If you are a US company that directly processes the personal data of EU customers, you are considered a data controller under GDPR. But what if you are an American B2B company, who handles that data on behalf of an EU business? That makes you a data processor rather than a controller. You will have less legal duty than the controller, but must still comply with GDPR by law.
Supposing your EU client abruptly asks for your GDPR compliance? You will need to be ready or risk losing business.
US companies have no GDPR equivalent at a federal level, but must observe EU law if they process EU personal data. This avoids fines and gives preparation for the US federal laws that will surely arrive soon. The world is waking up to data protection. What can a US data processor do to protect itself against GDPR breaches?
Few tasks are more important to GDPR compliance than identifying where you store all your data. A major risk of non-compliance occurs when companies lose control of their data and lose sight of exactly where it resides. You need data mapping to combat “data sprawl”. As a US company, you must know what EU data you process and all the places you store it. The worst thing any company can do is bury its head in the sand over this.
Do You Share EU Data with Another US Company?
Under GDPR, a processor that handles data for another processor is a “sub-processor”. In this blog post, this refers to a US company that processes EU data on behalf of another US company, which in turn, processes data for an EU controller.
In such situations, the sub-processor must also be GDPR-compliant. A key principle of GDPR is the complete lack of loopholes: every party carries legal responsibility. A contract should exist between processors and sub-processors that mirrors the responsibilities between controller and processor.
Can You Quickly Isolate Personal Data?
Another vital part of GDPR compliance is the ability to quickly access and isolate data. Data subjects have various access rights, including the right of erasure (aka “the right to be forgotten”). In that instance, your company needs to be able to efficiently locate all data held on the subject and cut it clean from the records. If you are a small to mid-sized company—bearing in mind that GDPR applies to all business sizes—GDPR compliance software can help you with this, as well as with data mapping.
Appointing an EU Representative
A US company without any physical presence in the EU (including legal entities and subsidiaries), needs an EU representative under Article 27 of the GDPR. This is not the same role as a DPO (data protection officer). The latter focuses on internal compliance, whereas an EU representative acts as an intermediary between a non-EU company and EU data authorities.
An EU representative has to be based in the European Union for ease of communication. One possible answer is to assign an EU rep through GDPR consultants 123 DPO. An alternative solution for companies with the resources is to set up a subsidiary in the EU, which would avoid the need for an EU representative.
Think About Joining the EU-US Privacy Shield
Introduced in 2016, the EU-US Privacy Shield is an optional framework for the transferal of personal data between the EU and the US. While the Privacy Shield is less severe than GDPR, it is subject to yearly revision and provides a useful roadmap towards compliance.
Act Quickly on Data Breaches
Data controllers must inform authorities as soon as they find a data breach. A B2B US data processor has the same obligation to its EU controller under GDPR. Data breach management is an important part of any GDPR solution and is a feature of GDPR 365 compliance software. This responsibility to report must be contractually agreed between companies sharing data.
Contracts Between Controllers and Processors
A written contract must exist under GDPR between controllers and processors. The same is true between processors and sub-processors. Processors cannot act without the approval of the controller. For example, they can only engage a sub-processor with the controller’s consent.
Get Ready to Prove Yourself
Under GDPR, EU companies must be able to prove compliance. There must at least be a clear path towards it to avoid fines after a breach. Whether regulators act or how harsh they are depends on the company’s resources and the extent of its offense. Thus, violations by Google resulted in a €50 million fine.
A US company processing EU data becomes liable for GDPR compliance. It’s like the domino effect. Can you show compliance to EU clients and prove you aren’t a chink in their GDPR armor? You must have the necessary system and security in place alongside trained staff that are familiar with GDPR needs. Your employees should sign confidentiality agreements that highlight their obligations.
Now’s the Time
Studies show that US companies have been slower to comply with GDPR than their European counterparts. Distance alone makes that no surprise. And yet it’s vital for US businesses that process EU data to quickly get on board with GDPR. This not only preserves their existing business, but readies them for the federal laws likely to come. That’s not to mention more demanding state laws, such as those on the horizon in California.
If you are a US data processor that is yet to catch up to GDPR, get started now!