GDPR Compliance Analysis for US Businesses

The GDPR issue concerns compliance with a set of rules established by the European Union on privacy and the handling of individuals’ personal information. If you implement the EU rules in your business now, three results follow. One, you will “brush up” your practices regarding third-party data, which better protects your customers and others. Two, you will avoid possible lawsuits by third parties, especially those people who are “trolling” for lawsuits. Three, you will have a marketing benefit to discuss with your customers and users.

Compliance Questions:
(1) Does your business maintain any stable, organized establishments in the EU?
If yes, what type of personal data processing does that involve?

(2) Does your business offer goods and/or services to persons in the European Union?
If yes, what type of personal data processing does that involve?

(3) Does your business monitor the behavior of persons in the European Union?
(Behavior monitoring, as defined in Recital 24, involves the tracking of persons on the internet and subsequent use of personal data processing, including profiling, especially to make decisions concerning the tracked person and/or to analyze or predict their personal preferences, interests, activities, economic situation, location or movements, health, performance at work, reliability, and attitudes.)

If yes, what type of personal data processing does that involve?

Is your website accessible to persons in the European Union?

Does your website automatically log IP addresses of visitors? If yes, how is that information processed?

Does your website use cookies? If yes, for what purpose? What type of personal data is processed?

(4) Does your business receive personal data from an establishment in the European Union?
If yes, what type of personal data does that involve?

What establishment in the EU transfers the personal data to your business?

What are their data protection practices?

(5) What security practices does your business currently employ in processing your clients’ personal data (including organizational procedures and technical measures)?
Is there an established code of conduct regarding who can access personal data?

Are there any third parties involved?

Compliance Steps:
(1) Data Mapping: Assess current personal data processing and the current privacy policy regarding the type and amount of personal data under firm control, whose personal data is collected, the risks associated with personal data under firm control, the persons and entities involved, the purpose(s) of processing, the necessary scope of processing, and existing security measures.

(2) Adopt and integrate new data protection principles into the privacy policy
(a) legality, fairness, transparency
(b) purpose limitation
(c) data minimization
(d) accuracy
(e) confidentiality & security

(3) Update employee code of conduct within privacy policy

(4) Update the consent procedure

(5) Update the procedure for the disclosure of the privacy policy (“Privacy Notices”)

(6) Update the provision of persons’ rights regarding personal data, including the right of access, right to erasure, right to rectification, and right to restriction of processing

(7) Update the technical and organizational security measures and implement data protection by design and by default

(8) Update the record-keeping procedure

(9) Update the data breach procedure

(10) Update agreements with third-party processors, if applicable

(11) Update employment contracts regarding the processing of employees’ personal data

(12) Update supplier contracts regarding the processing of personal data

(13) Inform all involved employees of the changes and conduct training where needed