HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

GDPR Requirements for US Companies

A new European data privacy and security law – The General Data Protection Regulation (GDPR) – has been introduced, and while this law applies in Europe, there are also GDPR requirements for US companies, including for organizations in the healthcare sector.

The new law, which has an effective date of May 25, 2018, requires a swathe of protections to be introduced to keep data of EU consumers secure and to protect their privacy. Healthcare organizations are in a good position to comply with GDPR regulations since they are already required to comply with the HIPAA Privacy, Security and Breach Notification Rules. However, being HIPAA compliant is no guarantee that healthcare organizations will not fall afoul of GDPR.  GDPR requirements for US companies cover aspects of privacy and security not required for HIPAA compliance.

Why Does GDPR Apply to US Companies?

GDPR is concerned with protecting the privacy of EU citizens and securing their data, so why are there GDPR requirements for US companies? The reason for GDPR is to give data subjects greater control over the information that is collected, stored, and used by others. It doesn’t matter where in the world an entity is located, if that entity does business with EU citizens that involves collecting or processing personal data they must comply with GDPR. Simply complying with existing data privacy and security regulations in the country in which the entity operates is not sufficient.

Does GDPR Apply to EU Citizens in the US?

GDPR does not only apply to EU citizens who are in the EU. It applies wherever in the world EU citizens are located. Therefore, the data of any EU citizens working in the US, vacationing in the US, or receiving medical treatment in the US is subject to the same protection as if the EU citizens were working, vacationing or receiving medical treatment in the EU. US businesses who employ EU citizens among their domestic workforce will have to ensure their data security measures reach GDPR standards – whether applied selectively ot ro the entire domestic workforce.

GDPR Requirements for US Companies

GDPR naturally applies to multi-national companies that have a base in the EU or do business in the EU, although simply closing an EU base is not sufficient to avoid compliance with GDPR. GDPR is about data not where an organization has a base.

An organization may decide not to do business with EU citizens to avoid having to comply with GDPR, but even that decision must be implemented correctly. If you maintain a website that uses cookies, and it can be accessed by EU citizens, GDPR applies.

GDPR also applies to organizations of all sizes. It doesn’t matter if you are a small one-person practice or a large organization with thousands of employees. If you collect or process data on EU citizens, GDPR compliance is not optional.

GDPR replaces the EU Data Protection Act of 1998, which placed responsibility only on the data controller, not processors of data. If you processed data for another company (the controller) it would be that company that had to comply with past regulations. GDPR applies to both processors and controllers – Both parties are now responsible for protecting the privacy rights of EU citizens.

GDPR defines personal data as “Any information relating to an identified or identifiable natural person.” That includes names, addresses, telephone numbers, email addresses, credit card details, financial information, medical information, posts on social media websites, and an individual’s IP address.

The rights afforded to EU citizens and the major GDPR requirements for US companies include:

  • Ensuring data is only collected when there is a legal and lawful reason for doing so.
  • Obtaining consent before personal data is collected, stored, or processed.
  • Obtaining consent from parents or legal guardians before children’s data is collected or processed.
  • Implementing controls to ensure the confidentiality of data is safeguarded.
  • Training employees on GDPR and the correct handling of personal data.
  • Ensuring EU citizens’ right to be forgotten can be honored and that it is possible to permanently erase all collected data.
  • Ensuring EU citizens are informed about how their information will be collected and used, similar to the Notice of Privacy Practices required by HIPAA.
  • Making sure data transfers across borders occurs in accordance with GDPR regulations.
  • Putting data breach notification policies in place to ensure EU citizens receive notifications of a breach of their personal data.
  • It may also be necessary for organizations to appoint a Data Protection Officer. That individual must have a thorough understanding of GDPR requirements for US companies as well as the infrastructure and organization of their company.

What Do US Companies Need To Do Now to Ensure Compliance with GDPR?

  • The GDPR requirements for US companies depend on whether you are a data controller or data processor. Determine whether you are a controller, processor, or both.
  • Ensure you are aware of all data you collect or use, that you know where the data came from, every entity it has been shared with, and every location where it is stored. You must conduct a full audit, which can be a labor intensive and time-consuming process.
  • Determine whether you need to appoint a Data Protection Officer and designate a contact that will liaise with the GDPR supervisory body.
  • Develop consent and disclosure forms covering all possible uses of data.
  • Ensure you can detect, respond, and report on data breaches and have policies in place to notify EU citizens of those breaches.
  • Check your Notice of Privacy Practices and make sure it meets GDPR requirements.
  • Make sure your business associates and their subcontractors are aware of their requirements under GDPR.
  • Check your policies on data retention and make sure they meet GDPR requirements. There is a maximum time limit for the storage of data on EU citizens and data can only be kept until the purpose for which the information has been collected has been achieved.
  • If you transfer data across borders, you must ensure that GDPR requirements are satisfied.

What are the Penalties for Noncompliance with GDPR

Fail to meet GDPR requirements for US companies and you could be fined by the EU. The penalties for noncompliance with GDPR can be severe. A violation of GDPR can attract a fine of up to 20,000,000 Euros ($23,138,200) or 4% of the company’s annual global turnover, whichever is higher. That is far in excess of the penalties for HIPAA violations. However, that fine could be higher.

Becoming GDPR Compliant May Not be Straightforward

Since achieving compliance with GDPR may not be straightforward, meeting the May 25 deadline could be difficult, especially for any organization that has yet to develop their compliance program. Forward thinking companies started their compliance programs soon after the EU directive was finalized, although many firms have yet to begin.

According to figures from PwC, 68% of organizations have committed between $1 million and $10 million to meet GDPR requirements for US companies. 9% of US firms say they have allocated more than $10 million to GDPR compliance.

If you are unsure how GDPR affects your business, whether your compliance program is adequate, or if you don’t know where to start with GDPR compliance, it is strongly advisable to seek advice from compliance experts who can guide you through the process and ensure, come the deadline, your policies, procedures, systems, and data privacy and security practices are up to the standard required by the new EU Directive.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.