GDPR Compliance Checklist For US Companies

The General Data Protection Regulation (GDPR) has been in effect in the European Union since May 2018, yet plenty of companies still struggle with compliance, even in the EU. 


It’s not just European companies that have to navigate the complexities of data privacy compliance with the GDPR and ePrivacy Directive. Any company that handles consumer data in regulated ways, and wants to do business in the EU, needs to take compliance seriously.


However, GDPR compliance is also valuable for doing business in the United States. The states that have already passed data privacy laws, most notably California, have borrowed heavily from the GDPR in drafting their regulations. Having passed first, California’s laws – the California Consumer Privacy Act (CCPA) and upcoming California Privacy Rights Act (CPRA) – have in turn been influential on legislation drafted by other states.

Being GDPR-compliant also puts US companies ahead of the game in ensuring state-by-state compliance at home. By adopting best practices, there’s less work and disruption needed in the future as more regulations are passed.


The following information and checklists will help determine your company’s GDPR compliance requirements and steps to take. Please note that due to differences in implementation and enforcement among EU countries, we strongly recommend that you consult with a lawyer specializing in data protection and privacy to ensure that your data strategy is fully GDPR-compliant.

Does your company need to be compliant with the GDPR?

An obvious first question for American companies is, “Does the GDPR apply to us?” If your company does business in the EU, then yes, you do need to be GDPR-compliant. This can include having an office in the EU, having partners or customers in the EU, or having website visitors who are in the EU. 


The EU-US Privacy Shield Framework included an adequacy decision from the European Commission. This was somewhat based on GDPR compliance, even if Privacy Shield compliance didn’t confer full GDPR compliance prior to July 2020. However, it only governed the flow of personal data for transatlantic data exchange, so in many cases also pursuing GDPR

However, the 2020 Schrems II decision invalidated that Framework, so Privacy Shield compliance is no longer relevant and full GDPR compliance is required.

GDPR requirements, definitions, and how they affect US companies

Let’s look at some ways that the GDPR’s requirements are unique. For example, while laws in the US, like the CCPA, are centered around consumer protection, the GDPR regulates data protection more comprehensively. That includes the B2C and B2B sectors. GDPR stipulations require organizations to appoint a data protection officer under a number of operational circumstances. This isn’t necessarily the case under American laws.


But the biggest difference between the US and the EU is with regards to personal data. Under the GDPR, users must provide explicit opt-in consent to having their personal data collected and used. In the US, however, an opt-out model is used: companies can collect data, but have to provide a clear and easy way for users to reject the disclosure and/or sale of that personal data.


Definitions of personal data, personally identifiable information, and specific requirements for data to be “sensitive” also vary among different privacy laws. We explain the similarities and differences in depth: Personally Identifiable Information (PII) vs. Personal Data – What’s the difference?


Under the GDPR, personal data is “any information that relates to an individual who can be directly or indirectly identified.” Names and email addresses are obviously personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data. Pseudonymous data can also fall under the definition if it’s relatively easy to identify someone from it.


For data processing to be legal under the GDPR, one legal basis (legitimate justification) under Art. 6, such as obtaining compliant user consent, must be met. It must be documented and clearly communicated to the data subject (the person whose data is processed, such as a site visitor or customer).


The data controller (i.e. a company) can meet additional legal bases over time, but it can’t just change the one previously chosen. There would need to be a compelling and defensible reason, documentation, and notification of data processors (third parties that process personal data on behalf of data controllers) and data subjects.

For users’ consent to be GDPR-compliant, there are seven criteria that must be met. See our article 7 Criteria for a GDPR-compliant Consent for detailed information on those criteria and what that means for websites’ cookie banners.

Protection and regulation of children’s data

Under the GDPR, processing of personal data is generally only permitted for children aged 16 and older. Parental or guardian consent must be obtained for data processing requests for children under 16. 


Some EU Member States enable reducing the age limit to 13, but not all of them do. Additionally, as confirming user age can be ambiguous on some websites, obtaining explicit consent from all users is recommended.

GDPR compliance checklist

✅  Make data privacy and protection a key consideration in all aspects of development and operations. Building in compliance is more efficient, cheaper, and less resource-intensive than retrofitting it, especially if a company ends up with fines for violations.


✅  Create an internal security policy for employees, partners, and contractors and keep it updated. Ensure that it is clear and comprehensive to the company’s operations and specific roles within the organization where accessing personal data is necessary.


✅  Know what a data protection impact assessment is and have a process to carry it out.


✅  Wherever possible when personal data is collected, anonymize, pseudonymize and encrypt it.


✅  Have a process in place to notify data subjects and the correct authorities within the required time frame in the event of a data breach.

Operations

✅  Know what data you collect, store, and use
  • Conduct an information audit to learn and document:
    • what data you collect
    • why it is collected
    • who has access to it (including third parties)
    • how and where it is stored/protected
    • how long it is kept
    • how it is expunged
  • Organizations with 250+ employees, or that conduct higher-risk data processing must keep an up-to-date and detailed list of their processing activities, which can be shown to regulators on request. (Companies with fewer than 250 employees should still do these audits and maintain this information.)
✅  Have a legal basis for data processing activities
  • Determine under which legal basis you process data.
  • Determine what additional conditions may apply.
  • Document the rationale for your organization’s chosen legal basis and be prepared to present it to regulators.
  • Legal basis is determined based on the six conditions under Art. 6.
  • There are additional provisions relating to children and special categories of personal data in Arts. 7-11.
  • Be aware of the extra obligations if consent is your chosen legal basis.
✅  Appoint appropriate officers and representatives to manage data privacy and protection initiatives.
  • Designate a privacy/compliance officer in your organization.
  • Appoint a representative within the EU if your organization is outside (e.g. US).
  • Determine if your organization needs a Data Protection Officer, and appoint one if required.
  • The internal officer needs to be able to understand the needs of ongoing compliance, work on drafting, reviewing, implementing and enforcing the policies.
  • Processing data of people in particular EU member states requires a representative in each country who can communicate on your behalf with data protection authorities.
  • A Data Protection Officer is needed if the organization:
    • is a public authority
    • has large-scale data processing as a core activity
    • has large-scale processing of special categories of data as a core activity.
✅  Create and use a data processing agreement with third parties. 
  • Any third parties that process data on your behalf need to sign a data processing agreement that clearly outlines how data is to be transferred, stored, protected, used, and erased.
  • This can include email hosting, cloud services, analytics software, etc. 
  • Ensure rights and obligations of both parties are clear.
  • Reputable services should have a data processing agreement for review on their websites.

Users and Customers

✅  Duty to provide information
  • Let users know clearly that you are using cookies or other tracking technologies on your website.
  • Explain what the tracking technologies are doing and why (purpose).
  • Include this information in a Privacy Policy that is easy to find, read, and understand.
  • Review and update the Privacy Policy at least every 12 months.
  • Include the following information in the Privacy Policy:
    • Name and contact details of the data controller
    • Purpose of data processing/tracking technologies
    • Categories of users and personal data
    • Transfers of personal data to third countries
    • Time limit for deletion of personal data
    • General description of security measures (e.g. preparation against cyberattacks)
✅  Obtain explicit consent
  • Obtain users’ explicit consent to use tracking technologies and to store cookies on their device(s).
  • Consent must be:
    • Explicit: active acceptance, e.g. ticking a box or clicking a link
    • Informed: who, what, why, for how long?
    • Documented: you have the burden of proof in the case of an audit
    • In advance: no data is to be collected before opt-in, e.g. cookies cannot be set on your website before the user has consented to them
    • Granular: individual consent for each individual purpose, i.e. consent cannot be bundled with other purposes or activities
    • Freely given: e.g. “Accept” and “Reject” buttons of equal size and prominence
    • Easy to withdraw: opt out on the page, and easily accessible later if the user changes their mind
  • Exception: strictly necessary cookies (aka essential cookies)
✅  Setting cookies
  • Collect and process data with cookies only with valid consent.
  • Loading: ensure cookies are not loaded until the user has given consent.
  • User refusal: if a user rejects cookies, no cookies can be set; however, users should still be allowed to use your website/access your service even if they refuse to allow the use of certain cookies.
✅  Legally compliant documentation
  • Document and store consent received from users.
  • Data Protection Authority (DPA) audit: comply with documentation obligations and be able to demonstrate users’ consent in case of an audit by data protection authorities.
✅  Opt out
  • Rejecting the use of cookies or other tracking technologies must be as easy to access and use as consenting.
  • Easy in, easy out: it must be as easy for users to withdraw their consent at any time as it is for them to give it.
  • External links: linking to a separate page for opt out is not sufficient.
  • After opt-out: ensure that no further data is collected or forwarded from the moment the consent request is rejected or rescinded, i.e. the opt-out must also be technically linked to the cookie and, ideally, documented.
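The “Setting cookies” and “Opt out” rules above can be modelled as a small consent gate. The following is an added example, not code from the original article or from any consent tool; the cookie jar is a plain Map so it runs offline in Node (in a browser the same logic would wrap document.cookie), and the purpose names and cookie values are constructed for illustration.

```javascript
// Added example: a minimal consent gate for the "Setting cookies" and "Opt out"
// rules. The jar is a Map standing in for document.cookie; the purpose names
// ("analytics") and cookie values are constructed, not from any real site.
const ESSENTIAL = "essential"; // strictly necessary cookies need no consent

// Consent record: one decision per purpose (granular), timestamped, so the
// site can demonstrate consent to a data protection authority on request.
function createConsentStore() {
  return { granted: new Set(), log: [] };
}

// Record an explicit decision. Only an affirmative action grants consent;
// nothing is inferred from silence or from scrolling past the banner.
function recordDecision(store, purpose, accepted, now = Date.now()) {
  if (accepted) store.granted.add(purpose);
  else store.granted.delete(purpose);
  store.log.push({ purpose, accepted, at: new Date(now).toISOString() });
  return store;
}

// Gate: a cookie is set only if it is essential or its purpose has consent,
// so nothing non-essential is loaded before opt-in.
function setCookie(jar, store, name, value, purpose) {
  if (purpose !== ESSENTIAL && !store.granted.has(purpose)) return false;
  jar.set(name, { value, purpose });
  return true;
}

// Withdrawal is technically linked to the cookies: every cookie set under
// that purpose is removed, and the withdrawal itself is logged.
function withdrawConsent(jar, store, purpose) {
  recordDecision(store, purpose, false);
  for (const [name, cookie] of jar) {
    if (cookie.purpose === purpose) jar.delete(name);
  }
  return [...jar.keys()];
}

// Walk through one visit: essential cookie, blocked analytics cookie, opt-in, opt-out.
function demo() {
  const jar = new Map(), store = createConsentStore();
  setCookie(jar, store, "session_id", "s-123", ESSENTIAL);            // allowed before any banner click
  const before = setCookie(jar, store, "_ga", "GA1.2.1", "analytics"); // blocked: no consent yet
  recordDecision(store, "analytics", true);                            // user clicks "Accept analytics"
  const after = setCookie(jar, store, "_ga", "GA1.2.1", "analytics");  // now allowed
  const remaining = withdrawConsent(jar, store, "analytics");          // _ga removed, session_id kept
  return { before, after, remaining, decisions: store.log.length };
}
```

The `log` array is what you would persist as the consent record; it holds both the opt-in and the later opt-out, which is the documentation a DPA audit asks for.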

Data subjects’ (customers/users/visitors) privacy rights

It must be clear and easy for customers to…

✅  object to you processing their data
✅  request and receive all of the data you have about them in a timely manner
✅  request correction or update of inaccurate or incomplete data
✅  request deletion of their personal data and have it completed in a timely manner
✅  have you stop collecting and processing their data
✅  receive a copy of all of the personal data you hold about them, which can be transferred to another entity
✅  have processes and policies in place to protect their rights if you make decisions about them based on automated processes.

Google claims that all data will be anonymized and recorded in aggregate form if the user does not consent to Google Analytics tracking. There are differing opinions regarding whether or not tracking technologies can be used without user consent, however.


According to the Orientation Help for Providers of Telemedia from the Datenschutzkonferenz (DSK), reach measurement can indeed represent legitimate interest for the website operator. If no personal data is forwarded to third parties, like Google, and data is not to be used for the third parties’ own purposes, it is possible to claim legitimate interest. 


Do not assume, though, that claiming legitimate interest means consent is not needed. You, as the data processor, would need to be able to prove that the data is being processed with the users’ best interests in mind. You would also need to document the claim of legitimate interest, the reasons for it, and all requirements to secure data collected would continue to apply, as noted in the checklists above.


If a website operator thinks they can reasonably claim a legal basis other than collection of user consent – for example, legitimate interest – then they must ensure that their own interests count more than the interests of the website users. Another option would be claiming no legal basis by ensuring that 100 percent of users have fully anonymous interactions with the website 100 percent of the time.


Website operators must also ensure that users’ personal data is not forwarded to servers in the United States (“third country”) from the European Union (from the Schrems II decision). If this cannot be guaranteed, then consent always has to be collected.


Making this even trickier: even when claiming legitimate interest, an IP address is transmitted during most users’ website activity, and since the German Federal Court of Justice considers IP addresses personal data, there is a strong argument that fully anonymous interactions with a website are not possible in most cases under EU law.

The UK, US and GDPR

As of January 1st, 2021, the United Kingdom’s transition period to leave the EU completed, and it was no longer a member state. As a result, the GDPR no longer applied there. However, the UK now has an adequacy decision from the European Commission, so their “UK GDPR” is sufficient to allow continued flow of data.


Companies in other countries, like the US, do need to keep abreast of new or changing regulations in all partner countries, particularly with any divergence from the GDPR in the future. The US is also in the process of negotiating a new agreement with the EU to replace the Privacy Shield, and once that is settled, it will likely make similar arrangements with the UK.

Retain counsel

As we have mentioned, the precise implementation and interpretation of the GDPR vary among member states, and only once your company has undertaken a data audit will you know exactly how GDPR requirements apply to your organization and customers. We do not provide legal advice, and strongly recommend engaging legal counsel specializing in data protection and privacy to ensure your company’s GDPR compliance efforts are robust and compliant.