GDPR For US Small Businesses

Think the General Data Protection Regulation (GDPR) only applies for European Union (EU) businesses? Think again. This sweeping data protection resolution covers all organizations that process the personal data of EU residents regardless of their geographic location—including in the United States. Even if you are a small U.S. business, you have to adequately safeguard the digital information of EU customers or face hefty regulatory penalties. 

Fulfilling GDPR requirements can create unique challenges for U.S. entities as we currently have no comparable federal mandates governing information security. Some state statutes—most notably the California Consumer Privacy Act (CCPA)—have similar protocol, but their scope and breadth are overshadowed by the comprehensiveness of the GDPR. 

Accordingly, U.S.-based companies may have to build their data compliance protocol from scratch, which can be costly in terms of both time and resources. Luckily, we’re here to help. The following is an overview of the GDPR to help you navigate the requirements and avoid any potential compliance issues. 

What is the GDPR?

The GDPR is the most stringent data protection regulatory system in the world. It became effective on May 25, 2018 and replaced the former European Data Protection Directive. It was intended to ramp up data security measures, offering protection of EU citizens’ personal data from breaches amid technological advances and increased instances of cybercrime. 

There is a total of 99 GDPR provisions, rights and obligations. The majority of these are requirements imposed on businesses that collect, process, transmit or store the personal data of EU “data subjects.” Additionally, the GDPR affords eight key rights to individuals with regards to their online personal information. These rights are explained below:

  • The Right to Be Informed: The GDPR gives EU citizens the right to know that a company is collecting their personal information and how they will utilize it in the course of business operations, how long they will use it, and what entities they will share it with
  • The Right of Access: The GDPR gives subjects the power to access their data after it has been collected. This access must be provided free of charge and in less than 30 days following the request of the citizen 
  • The Right to Rectification: Data subjects are allowed to correct any errors in their personal data. These changes must be made in less than one month after a business is notified of the incorrect information 
  • The Right to Erasure: In certain instances, EU citizens can request to have all of their personal information deleted from an organization’s database
  • The Right to Data Portability: Individuals can obtain their data, reuse it, or transfer it from one location to another
  • The Right to Object: Individuals can object to businesses processing their personal data for direct marketing
  • Rights in Relation to Automated Decision-Making and Profiling: The GDPR allows automated decision-making and profiling to only be conducted in specific instances, and businesses must obtain consent before doing so. Data subjects can request human involvement, challenge a decision and monitor a businesses’ systems to ensure they are operating correctly

What is Considered “Personal Data” Per the GDPR? 

According to the text of the statute, a data subject is anyone “who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identify of that person.” 

Let’s take a second to unpack that definition. Essentially, the GDPR takes a broad approach when determining what qualifies as personal data. The “identifiers” mentioned in the definition include IP addresses, cookie identifiers and radio-frequency tags that are linked to genetic, biometric and health data, and personal data revealing racial or ethnic origin, political affiliation, religious or ideological beliefs or trade union involvement. 

Am I a Data Controller or Data Processor?

Per GDPR guidelines, the processing of personal data can only be conducted by authorized data controllers and data processors. Article 4 of the GDPR defines each as follows: 

  • Controller: Natural or legal person, public authority, agency or other entity which, alone or jointly with others, determines the purposes and means of the processing of personal data
  • Processor: Natural or legal person, public authority, agency or entity which processes personal data on behalf of the controller

Thus, the controller determines the purpose and method in which the data will be processed and the processor actually carriers these directives out—they may or may not be within the same organization. 

What Counts as Processing? 

All of the following actions are considered “processing” of personal information under Article 4 of the GDPR: 

  • Collecting
  • Recording
  • Organizing
  • Storing
  • Altering
  • Retrieving
  • Disclosing
  • Combining
  • Restricting
  • Deleting

Additionally, Article 28 states that data controllers must implement strict vendor risk management protocol to ensure that their external data processors remain compliant with the GDPR including conducting systematic data privacy risk assessments for all third parties accessing personal data, continuously monitoring third parties, and maintaining records of GDPR compliance evidence. Entities must also ‘map’ GDPR-protected data, which tracks where the data is stored within the controller’s organization and its external vendors. 

How Can My Business Ensure GDPR Compliance? 

Ensuring that your organization remains compliant with the most comprehensive data privacy regulations in the world requires a considerable amount of preparation and planning, regardless of your business’ size or geographic location. The following are essential measures to implement in your workplace to ensure that you meet GDPR data protection requirements: 

  • Data Mapping: This process starts with access to all the data that your business has collected and stored from customers. You will need to conduct a thorough inventory of this information and document it regularly. 
  • Data Classification: The GDPR permits any EU resident to retrieve their data from your company and provide it to another entity (‘data portability’). The GDPR also permits subjects to request that you delete all of their stored information. In order to comply with these regulations, you will have to be able to efficiently identify and recall all of the requestor’s information—and the optimal way to accomplish this is to tag or classify every piece of personal information in your server. 
  • Implement GDPR Policies: In order to effectively manage your GDPR compliance initiative, you must actively organize your businesses’ handling of personal information. Proper governance entails establishing policies and procedures to ensure that all processing, storage and utilization of personal data is in accordance with the law. These policies should clearly define roles and responsibilities, dictate who may access data and for what purposes. 
  • Safeguard Data: It is of the utmost importance that you encrypt the data you store so that it is rendered unusable except by authorized parties. Additionally, you should only retain data as long as you need it for legitimate business uses before responsibly and safely disposing of it.
  • Conduct Regular Audits: Did you know that you must notify affected EU citizens within 72 hours of a breach or unauthorized disclosure of their personal data? Do you have the ability to do so? Self-audits are a good way to identify any compliance gaps prior to being audited by a regulatory agency. 
Francine E. Love
Connect with me
Founder and Managing Attorney at Love Law Firm, PLLC which dedicates its practice to New York business law