GDPR Compliance Checklist For US Companies

The General Data Protection Regulation (GDPR) has been in effect in the European Union since May 2018, yet plenty of companies still struggle with compliance, even in the EU. 

It’s not just European companies that have to navigate the complexities of data privacy compliance with the GDPR and ePrivacy Directive. Any company that handles consumer data in regulated ways, and wants to do business in the EU, needs to take compliance seriously.

However, GDPR compliance is also valuable for doing business in the United States. The states that have already passed data privacy laws, most notably California, have borrowed heavily from the GDPR in drafting their regulations. Having passed first, California’s laws – the California Consumer Privacy Act (CCPA) and upcoming California Privacy Rights Act (CPRA) – have in turn been influential on legislation drafted by other states.

Being GDPR-compliant also puts US companies ahead of the game in ensuring state-by-state compliance at home. By adopting best practices, there’s less work and disruption needed in the future as more regulations are passed.

The following information and checklists will help determine your company’s GDPR compliance requirements and steps to take. Please note that due to differences in implementation and enforcement among EU countries, we strongly recommend that you consult with a lawyer specializing in data protection and privacy to ensure that your data strategy is fully GDPR-compliant.

An obvious first question for American companies is, “Does the GDPR apply to us?” If your company does business in the EU, then yes, you do need to be GDPR-compliant. This can include having an office in the EU, having partners or customers in the EU, or having website visitors who are in the EU. 

The EU-US Privacy Shield Framework included an adequacy decision from the European Commission. This was somewhat based on GDPR compliance, even if Privacy Shield compliance didn’t confer full GDPR compliance prior to July 2020. However, it only governed the flow of personal data for transatlantic data exchange, so in many cases also pursuing GDPR

However, the 2020 Schrems II decision invalidated that Framework, so Privacy Shield compliance is no longer relevant and full GDPR compliance is required.

Let’s look at some ways that the GDPR’s requirements are unique. For example, while laws in the US, like the CCPA, are centered around consumer protection, the GDPR regulates data protection more comprehensively. That includes the B2C and B2B sectors. GDPR stipulations require organizations to appoint a data protection officer under a number of operational circumstances. This isn’t necessarily the case under American laws.

But the biggest difference between the US and the EU is with regards to personal data. Under the GDPR, users must provide explicit opt-in consent to having their personal data collected and used. In the US, however, an opt out model is used. So companies can collect data, but have to provide a clear and easy way for users to reject the disclosure and/or sale of that personal data.

Definitions of personal data, personally identifiable information, and specific requirements for data to be “sensitive” also vary among different privacy laws. We explain the similarities and differences in depth: Personally Identifiable Information (PII) vs. Personal Data – What’s the difference?

Under the GDPR, personal data refers to “…any information that relates to an individual who can be directly or indirectly identified. Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data.” Pseudonymous data can also fall under the definition if it’s relatively easy to identify someone from it.

For data processing to be legal under the GDPR, per Art. 6 one legal basis (legitimate justification), such as obtaining compliant user consent, must be met. It must be documented and clearly communicated to the data subject (person whose data is processed, like site visitors or customers). 

The data controller (i.e. a company) can meet additional legal bases over time, but it can’t just change the one previously chosen. There would need to be a compelling and defensible reason, documentation, and notification of data processors (third parties that process personal data on behalf of data controllers) and data subjects.

For users’ consent to be GDPR-compliant, there are seven criteria that must be met. See our article 7 Criteria for a GDPR-compliant Consent for detailed information on those criteria and what that means for websites’ cookie banners.

Under the GDPR, processing of personal data is generally only permitted for children aged 16 and older. Parental or guardian consent must be obtained for data processing requests for children under 16. 

Some EU Member States enable reducing the age limit to 13, but not all of them do. Additionally, as confirming user age can be ambiguous on some websites, obtaining explicit consent from all users is recommended.

✅  Make data privacy and protection a key consideration in all aspects of development and operations. Building in compliance is more efficient, cheaper, and less resource-intensive than retrofitting it. Especially if a company ends up with fines for violations.

✅  Create an internal security policy for employees, partners, and contractors and keep it updated. Ensure that it is clear and comprehensive to the company’s operations and specific roles within the organization where accessing personal data is necessary.

✅  Know what a data protection impact assessment is and have a process to carry it out.

✅  Wherever possible when personal data is collected, anonymize, pseudonymize and encrypt it.

✅  Have a process in place to notify data subjects and the correct authorities within the required time frame in the event of a data breach.

It must be clear and easy for customers to…

✅  object to you processing their data

✅  request and receive all of the data you have about them in a timely manner

✅  request correction or update to inaccurate or incomplete data

✅  request deletion of their personal data and have it completed in a timely manner

✅  have you stop collecting and processing their data

✅  receive a copy of all of their personal data that you have for them, which can be transferred to another entity

✅  have processes and policies in place to protect their rights if you make decisions about them based on automated processes.

Google claims that all data will be anonymized and recorded in aggregate form if the user does not consent to Google Analytics tracking. There are differing opinions regarding whether or not tracking technologies can be used without user consent, however.

According to the Orientation Help for Providers of Telemedia from the Datenschutzkonferenz (DSK), reach measurement can indeed represent legitimate interest for the website operator. If no personal data is forwarded to third parties, like Google, and data is not to be used for the third parties’ own purposes, it is possible to claim legitimate interest. 

Do not assume, though, that claiming legitimate interest means consent is not needed. You, as the data processor, would need to be able to prove that the data is being processed with the users’ best interests in mind. You would also need to document the claim of legitimate interest, the reasons for it, and all requirements to secure data collected would continue to apply, as noted in the checklists above.

If a website operator thinks they can reasonably claim a legal basis other than collection of user consent – for example, legitimate interest – then they must ensure that their own interests count more than the interests of the website users. Another option would be claiming no legal basis by ensuring that  100 percent of users have fully anonymous interactions with the website 100 percent of the time. 

Website operators must also ensure that users’ personal data is not forwarded to servers in the United States (“third country”) from the European Union (from the Schrems II decision). If this cannot be guaranteed, then consent always has to be collected.

Making this even more tricky is that, even if claiming legitimate interest, since IP address is transmitted during most users’ website activities, and the German Federal Court of Justice considers IP address personal data, there is a strong argument that fully anonymous interactions with a website are not possible in most cases under EU law.

As of January 1st, 2021, the United Kingdom’s transition period to leave the EU completed, and it was no longer a member state. As a result, the GDPR no longer applied there. However, the UK now has an adequacy decision from the European Commission, so their “UK GDPR” is sufficient to allow continued flow of data.

Companies in other countries, like the US, do need to keep abreast of new or changing regulations in all partner countries, particularly with any divergence from the GDPR in the future. The US is also in the process of negotiating a new agreement with the EU to replace the Privacy Shield, and once that is settled, it will likely make similar arrangements with the UK.

As we have mentioned, the precise implementations and interpretations of the GDPR varies among member states. And only once your company has undertaken a data audit you will know exactly how GDPR requirements apply to your organization and customers. We do not provide legal advice, and strongly recommend engaging legal counsel specializing in data protection and privacy to ensure your company’s GDPR compliance efforts are robust and compliant.