The Evolution of the GDPR Law & What It Means for American Businesses
By VOS Consulting Group on September 10, 2023
The General Data Protection Regulation (GDPR) is a law that requires companies to protect the personal information and confidentiality of EU citizens for transactions that take place within EU member states. Noncompliance can have serious repercussions for businesses. However, the GDPR is no longer restricted to EU businesses.
The GDPR is applicable to businesses in the US or any business outside the EU based on two criteria:
Establishment – Any company outside the European Union has to comply with the GDPR if it has an establishment (such as an employee, agent, or branch) in the EU.
Targeting – A company that offers products or services to people in the EU (even free of charge) or monitors their behavior also falls under the scope of the GDPR.
How can American businesses stay compliant with GDPR? And how has the law evolved over the years? Read on to find out.
Brief History of the GDPR
The GDPR is the toughest privacy and security law in the world. Although it was drafted and approved by the EU, it imposes obligations on companies anywhere in the world, provided they target or gather data related to people in the EU.
The GDPR came into force in 2016 after passing the European Parliament, and all organizations were required to be compliant as of May 25, 2018. The law levies strict penalties against those who breach its privacy and security standards, with fines reaching millions of euros.
Recent Changes to the GDPR Law
The European Commission has now shifted its focus toward monitoring how data protection authorities at the EU Member State level are enforcing the GDPR, committing to regular checks on large-scale GDPR cases. The objective is to address longstanding criticism that enforcement of the GDPR has been weak and slow to impose meaningful checks on big tech companies.
Under the new changes, national supervisory data protection authorities will have to share a report on a bi-monthly basis (i.e. every two months), discussing various key details such as:
Case number
Controller or processor involved
Investigation type
Summary of the investigation scope, which includes provisions of the GDPR under consideration
The data protection authorities (DPAs) concerned
Key procedural steps taken and dates
Investigatory or other measures taken and dates
Through these reports, the European Commission will be able to measure how long every procedural step in a case is taking, and what the relevant data protection authorities are doing to progress the case.
How American Businesses Can Comply with the GDPR
As a business in the US, you need to keep in mind that if you process the personal information of EU citizens or residents, or you offer products or services to such individuals, then the GDPR is applicable to you even if you’re not in the EU. The information could be in the form of IP addresses of those who visit your site or email addresses in a marketing list.
Breaching the GDPR carries very high penalties. There are two tiers of fines, which max out at €20 million or 4% of worldwide revenue (whichever is higher). Moreover, data subjects also have the right to seek compensation for damages.
Here are a few steps that US companies should take to comply with GDPR:
1. Perform a data audit for EU personal information
Check whether your business needs to comply with the GDPR. Start by determining what personal information you process and whether any of it belongs to EU residents or citizens. If you do process such information, determine whether the processing activities are related to offering products or services to those data subjects, regardless of whether a payment is involved.
2. Inform your consumers why you’re processing their information
Consent is one of the legal bases that can justify your use of other people’s personal information. However, if you choose to process data based on consent, there are extra responsibilities involved.
Under Article 12 of the GDPR, you are required to provide clear and transparent information about your activities to your data subjects. You may have to update your privacy policy.
3. Evaluate your data processing activities and enhance protection
A data protection impact assessment will help you understand the threats to the security and confidentiality of the data you process and decide how to mitigate them.
Next, start implementing information security practices, like using end-to-end encryption and other safeguards, to limit your exposure to data breaches. When initiating new projects, you must abide by the principle of data protection by default and by design.
4. Ensure you have a data processing agreement with your clients/vendors
As the data controller, a company is held partially responsible if its third-party clients or vendors breach their GDPR obligations. Therefore, it’s important to have a data processing agreement that establishes the rights and duties of every party. This includes your cloud storage provider, email vendor, and any other subcontractor that deals with personal information.
5. Designate a data protection officer
Many businesses (particularly larger ones) are obligated to appoint a data protection officer. They can either name an existing employee as an internal Data Protection Officer, or they can designate an external Data Protection Officer.
6. Appoint a representative in the EU
According to Article 27 of the GDPR law, non-EU companies are obligated to designate a representative (in writing) based in one of the EU member states, where the data subjects are. The representative should act on behalf of the company and may be addressed by any supervisory authority.
7. Identify what to do if there’s a data breach
The GDPR also lays out your responsibilities if personal information is exposed, whether through hacking or any other type of data breach. In such a scenario, companies have to notify the supervisory authority of the breach within 72 hours of becoming aware of it. The use of strong encryption can reduce your exposure to penalties and decrease your notification obligations if there’s a data breach.
8. Comply with cross-border transfer laws
Article 45 of the GDPR specifies tough requirements for companies wishing to transfer personal information from the EU to non-EU countries. You need to define the legal basis for these transfers. The regulation provides for adequacy decisions, i.e., decisions on whether a third country offers an adequate level of data protection.
If an adequacy decision exists, you can transfer EU personal information without any specific authorization or additional safeguard measure, because the laws of the relevant country offer similar protection to the GDPR.
Stay On Top of GDPR Changes with VOS Consulting
If an American company falls under the scope of the GDPR, it is subject to the same requirements under the GDPR as its EU counterparts. With VOS Consulting Group, you don’t have to allocate any full-time resources to drive data privacy initiatives. We identify and manage risks associated with a shifting regulatory landscape.
As a trusted data privacy advisor and consultant, we streamline your internal processes and help your company stay compliant with the ever-changing GDPR laws. Get in touch to learn more.