Blog Post
GDPR compliance in the US: What differs from European firms responsibilities?
A Recap of the GDPR in the US
The European General Data Protection Regulation (GDPR) came into force on May 25, 2018. It aims to protect the security and privacy of personally identifiable information (PII) of EU citizens and residents.
The regulation applies not only to European nations, but to businesses worldwide processing personal data of EU citizens including US organizations operating both within and outside the region.
In the five years since its introduction, the GDPR has become the global benchmark for privacy and data protection legislation. Among the laws it has influenced are the Californian CCPA and CPRA, the Colorado Privacy Act and the Connecticut Data Privacy Act, all becoming enforceable throughout 2023.
Extra-Territorial Scope and International Cooperation
Because the remit of the GDPR is to protect the personal data of EU citizens and residents, the regulation applies to the data rather than where in the world it is or who is collecting and processing it. This means that US organizations collecting any personal data of European “data subjects” must comply with the regulation.
Article 50 of the GDPR establishes the framework for international cooperation that makes the regulation enforceable beyond its jurisdictional borders.
Many US-owned businesses have fallen foul of the regulation and this cooperation has led to some of the largest penalties issued under the regulation, including fines with a combined total of €895,000,000 against the Meta group of companies.
GDPR Compliance in the US
The obligations for US organizations are broadly no different from those of their European counterparts. The principles of the GDPR apply regardless of the geographic location of the company if they’re collecting EU citizens’ data. This means they must uphold the responsibility to:
- Be transparent, fair and lawful in the way information is collected, advising individuals’ what data is collected and what it is used for.
- Limit use of the data only for the stated purpose.
- Minimize the amount of data captured only to that necessary for the stated purpose.
- Ensure data collected is accurate and kept up to date.
- Limit the storage of personal data to a defined data retention period and delete it when no longer necessary.
- Implement controls to ensure data security and maintain the confidentiality and integrity of individuals’ personal data.
- Be accountable and able to evidence compliance with the regulation whenever requested by authorities.
Additionally, US businesses are also required to appoint a representative based in one of the EU member states, who must be granted the authority to act on behalf of the organization under the regulation.
Managing GDPR and US Privacy Compliance
The overlap of US privacy legislation with the GDPR helps organizations streamline their compliance efforts.
Organizations can further simplify this process with a clear understanding of the data they collect and process, with the ability to identify the nationality and location of individuals’ data, to determine whether GDPR and other global and US privacy laws apply.
Ground Labs’ Enterprise Recon simplifies this process by automating the discovery process and focusing on specific targets based on over 300 pre-packaged data types across 50+ countries.
Find out how to create a data inventory that supports GDPR and US privacy compliance, with your free copy of our e-book, Are You At Risk? A Compliance Checklist