Are you GDPR Compliant?

The EU General Data Protection Regulation (GDPR) extends its reach beyond European Union borders, requiring companies outside the EU to protect personal data. This checklist is tailored for US companies to help ensure GDPR compliance.

Understanding GDPR: The GDPR is a comprehensive data privacy law from the EU, designed to enhance data protection and give individuals greater control over their personal information. Non-compliance with the GDPR can result in substantial fines, reaching up to 4% of global revenue or €20 million, depending on the severity of the violation.

We previously provided a general GDPR compliance checklist applicable to all organizations. This updated checklist for US companies covers specific requirements unique to American businesses. We recommend that US companies consider both checklists for comprehensive compliance.

Why US Companies Need to Comply with GDPR: The GDPR applies to non-EU companies because it is extraterritorial. Its focus is on safeguarding the rights of EU data subjects, which include EU citizens, residents, and visitors. If your organization processes any personal data of individuals in the EU—whether email addresses, IP addresses, or other data—you must comply with GDPR requirements.

Although the EU does not directly control territories outside its borders, it enforces compliance through mutual assistance treaties and legal mechanisms. GDPR Article 50 addresses international cooperation, and data protection authorities are exploring enforcement options case by case.

GDPR Compliance Checklist for US Companies:

  1. Conduct an Information Audit:
    • Identify what personal data you process and confirm whether it pertains to individuals in the EU.
    • Determine if your processing activities involve offering goods or services to EU data subjects. Refer to Recital 23 for clarification.
  2. Inform Customers About Data Processing:
    • Clearly explain why and how you process personal data. Update your privacy policy to include transparent information about your data processing practices as required by GDPR Article 12.
    • Consider other lawful bases for processing data beyond consent, as outlined in GDPR Article 6.
  3. Assess Data Processing and Enhance Protection:
    • Perform a data protection impact assessment to understand risks and mitigate them.
    • Implement data security measures such as end-to-end encryption and organizational safeguards. Follow the principle of “data protection by design and by default.”
  4. Establish Data Processing Agreements with Vendors:
    • Create agreements with third-party vendors to define rights and responsibilities regarding GDPR compliance. This applies to email vendors, cloud storage providers, and other subcontractors handling personal data.
  5. Appoint a Data Protection Officer (if necessary):
    • Larger organizations or those handling significant amounts of personal data may need to designate a data protection officer. The GDPR outlines the qualifications and responsibilities for this role.
  6. Designate a Representative in the EU:
    • Article 27 requires non-EU organizations that fall under GDPR to appoint a representative based in an EU member state. Recital 80 provides further details on this requirement.
  7. Prepare for Data Breaches:
    • Understand your responsibilities under Articles 33 and 34 if personal data is exposed. Use strong encryption to reduce breach impact and notification obligations.
  8. Comply with Cross-Border Transfer Laws:
    • GDPR Article 45 maintains strict requirements for transferring personal data outside the EU. You may need to self-certify under frameworks like the Privacy Shield.

GDPR Data Privacy Requirements:

  • Article 12 — Transparency and Communication:
    • Provide clear, accessible information about your data processing practices and make it easy for individuals to request actions such as data erasure.
  • Articles 13 & 14 — Data Collection:
    • Inform individuals about data collection at the time of collection, or if not collected directly, provide similar information later.
  • Article 15 — Right of Access:
    • Data subjects can request information about how their data is processed and access their personal data.
  • Article 16 — Accuracy:
    • Allow individuals to correct inaccurate or incomplete personal data.
  • Article 17 — Right to Erasure:
    • Data subjects can request deletion of their data, with specific exemptions. Facilitate easy submission of such requests.
  • Article 18 — Right to Restrict Processing:
    • Individuals can request limitations on data processing under certain conditions. Notify them of any actions taken in response.
  • Article 20 — Data Portability:
    • Provide personal data in a portable format and transfer it to a designated third party upon request.
  • Article 21 — Right to Object:
    • Individuals can object to data processing, which you can override only by demonstrating a legitimate basis for processing.

Final Thoughts: The GDPR emphasizes both data protection and privacy, requiring organizations to safeguard data and empower individuals with control over their information. Ensure transparency, facilitate data subject rights, and maintain robust security practices to meet GDPR standards.
