user protections and installing DPOs to conduct regular privacy assessments to mitigate risks and reassure their substantial EU-based customer bases of their adherence to the GDPR.

GDPR vs US data protection legislation

The US has existing laws and policies in-place to protect business and customer data which differ from the GDPR in terms of regulatory scope and enforcement of compliance.?

The US government has taken a sector-specific approach to regulation compared to the EU’s more comprehensive one, with different legislation tailored for specific industries, such as the Health Insurance Portability and Accountability Act (HIPAA) for the healthcare sector.

The most significant US data protection policy and closest comparison to the GDPR is state-based. The California Consumer Privacy Act (CCPA) protects California residents with similar data subject rights, legal bases for processing data, and penalties for non-compliance.?

For a more detailed comparison between GDPR and US-specific data regulation and legislation, we recommend reading our guide on Cybersecurity Law in EU vs. US.

Preparing for broader adoption of GDPR-like US regulations?

As the landscape for data protection evolves, US businesses can expect stricter regulations akin to the GDPR to become more widespread. Preparing for these changes is essential to ensure compliance, maintain customer trust, and leverage regulatory adherence as a competitive advantage. Here are some best practices and considerations:

Understand current data flows: Conduct a thorough audit of your data processing activities. Knowing what data you collect, where it comes from, how it's used, and where it's stored is the first step in preparing for any regulation.

Implement data minimization: Only collect and process data necessary for the specified purposes. This principle not only aligns with GDPR's requirements, but also prepares you for similar regulations that prioritize data minimization.

Ensure data security: Adopt strong security measures to protect personal data from unauthorized access, disclosure, alteration, and destruction. Regularly review and update your data security practices.

Develop a privacy policy: Draft clear, transparent privacy policies that comply with GDPR requirements. These should detail your data collection practices, usage, and individuals' rights regarding their data.

Train your employees: Educate your staff on the importance of data protection and the specifics of GDPR-like regulations. Regular training ensures everyone understands their role in maintaining compliance. This includes cyber awareness training for employees on the importance of data privacy and training for employees who you appoint to be a DPO or EU representative within the business.

GDPR compliance for US businesses: Next steps

Achieving GDPR compliance is ultimately an ongoing process that requires regular review and updates to practices, policies, and procedures in response to evolving regulatory interpretations and technological changes. For US businesses, embracing these obligations not only aids in compliance but also signals a strong commitment to data protection and privacy, enhancing trust with customers and partners alike.

If you are a SMB, it can be understandably more complex and difficult to update your processes and protections to adhere to the GDPR. I recommend evaluating a partnership with a MSP, who can help you up-to-speed with your data protection processes and data compliance efforts.?

SparkNav is one such MSP that specializes in helping SMBs with data compliance and cybersecurity solutions. Speak to our team today to learn how we can help your business get compliant with both the GDPR and any future US-based regulations surrounding data privacy and customer information.