Since the European GDPR can also apply to US companies, it’s important to know how to comply. But what’s really required for GDPR compliance? Are the GDPR requirements different for US companies?
In this post, we’ll guide you through the main things you need to know as a US company for GDPR compliance!
When does the GDPR apply to the US?
The GDPR can apply to US companies because it has an extraterritorial scope, meaning that it can also apply outside the European Union. The regulation is meant to protect European users, and therefore it can extend to foreign businesses too.
More specifically, for the GDPR to apply to your US business, you should meet at least one of the following requirements:
your business is based in the EU (please note that this applies even in the case of an EU-branch office);
you’re not based in the EU, but you have EU-based users;
you’re not based in the EU, but you monitor the behavior of EU-based users.
You can watch our video for the complete overview.
In order for your US business to comply with the GDPR, here are some of the steps to follow:
Have a lawful basis. The GDPR requires that you have at least one legal basis for processing user data.
Make legally required disclosures via your privacy policy. This info should, at the very least, include: who is processing the data, why, the user’s rights in relation to their data, and how they can exercise these rights.
If using consent as a legal basis, make sure that it’s opt-in consent. While US legislation usually allows the collection and processing of personal data without the user’s consent, the GDPR requires that you collect “freely given, specific, informed and explicit” consent through a clear “opt-in” action.
Keep clear records/proof of the consent. The GDPR also gives users a specific right to withdraw consent and, therefore, it must be as easy to withdraw consent as it is to give it. Because consent under the GDPR is such an important issue, it’s vital that you document and keep clear records related to the consent.
Appoint a Data Protection Officer (DPO). If you’re based outside the EU, you may still need a European representative to ensure your company is complying with the GDPR. However, the appointment of a DPO is not always mandatory: you can learn more here.
Since the US-EU Privacy Shield has been invalidated, if you are transferring EU data to the US, you’ll need to rely on another mechanism such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Keep in mind that all transfers of EU personal data to the US require that informed consent is first received from the user. You can learn more about transferring EU data to the US here.
In the cases where you choose to avoid transferring EU personal data outside of the EU, you should still make sure that your EU-based processor is aligned with GDPR requirements.
You can do this via a Data Processing Agreement (DPA), which is a formal agreement between you – the data controller – and any contractor processing data on your behalf (the data processor). Many popular processors, like hosting companies or email services, have the DPAs already included in their Terms and Conditions document. Otherwise, you can use our free DPA starter template.
Please note that, when you process EU data, you should always keep in mind the GDPR principles of data minimization and transparency. In simpler words, you should collect and process only the data that is truly necessary for your purpose, and be transparent with your users. Here a Data Protection Impact Assessment (DPIA) could be helpful: though it’s not always mandatory, it’s a great way to assess and streamline your processing activities.
What are the consequences of non-compliance?
GDPR is well-known for its hefty fines. Indeed, the legal consequences for non-compliance can include fines up to EUR 20 million (€20m) or 4% of the annual worldwide turnover (whichever is greater).
But perhaps equally concerning are the other potential sanctions that may be implemented against organizations found to be in violation: official reprimands (for first-time violations), periodic data protection audits and liability damages.
How iubenda helps US companies comply with the GDPR
At iubenda, we take a comprehensive approach to data law compliance.
We have a suite of lawyer-crafted professional solutions that make GDPR compliance easy and hassle-free for US companies. Our solutions allow you to quickly generate fully customizable privacy policies, cookie banners, and more that comply with the GDPR (and the CPRA, the CCPA amendment).
Our advanced generator and geolocation features make it easy to comply with multiple laws simultaneously (useful if you have both EU and US-based users).
Explore our GDPR compliance solutions here, or get started generating your documents right away.