GDPR: What US Companies Need to Know

Do you know whose data you have?

When the General Data Protection Regulation (GDPR) became enforceable on May 25, 2018 (it had been adopted in 2016), it raised the bar for data protection and security around the world. It also set off a wave of privacy laws that are changing how business is done, and how we use the internet, for good.

A common misconception among US companies is that the GDPR applies only to companies in Europe. If you are a US company, the GDPR applies directly to you today if any of the following describes you:

  • You have an establishment (offices, staff, or a subsidiary) in the EU
  • You are based in the US but offer goods or services to people located in the EU, or monitor their online behaviour
  • You are a US B2B company whose EU clients send you personal data (their customers' or employees' data, for example) to process

More precisely, Article 3 applies the GDPR to any organization, wherever it is located, that processes personal data of people who are in the EU in connection with offering them goods or services (paid or free) or monitoring their behaviour. The test is where the person is, not their citizenship: an EU citizen living in Texas is not covered on that basis, while a US tourist browsing your site from Paris is.

GDPR caught a lot of US companies off guard. By one estimate, 42% of US sites still block EU visitors because they were not prepared to comply. That is a sizeable market waiting to be tapped by whoever gets there first.

Why all US companies should pay attention to GDPR

Understand that the GDPR is setting the template for a wave of privacy legislation sweeping the US and the globe. It raises service, transparency, and accountability to levels that previously did not exist. Consumers know about these laws, which means consumer trust is becoming an essential part of a brand's identity.

The biggest mistake US companies can make is to think of data privacy law as something restricted to Europe. It’s already here. The sooner US companies get in front of the standards set by the GDPR, the easier it will be to comply with any other privacy laws that become relevant to a company’s jurisdiction.

Privacy laws are being proposed and enacted in a growing number of states. One of the strictest to pass in the US so far is the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020.

What does GDPR do?

GDPR gives ordinary people an unprecedented degree of control over the personal information organizations collect, retain, and process. It treats the protection of personal data as a fundamental right.

All organizations, inside or outside the EU, that process personal data of people in the EU, directly or through a processor, must have a lawful basis for each purpose for which they collect and process it. With that basis come the duties to keep the data secure and to respond to a data subject's request to access, correct, delete, or obtain a copy of it.

What is personal information under the GDPR?

  • Names, addresses, phone numbers, ID numbers, bank details, etc.
  • IP addresses, cookie identifiers, tags, pixels, email addresses, user names, Instagram and Facebook posts, tweets, stories, etc. Online identifiers count as personal data even when you cannot put a name to the person behind them.
  • The following special categories have stricter rules and companies need to be very careful with them: biometric and genetic data, health data (physical and mental), racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and sex life or sexual orientation. Article 9(1)

When is it legal to collect and process personal information under GDPR?

Before you can ask for and collect anyone’s personal data, you need to have a legal basis for its collection and use — the GDPR outlines six lawful bases for collecting and processing someone’s information:

  1. Consent: The user has given unambiguous, affirmative consent to process specific data for a specific purpose. Explicit consent is required where the data falls into the special categories above.
  2. Contract: You need to collect and process data to carry out a contract you have with the user.
  3. Legal obligation: You need to collect and process data to comply with the law.
  4. Vital interests: Processing is necessary to protect someone's life or physical safety, for example in a medical emergency.
  5. Public task: You need to collect and process data to complete a job that is in the public interest, or part of your official functions as a public officer, and the job has a clear lawful basis.
  6. Legitimate interests: You need to collect and process data for your legitimate interests, or the legitimate interests of a third party — unless that interest is overridden by the fundamental rights and freedoms of the user granted by the GDPR.

For most US companies, consent, contract, and legitimate interests are the bases that apply day to day. Legal obligation also matters to ordinary businesses (tax and accounting record-keeping, for example), while vital interests and public task mainly cover public bodies and health care.

Let’s discuss what consent, contract, and legitimate interest might mean to US companies so that you understand the extent to which you’ll need to redesign how you collect personal data, where you store it, and who you share it with, to comply with the GDPR.

What does consent mean under the GDPR?

Users can’t really give consent to something they don’t understand. The burden of making your intentions clear to your consumers in transparent and understandable language falls on you, the company, entirely. Not only do you have to be completely transparent with your consumer base, but you have to be able to prove to any privacy authorities that you have been. 

All communication with a user regarding their consent needs to be readable by the average person, not just lawyers. This does away with long, unreadable privacy policies full of legal and technical jargon. It requires companies to overhaul their privacy policies, terms and conditions, disclosures, opt-in boxes, and any other communication regarding a user's data to meet GDPR standards.

What you need to do when you ask for consent

When you ask for consent, it needs to be informed consent. You have to lay out explicitly, in everyday language, why you want a user's information and what you intend to do with it.

You also have to tell users about their rights to withdraw consent and to request deletion, correction, transfer, and a copy of their data. Whenever you collect personal data, Article 13 requires the notice to include at least the following:

  • Who you are and your contact information
  • The contact details of the Data Protection Officer (DPO), if you have one
  • The purpose for requesting the data
  • The legal basis for requesting the data
  • If the legal basis is legitimate interests pursued by you or by a third party, what those legitimate interests are
  • Who else will receive the data, if any third parties or processors are involved
  • How long you will keep the data, or the criteria used to decide that
  • That the user may withdraw consent at any time, and may lodge a complaint with a supervisory authority

Two essential points about consent are:

Consent must be freely given: The user must have a genuine choice, and you must be able to demonstrate that consent was given (Article 7(1)), which means keeping a record of who consented, to what, when, and under which version of your notice. Your request for consent must be in clear and understandable language.

Consent can't be a precondition to using services: Consent must be presented separately from all other terms and conditions, and you cannot make a service conditional on consent to processing the service does not actually need (Article 7(4)). A single "I accept" checkbox covering a bundle of services and permissions is therefore not valid consent, and neither is a pre-checked opt-in box, silence, inactivity, or any other default. Withdrawing consent must be as easy as giving it (Article 7(3)).

Transparency in privacy policies and opt-ins under GDPR

The first step in transparent and informed consent is revising privacy notices, disclaimers, and cookie notices to include all of the information that the GDPR requires in simple, readable language. The GDPR wants you to inform users of the following:

  • What data do we collect? — Identify what data you collect. Name, email, phone, etc.
  • How do we collect your data? — Explain how data is collected. Forms, opt-ins, web browser, etc.
  • How do we use your data? — Explain exactly how the data will be used. Process an order, email list for additional services, etc.
  • How do we store your data? — Explain how and where data is stored and the security measures that protect it. 
  • Marketing — Which third-party companies you share data with, and how users can opt out.
  • What are your data protection rights? — You must inform users of their rights under GDPR:
      • The right to access – Users have the right to know what data you have
      • The right to rectification – Users can ask you to correct their data
      • The right to erasure – Users can ask you to completely erase their data
      • The right to restrict processing – Users can ask you to restrict data processing
      • The right to object to processing – Users have the right to stop you from processing their data altogether
      • The right to data portability – Users can ask you to send their data somewhere else
  • What are cookies? — Explain what cookies are. 
  • How do we use cookies? — Explain precisely how you use cookies. Keep you signed in, track your purchases, etc.
  • What types of cookies do we use? — You must explain every function used under your cookie policy. Functionality, advertising, etc.
  • How to manage your cookies — Give all users the ability to opt-out of any type of cookie functions. Explain how it might affect user experience on your site.
  • Privacy policies of other websites — Explain that your privacy policy doesn’t cover websites you hyperlink to.
  • Changes to our privacy policy: Give the date you last updated your privacy policy. Explain how and when you update it.
  • How to contact us — Provide email, phone, and physical address.
  • How to contact the appropriate authorities — Name the supervisory authority users can complain to. Each EU member state has its own; the European Data Protection Board lists them at https://edpb.europa.eu/. The Information Commissioner's Office (https://ico.org.uk/) is the UK's authority. US companies should also name any other privacy regulator that covers their jurisdiction.
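The two rules above that bite hardest in code are "no pre-checked boxes, no bundling" from the consent section and "users must be able to opt out of any type of cookie" from the cookie bullets. The following is an added example, not code from the original article: a small consent-gating module in which nothing but strictly necessary cookies is written until the user actively grants a category, every grant and withdrawal is appended to an audit record the controller can later produce, and consent given under an older version of the notice is treated as stale. The category names, the `POLICY_VERSION` string and the `jar` object (a stand-in for `document.cookie` so the module runs outside a browser) are all assumptions made for the example.

```javascript
// Added example: consent-gated cookie categories with an auditable consent record.
// Category names, POLICY_VERSION and the `jar` stand-in are assumptions for this example.

// Bump this whenever the cookie notice changes; consent recorded under an older
// version no longer covers the new notice and must be asked for again.
const POLICY_VERSION = "cookie-policy-2024-01";

// Strictly necessary cookies are exempt from the consent requirement; every
// other category is opt-in and off by default.
const COOKIE_CATEGORIES = {
  necessary: { requiresConsent: false },
  functionality: { requiresConsent: true },
  analytics: { requiresConsent: true },
  advertising: { requiresConsent: true },
};

// Starting state: no optional category granted. This is the "no pre-checked
// box" rule in code: the absence of a decision is a refusal, never consent.
function defaultConsent() {
  return { policyVersion: POLICY_VERSION, decisions: {}, history: [] };
}

// Record the user's explicit per-category choices. Only a literal `true`
// counts as a grant; a missing, falsy or merely truthy value is a refusal.
// Each call appends an audit entry so the controller can show when, to what,
// and under which notice the user agreed (the Article 7(1) burden of proof).
function recordConsent(state, choices, now = new Date()) {
  const decisions = {};
  for (const [category, def] of Object.entries(COOKIE_CATEGORIES)) {
    if (!def.requiresConsent) continue;
    decisions[category] = choices[category] === true;
  }
  state.decisions = decisions;
  state.policyVersion = POLICY_VERSION;
  state.history.push({
    at: now.toISOString(),
    action: "update",
    policyVersion: POLICY_VERSION,
    decisions: { ...decisions },
  });
  return state;
}

// Withdrawal must be as easy as granting and is logged the same way.
function withdrawConsent(state, category, now = new Date()) {
  if (!(category in state.decisions)) return state;
  state.decisions[category] = false;
  state.history.push({
    at: now.toISOString(),
    action: "withdraw",
    policyVersion: state.policyVersion,
    category,
  });
  return state;
}

// May a cookie in `category` be written right now? Unknown categories are
// denied outright, and consent given under an older notice is stale.
function isAllowed(state, category) {
  const def = COOKIE_CATEGORIES[category];
  if (!def) return false;
  if (!def.requiresConsent) return true;
  if (state.policyVersion !== POLICY_VERSION) return false;
  return state.decisions[category] === true;
}

// Every cookie write goes through the consent check. Returns whether the
// cookie was actually set so callers (e.g. a tag loader) can react.
function setCookie(jar, state, name, value, category) {
  if (!isAllowed(state, category)) return false;
  jar[name] = value;
  return true;
}
```

In a real site the same `isAllowed` check gates script loading (analytics and ad tags) as well as cookie writes, and the `history` array is what you hand to a regulator or a user who asks what they agreed to and when.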

What revising your privacy policies means to your business processes

It stands to reason that before you publish a privacy notice that promises everything above, you need to have the technical and business processes in place to actually do what it says.

To anticipate the changes in purpose and legal basis that occur in data processing, you’ll need to walk through the timeline of all your business processes that involve the collection, processing, and retention of data — who has access to it and why. Then you can be clear about what needs to go into your privacy notices, terms and conditions, disclosures, opt-in boxes, etc.

Can I use legitimate interest as a lawful basis to collect and process data under GDPR?

Legitimate interests may sound vague enough to cover marketing or tracking cookies and pixels and call it a legitimate interest of your organization. It does not work that way. If you rely on legitimate interests you must name the interest in your notice in plain language, carry out and document a balancing test against the user's rights and reasonable expectations, and honour the right to object (Article 21). Tracking cookies are a separate matter altogether: under the EU ePrivacy rules, storing or reading non-essential cookies on a user's device requires consent regardless of the GDPR basis you choose for the data you gather with them.

The bottom line here is that there is no sneaky way to get around being completely transparent and upfront with users about why you want their data from the very beginning. 

Can I use contract as a lawful basis to collect and process data under GDPR?

If you're selling someone a product online, you're going to need their payment details. And if you're delivering that product, you'll need their address. So you deliver the product and, for all intents and purposes, no longer need their address to complete the contract. Do you have to delete it?

You may well need to keep the address in your accounting records. But that retention is no longer necessary for the contract; it is required by tax and accounting law, so the correct basis for keeping it is legal obligation under Article 6(1)(c), and your records of processing and privacy notice should say so, including how long you keep it. Once the statutory retention period expires, the data should be deleted.

What happens to data you’ve collected when you’re done with it is still your responsibility

Let's say the bank processing your customer's card payment needs their address to authorise the payment and must also hold onto it to comply with laws that require the bank to retain such records. Has the legal basis changed? Yes, and you need to be aware of this.

When the bank acts on your instructions it is a processor and you are the controller. But when it retains the address to meet its own legal obligations, it is processing for its own purposes and becomes a controller in its own right for that processing. The basis for that retention is Article 6(1)(c) legal obligation, not the Article 6(1)(b) contract basis under which you collected the address. You, as the controller, have to anticipate this from the outset, spell it out in your processor contracts (Article 28) and records of processing, and reflect it in your privacy notice.

You can’t respond to a user’s request about their data if you don’t know where it is

This example supports the need for US companies to walk through their business procedures involving data and look at them in a new light. To stay in compliance, as the company in the data controller role (you collected the information in the first place), you need to walk through your data supply chain so that you know where the data you collect is held, who is processing it, and why. 

You must be able to respond to users' requests regarding their data, and you can only do that when you know where their data is. Only then can you make sure that you are in compliance. Most companies will have to change how they collect, store, and process data to comply with the GDPR. They will also most likely have to amend their data governance plan and data governance team.

Challenges for compliance with GDPR

One of the biggest challenges companies face in complying with the new privacy regulations spreading around the globe is that much of the data collected, controlled, and processed today sits in unstructured storage, both on premises and in the cloud. Sharing that data with third-party processors complicates the picture further.

Firms have to be able to locate and quantify the personal data they hold in order to minimize risk. Keep only the data that is necessary for business purposes for which you can document a valid lawful basis, as discussed above (the data minimisation principle, Article 5(1)(c)), and dispose of the rest.

Penalties of non-compliance with GDPR

The GDPR sets two tiers of administrative fines on controllers and processors (Article 83): up to €10 million or 2% of worldwide annual turnover for the preceding financial year, whichever is higher, for breaches such as security and record-keeping failures, and up to €20 million or 4% for breaches of the core principles, lawful basis requirements, and data subject rights. Data subjects also have a right to compensation for material or non-material damage caused by a controller or processor that infringes the GDPR (Article 82).

For those who still think these penalties won't reach them, note that the CCPA carries civil penalties of up to $2,500 per violation ($7,500 per intentional violation) and a private right of action with statutory damages for data breaches caused by inadequate security.

Other disadvantages of non-compliance with GDPR

Beyond penalties, the reasons for taking the GDPR seriously are that global consumers and B2B companies already expect you to. If you control or process data, your clients and business associates will be asking if you are GDPR compliant because they can get in trouble if you aren’t.

To put it bluntly, you could lose customers if you are not GDPR compliant. And you may lose trust. It's harder to regain a customer's trust than it is to earn it in the first place. You want the PR for your brand to celebrate your accomplishments rather than defend your missteps.

The advantages of complying with GDPR

In the long run, taking your company to GDPR compliance level is going to give you a much better understanding of where all the data is in your company. It will also help you become more effective and efficient in your business decisions. Your company will be more prepared to handle any data breach incidents. And you’ll be that much more ahead of the game when local privacy laws in your geographic region of governance take effect.

The upside of being GDPR compliant is that it can give you an edge in your industry, especially if you reach compliance before your competitors do.

In today's digital business climate, data privacy and security are a huge selling point for those leading the way. Consumer trust is a new realm of marketing that companies need to take seriously. Get a handle on your network infrastructure and business processes, and align yourself with compliant vendors and service providers. You'll protect the market share you have now and set yourself up to grow it tomorrow.