The General Data Protection Regulation (GDPR) is designed to protect the personal data of people in the European Union. Since Brexit, the UK enforces a near-identical UK GDPR, so in practice the same rules apply to both markets. When a company collects, stores or processes data about EU or UK residents, it is subject to this strict privacy regulation. From tracking cookies to customer email lists, you could rack up fines before you realize it. So, does the GDPR affect US companies too?
Unfortunately, yes. Under Article 3(2), the GDPR applies to companies with no EU presence at all if they offer goods or services to people in the EU (paid or free) or monitor their behaviour there, for example with analytics or advertising cookies. It is enforced not by a single EU body but by the supervisory authority of each member state (and by the ICO in the UK), and those authorities have already fined American companies such as Amazon and Google hundreds of millions of dollars.
GDPR obligations are broad. Enforcement so far has focused on large companies, but the same rules and the same fine ceilings apply to small businesses, which have far less cushion to absorb them. If there is any realistic chance your business collects EU or UK customer data, you need to get into compliance.
How Does GDPR Affect US Companies?
Broadly speaking, if your company collects, stores or processes data about EU or UK residents, you need a GDPR compliance program. That means both written policies describing your compliance measures and actually implementing those measures; a written policy nobody follows offers no protection.
Fines come in two tiers: up to €10 million or two percent of worldwide turnover for the preceding financial year for failures such as inadequate security measures or missed breach notifications, and up to €20 million or four percent of worldwide turnover for violations of the core principles, lawful basis, data subject rights or international transfer rules, in each case whichever is higher. Major players like Google and Amazon can absorb those amounts. Small companies may never recover.
Because it is so easy to inadvertently rack up fines, it pays to be prepared. Starting with a GDPR policy and the compliance measures behind it reduces your exposure, even if you are not specifically targeting people in the European Union or UK. It also positions your company to expand globally when the time is right.
Since the GDPR affects US companies, keep in mind that regulator guidance, enforcement priorities and member-state implementing laws change over time, and the UK GDPR can now diverge from the EU text. Your business will need to stay informed to remain compliant.
GDPR Compliance for US Companies
When the GDPR took effect on May 25, 2018, companies around the world found themselves subject to its strict privacy standards. It is not the only regime to worry about: China's Personal Information Protection Law (PIPL) and California's CCPA/CPRA set separate requirements that may also affect your business, and Virginia, Colorado and Utah have passed state privacy laws as well.
Lack of intent is no defence. Recital 23 says that a website merely being reachable from the EU is not enough on its own, but accepting payment in euros, shipping to EU addresses, offering an EU-language version of your site or tracking EU visitors with cookies all point to targeting EU residents and bring you into scope. Supervisory authorities can and do enforce against foreign companies, and Article 27 requires most non-EU companies in scope to appoint a representative in the EU who becomes the authority's point of contact.
To be compliant, start with a data audit. Where does your data come from, and how do you store and process it? Which of the six Article 6 lawful bases (consent, contract, legal obligation, vital interests, public task or legitimate interests) covers each processing activity? How do you tell customers what you collect and how it will be used? Can customers download, review, correct or delete their personal data, as the access, rectification, erasure and portability rights in Articles 15 to 17 and 20 require? Can you prove consent for your email lists? Double opt-in is the usual way to do so. Is the data encrypted or pseudonymized, as Article 32 expects where appropriate?
Next, review your current policies. Are they in line with GDPR standards, or do you need extra protections? What will it take to bring your privacy policy into line with the regulation? Do you already have a data protection officer (DPO), and do you need one? Article 37 requires a DPO where your core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special-category data. Make sure your company knows what to do in case of an audit or a breach, including the Article 33 requirement to notify the supervisory authority within 72 hours of becoming aware of a breach that is likely to put individuals at risk.
After you have determined what it will take to become GDPR compliant, you can start the compliance process. One way to begin is by using SixFifty to generate your own customized policy. Our proprietary legal technology combines real legal expertise with automation to create enforceable legal documents: answer a few questions about your company, and our tools generate your customized document for your lawyer to approve. It saves time and money, and gives you a GDPR framework to guide the rest of the compliance process.
Finally, update your internal data collection and management processes as necessary. Some businesses use GDPR compliance software to streamline this work, which suits new and small businesses well. Larger companies, especially in the tech industry, may prefer to rely on their own internal IT and security teams.
SixFifty’s Solutions Make GDPR Compliance Simple
However you approach GDPR compliance, SixFifty can help. Don't rely on a cookie-cutter free template, or burden your lawyers with dozens of billable hours. Save time and money by letting us do the heavy lifting.
Written by Meili Bell