Do US companies have to comply with GDPR?


Overview of GDPR

The General Data Protection Regulation (GDPR) is a privacy law implemented by the European Union (EU) to ensure the protection of personal data of EU citizens. It sets out guidelines and regulations that organizations must follow when handling personal data. Although the GDPR is an EU law, its impact extends beyond the borders of the EU, affecting companies worldwide, including those in the United States. The GDPR applies to US-based companies that process personal data of EU citizens, regardless of the company's physical presence in the EU. This means that US companies must comply with the GDPR if they offer goods or services to EU customers or monitor the behavior of EU individuals. Compliance with the GDPR involves various obligations, such as obtaining consents, implementing technical measures to protect data, appointing a Data Protection Officer, and maintaining records of processing activities. Failure to comply with the GDPR can result in significant fines and reputational damage for US companies. Thus, it is essential for US companies to understand and comply with the GDPR to ensure the privacy and security of personal data for their European customers.

US companies and GDPR

US companies that collect, process, or store personal data of individuals in the European Union (EU) must comply with the General Data Protection Regulation (GDPR). The GDPR applies to US companies if they have an establishment in the EU, offer goods or services to EU residents, or monitor the behavior of individuals in the EU.

To comply with the GDPR, US companies must fulfill various obligations and make necessary changes. This includes obtaining valid consent for data processing activities, updating their privacy policies to meet GDPR requirements, appointing a Data Protection Officer (DPO), and implementing technical and organizational measures to ensure the security of personal data.

US companies may also need to review and revise their data retention policies, as the GDPR requires personal data to be stored only for as long as necessary. Additionally, they must be prepared to handle personal data breaches and notify the relevant supervisory authorities and impacted individuals within 72 hours.

Compliance with the GDPR is essential for US companies to avoid hefty fines and reputational damage. Therefore, it is important for US companies to understand their obligations under the GDPR and make the necessary changes to their data processing activities and practices.

What is the general data protection regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a comprehensive privacy law that was enacted by the European Union (EU) in 2018. It applies to all EU member states and regulates the processing of personal data of individuals within the EU. The GDPR aims to strengthen the protection of personal data and give individuals more control over how their data is used by organizations. It introduces several obligations for businesses, such as obtaining valid consent for data processing, implementing appropriate security measures, appointing a Data Protection Officer (DPO), and handling data breaches in a timely and transparent manner. Non-compliance with the GDPR can result in significant fines and reputational damage. The GDPR also applies to non-EU companies that offer goods or services to EU residents or monitor their behavior. Therefore, US companies that process personal data of EU citizens are required to comply with the GDPR.

Lawful basis for processing personal data

Under the General Data Protection Regulation (GDPR), there are several lawful bases for processing personal data. These bases determine the legitimacy of processing activities and provide a framework for organizations to ensure compliance with privacy laws.

Article 6 of the GDPR outlines the different legal bases for processing personal data. These include consent, contract performance, legal obligation, vital interests, public task, and legitimate interests.

Consent applies when the individual has given explicit, informed agreement to the processing of their data. Contract performance refers to processing activities necessary for the execution of a contract with the data subject. Legal obligation entails processing personal data to comply with a legal requirement.

Vital interests involve processing data to protect someone's life, such as in medical emergencies. Public task applies to processing activities carried out by public authorities in the interest of the public. Finally, legitimate interests allow for processing personal data based on the legitimate interests of the controller or a third party, provided they outweigh the individual's rights and freedoms.

US companies that process the personal data of European customers must comply with the GDPR. Each legal basis outlined in Article 6 can apply to US companies depending on the context and purpose of the data processing. However, it is important for these companies to ensure they have a valid lawful basis for each processing activity to avoid potential penalties and comply with European data privacy regulations.

Special categories of personal data

Special categories of personal data, also referred to as sensitive data, are categories of personal data that require heightened protection under the GDPR. These categories include information about an individual's physical and mental health, racial or ethnic backgrounds, sexual orientation, religious or philosophical beliefs, political opinions, and trade union membership.

Physical and mental health information encompasses data related to an individual's medical conditions, disabilities, or illnesses, as well as information pertaining to their access to healthcare services. This category is given special protection due to its sensitive nature and the potential impact on an individual's privacy and dignity.

Racial or ethnic backgrounds refer to information regarding an individual's racial or ethnic origins, which can include information about their nationality, ancestry, or cultural background. The GDPR acknowledges the need for heightened protection of this category to prevent discrimination and ensure equal treatment.

Sexual orientation involves information related to an individual's sexual preferences, orientations, or practices. It is considered sensitive due to the potential vulnerability and discrimination that individuals may face based on their sexual orientation.

Religious or philosophical beliefs encompass an individual's religious, spiritual, or philosophical views, including affiliations or memberships to religious institutions or organizations. This category is protected to safeguard an individual's freedom of thought, conscience, and religion.

Subject rights under the GDPR

Under the General Data Protection Regulation (GDPR), individuals are granted fundamental rights concerning the processing of their personal data. These data subject rights empower individuals to have more control over their personal information and ensure its proper handling.

The GDPR specifies eight data subject rights that individuals can exercise. First is the right to be informed, which requires organizations to provide individuals with transparent information about how their personal data is being processed. The right of access allows individuals to obtain a copy of their personal data that organizations hold. If the information is inaccurate or incomplete, the right to rectification enables individuals to have it corrected promptly.

Individuals also have the right to request the erasure of their personal data under certain circumstances, known as the right to be forgotten. The right to restrict processing allows individuals to limit the use of their personal data. Additionally, the right to data portability allows individuals to receive their personal data in a structured, commonly used, and machine-readable format, enabling them to transmit it to another controller.

The GDPR introduces two additional rights. The right to object enables individuals to object to the processing of their personal data, including for direct marketing purposes. Finally, the right not to be subject to automated decision-making, including profiling, allows individuals to challenge decisions made solely by automated means.

These data subject rights aim to provide individuals with more control and transparency in the processing of their personal data, fostering trust and accountability between individuals and organizations.

Records of processing activities

Maintaining records of processing activities (ROPA) is of utmost importance for both controllers and processors under the General Data Protection Regulation (GDPR). ROPA serves as a comprehensive overview of an organization's data processing activities and plays a crucial role in ensuring compliance with data protection requirements.

ROPA should include key information such as the categories of personal data being processed, the legal basis for processing, how the data is processed, and the purposes of the processing. It also needs to detail any transfers of personal data to third countries or international organizations.

For controllers, ROPA should include details such as the name and contact information of the controller, categories of data subjects, recipients of the data (including third parties and international organizations), and the envisaged time limits for erasure of data. It should also outline the technical and organizational security measures in place to protect the data.

Processors, on the other hand, need to maintain records of all categories of processing activities they undertake on behalf of the controller. This includes information such as the name and contact details of the processor, the categories of data subjects involved, and any transfers of personal data to third countries.

By maintaining accurate and up-to-date ROPA, organizations can demonstrate their compliance with the GDPR and provide transparency to data subjects and supervisory authorities. ROPA also helps in conducting data protection impact assessments and audits, ensuring that data processing activities align with privacy principles and regulations. Therefore, controllers and processors must diligently maintain and regularly update their ROPA to meet their legal obligations and protect individuals' privacy rights.

Privacy policies and notices

Privacy policies and notices play a crucial role in ensuring compliance with the General Data Protection Regulation (GDPR). These documents outline how an organization collects, uses, and manages personal data, providing transparency and clarity to individuals about their privacy rights.

A GDPR-compliant privacy policy should include several key elements. Firstly, it needs to identify the data controller, the entity responsible for determining the purposes and means of processing personal data. The policy should specify the categories of data being processed, such as contact information or financial details, and the purpose for collecting and processing this data.

Additionally, the privacy policy should detail how data is collected and shared, including any third parties or international organizations involved in the processing. It should also provide information on data transfers, such as the mechanisms used to ensure the protection of data when it is transferred outside the European Economic Area.

Furthermore, the policy should outline the organization's data retention policy, specifying how long personal data will be stored. It should also include information on the data subject rights granted by the GDPR, such as the right to access, rectify, and erase personal data, and how individuals can exercise these rights.

Transparency and accessibility are key principles of the GDPR. Therefore, privacy policies and notices should be written in clear language and easily accessible to individuals. By following these requirements, organizations can demonstrate their commitment to privacy and compliance with the GDPR.

Supervisory authorities

Supervisory authorities play a crucial role in enforcing the General Data Protection Regulation (GDPR). These authorities are responsible for overseeing compliance with the regulation and ensuring the protection of individuals' personal data.

In each European Union (EU) member state, a supervisory authority is appointed to act as an independent public authority in charge of monitoring and enforcing the GDPR. They are entrusted with the task of supervising the application of the regulation and promoting the protection of individuals' rights.

The appointment of supervisory authorities is carried out by each member state, taking into account their specific legal and organizational structures. The authorities must be provided with the necessary resources and have the expertise to perform their tasks effectively.

The functions of supervisory authorities include providing guidance and advice on data protection matters, handling complaints and data breach notifications, conducting investigations, and issuing binding decisions and corrective measures when necessary. They also play a significant role in ensuring consistent application of the GDPR across the EU through cooperation with other supervisory authorities.

To enforce compliance with the GDPR, supervisory authorities have a range of powers and sanctions at their disposal. They can issue warnings, reprimands, and orders to cease certain data processing activities. They can also impose administrative fines, which can be significantly high, depending on the violation. In some cases, supervisory authorities can even ban data processing activities or suspend data transfers to third countries.

Penalties for non-compliance with the GDPR

Non-compliance with the General Data Protection Regulation (GDPR) can result in severe penalties for businesses. One of the most significant penalties is the imposition of fines. The GDPR allows for administrative fines of up to €20 million or 4% of the annual global turnover, whichever is higher. These fines can be imposed for various violations, such as not having a lawful basis for processing personal data or not obtaining valid consent.

In addition to fines, supervisory authorities can issue orders to cease certain processing activities. This means that if a business is found to be processing personal data in a way that is not compliant with the GDPR, they may be required to stop those activities immediately.

Furthermore, non-compliant businesses may face bans on processing personal data. In serious cases, supervisory authorities have the power to prohibit a company from processing any personal data at all. This can have a significant impact on the operations of the business, as it prevents them from handling any personal data of European customers.

In the event of a data breach, businesses are also required to notify supervisory authorities without undue delay and, in some cases, within 72 hours. Failure to do so can result in penalties, as well as potential reputational damage and loss of business. US-based companies are not exempt from these consequences, and violating the GDPR can have far-reaching implications for their operations and relationships with European customers. It is crucial for businesses to ensure compliance with the GDPR to avoid these penalties and safeguard their reputation.

Do US companies have to comply with GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive privacy law that applies to all companies that collect and process the personal data of European Union (EU) residents. While the GDPR is a European Union regulation, its impact extends beyond EU borders. This means that US companies are also subject to the GDPR if they collect and process the personal data of EU residents. The GDPR defines personal data as any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, IP addresses, and social identity. Therefore, US companies that collect and process such data from individuals residing in the EU are required to comply with the GDPR. Failure to comply with the GDPR can result in significant fines, orders to cease processing activities, and bans on processing personal data. As such, US companies that have European customers must take the necessary steps to ensure they are GDPR compliant and protect the personal data of their EU users.

Definition of a “US company”

A “US company” refers to a business entity that is incorporated or operates within the United States. This includes corporations, partnerships, limited liability companies, and other legal structures registered in the US. US companies can engage in a wide range of industries and sectors, ranging from technology and finance to manufacturing and retail.

In terms of the General Data Protection Regulation (GDPR), US companies are subject to its provisions if they meet specific criteria set by Article 3 of the regulation. Firstly, the GDPR applies to US companies that have an establishment in the European Union (EU). An establishment can refer to a physical office, subsidiary, or branch that is based in an EU member state.

Secondly, the GDPR applies to US companies that do not have an establishment in the EU but offer goods or services to individuals in the EU, or monitor the behavior of individuals in the EU. Examples of targeting individuals in the EU can involve online activities such as advertising, offering language options specific to EU countries, or processing personal data of EU residents.

To determine whether a US company is subject to GDPR compliance, factors such as the presence of an establishment in the EU and the targeting of individuals within the EU for goods or services play a crucial role. Compliance with the GDPR requires US companies to take steps to protect the privacy and personal data of EU individuals in accordance with the regulation’s requirements.

EU customers and non-EU companies

EU customers and non-EU companies have a significant relationship when it comes to compliance with the General Data Protection Regulation (GDPR). The GDPR applies to non-EU companies that offer goods or services to EU customers. This means that even if a company is based outside of the EU, it still needs to comply with the GDPR if it targets individuals in the EU or monitors their behavior.

To determine whether a non-EU company is subject to the obligations of the GDPR, EU regulators consider various factors. These factors include whether the company offers goods or services to individuals in the EU, regardless of whether payment is required. If a company has a website or mobile app that is accessible in the EU, has a version of the website or app in an EU language, or accepts payments in euros, it may be considered as targeting EU customers.

Furthermore, EU regulators also look at whether the company monitors the behavior of individuals in the EU. This can include the tracking of online activities, such as using cookies, analyzing user preferences, or creating targeted advertisements based on the behavior of EU customers. If a non-EU company engages in such practices, it may be subject to the requirements of the GDPR.

Extraterritorial application of the GDPR

The General Data Protection Regulation (GDPR) has an extraterritorial application, meaning it extends beyond the borders of Europe and can apply to businesses located outside of Europe. This legislation aims to protect the privacy and personal data of individuals within the European Union (EU) and has specific provisions that can require businesses from other regions to comply with GDPR requirements.

There are two primary cases in which the GDPR can be applied extraterritorially. The first case is when a business offers products or services to individuals in the EU, regardless of whether payment is required. This applies even if the company is based outside of Europe. If a business has a website or mobile app accessible to EU customers, offers versions of the website or app in EU languages, or allows payments in euros, it may be considered as targeting EU customers and thus subject to GDPR compliance.

The second case is when a business monitors the behavior of individuals in the EU. This can include tracking online activities, using cookies to analyze user preferences, or creating targeted advertisements based on the behavior of EU customers. If a non-EU company engages in such practices, it may also fall under the jurisdiction of the GDPR.

Therefore, it is crucial for businesses outside of Europe to be aware of the extraterritorial application of the GDPR and assess their obligations for compliance, especially if they offer products or services to EU customers or monitor their behavior. Complying with GDPR requirements not only protects the privacy rights of European individuals but also ensures businesses' credibility and trustworthiness in the global market.

How can US companies comply with the GDPR?

To comply with the GDPR, US companies need to take several important steps. Firstly, they must ensure the creation of a compliant privacy policy. This policy should clearly outline the type of personal data collected, the purpose of processing, and the lawful basis for processing. It should also provide information about data retention policies, the rights of individuals regarding their personal data, and contact details of the data protection officer (DPO).

Obtaining valid consent is another crucial task for GDPR compliance. Companies must ensure that individuals have the opportunity to freely give their consent and are provided with clear information about the processing activities. Consent requirements include being specific, informed, and given through an unambiguous affirmative action.

Implementing technical measures for data protection is essential for safeguarding personal data. Companies must adopt appropriate security measures to protect against unauthorized access, alteration, disclosure, or destruction of personal data. These measures can include encryption, access controls, and regular security assessments.

Conducting a privacy impact assessment (PIA) is also required for GDPR compliance. This assessment helps identify risks and evaluate the impact of processing activities on individuals' privacy rights. It involves assessing the necessity and proportionality of data processing, as well as implementing measures to mitigate potential risks.

US companies need to prioritize GDPR compliance by creating a compliant privacy policy, obtaining valid consent, implementing technical measures for data protection, and conducting a privacy impact assessment. By taking these steps, US companies can demonstrate their commitment to protecting personal data and ensure compliance with the GDPR.
