If you’re a US-based company that serves EU customers or tracks their behavior online, the GDPR likely applies to you. But the law is complex, rooted in a different legal system, and often overwhelming for American teams with limited resources. Missteps aren’t just risky—they’re expensive, with fines reaching up to 4% of annual global revenue.
This blog breaks down exactly how GDPR applies to US companies, outlines the key requirements, including rules around international data transfers and approved mechanisms for moving EU personal data to the US, and provides guidance on how to stay compliant without draining your time, money, or sanity. Whether you’re just entering the EU market or scaling operations, this guide will help you navigate compliance with clarity and control.
TL;DR
- Does GDPR apply to US companies? Yes, if they process data of EU residents or offer goods/services to them, regardless of their physical location.
- Vendor agreements and appointing a GDPR representative in the EU are vital steps for US companies to manage data processing risks.
- Non-compliance with GDPR can lead to significant fines: up to €20 million or 4% of global annual turnover, whichever is higher.
What is GDPR compliance?
GDPR compliance is the process of adhering to the General Data Protection Regulation, the EU's data protection law. The regulation governs how organizations collect, store, and otherwise process the personal data of individuals in the EU, and requires transparency, a lawful basis for processing (consent is one of several), and appropriate protection of the data. It applies to any business, regardless of location, that offers goods or services to individuals in the EU or monitors their behavior. Failure to comply can result in significant fines, which makes GDPR a critical standard for global data protection.
Controller vs processor: Understanding your role under GDPR
Before determining whether GDPR applies to your US business, it’s important to understand a foundational distinction the regulation makes between two types of entities:
- Controller: The entity that decides why and how personal data is processed. If your company collects customer data, sets the purpose for its use, and decides how it’s stored or shared, you are the controller and you bear the primary compliance obligations.
- Processor: The entity that processes personal data on behalf of a controller, strictly following the controller’s instructions. Cloud providers, payroll platforms, and analytics tools are common examples.
Why does this matter?
Your role determines your obligations. Controllers must establish lawful bases for processing, maintain records, respond to data subject requests, and appoint representatives. Processors have narrower but still significant duties; they must act only on documented instructions, maintain security standards, and sign GDPR-compliant agreements with controllers. Some organizations act as both, depending on the data and context.
Knowing your role before assessing GDPR applicability ensures you’re looking at the right set of obligations from the start.
Does GDPR compliance apply to US companies?
Yes. Under Article 3(2), GDPR applies to a US company with no establishment in the EU if it offers goods or services to individuals in the EU or monitors their behavior. Monitoring includes the everyday tooling of a web business: cookies, analytics, and tracking of website visitors by IP address.
However, an important nuance: tracking IP addresses alone does not automatically trigger GDPR obligations. What matters is the intent and context behind the data collection. GDPR applies specifically when your activities are directed at EU residents, for example, offering goods or services to individuals in the EU, or when you are monitoring the behavior of individuals located in the EU. Simply having EU visitors land on your website without any deliberate targeting of the EU market may not be sufficient to trigger compliance obligations.
GDPR requirements for US companies
If your US business targets EU residents or tracks their behavior online, GDPR compliance is not optional. Here are the five most critical requirements:
- Lawful data processing: You must have a clear legal basis, such as consent, a contract, or a legitimate interest, for collecting and using personal data.
- User consent and transparency: Where you rely on consent, it must be explicit, informed, and revocable at any time. Your privacy policy should clearly explain data practices and user rights.
- Data subject rights: EU individuals can access, correct, delete, transfer, restrict, and object to the processing of their data, and are protected against solely automated decision-making that significantly affects them. You must respond to these requests within strict timelines and maintain a documented process for handling them.
- Vendor management: Any third-party vendors handling EU data must sign GDPR-compliant agreements and adhere to established security standards.
- Breach notification: Personal data breaches must be reported to the supervisory authority within 72 hours of your becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and to the affected individuals when the risk to them is high.
How is GDPR carried out in the US?
GDPR is enforced on US companies through its extraterritorial scope. Any business that collects or processes data of EU residents must comply, regardless of physical location. EU supervisory authorities have the power to investigate violations and issue fines under a two-tier structure. Serious violations can attract fines of up to €20 million or 4% of annual global turnover, whichever is greater, while less severe infringements may result in fines of up to €10 million or 2% of annual global turnover. Beyond financial penalties, regulators can also impose corrective measures, such as suspending processing activities.
To meet these obligations, US companies must, unless an exemption applies, appoint a representative within the EU, adopt privacy practices aligned with the GDPR, and ensure that their systems can handle data subject rights, breach notifications, and risk assessments. Demonstrating compliance through documentation and internal controls is key to staying audit-ready and avoiding penalties.
EU GDPR vs UK GDPR: Do US companies need both?
Many US SaaS companies serving both EU and UK users assume a single GDPR framework covers both markets, but that’s not quite right. Following Brexit, the UK enacted its own version, the UK GDPR, which runs parallel to, but is separate from, the EU GDPR.
Here’s what US companies need to know:
- Two distinct frameworks: UK GDPR is closely aligned with EU GDPR, but is a separate legal obligation. Serving UK users means complying with both if you also serve EU users.
- UK representative: Just as EU GDPR requires an EU representative, UK GDPR requires a separate UK-based representative for non-UK organizations.
- Data processing agreements: A single DPA can cover both frameworks if carefully drafted to address the requirements of each.
- Transfer mechanisms differ: The UK has its own transfer tools, the International Data Transfer Agreement (IDTA) and the UK Addendum to the EU SCCs, distinct from the EU’s Standard Contractual Clauses.
GDPR compliance checklist for US companies
These steps apply to US-based organizations that process the personal data of individuals in the EU:

1. Map your data
GDPR applies only if you process personal data of individuals protected under this framework. Before determining your obligations, you need a clear picture of what data you hold, why you hold it, and how it flows through your organization. An internal data audit is the starting point for this.
Use the factors listed in Recital 23 to determine whether you are offering goods or services to individuals in the EU:
- Do you offer goods or services to individuals in EU member states, for example by accepting orders from, or shipping to, the EU?
- Do you use an EU language or currency in your offering, or mention customers or users who are in the EU?
Your audit should also establish the categories of data collected, how it is processed and transmitted, who has access to it, and how long it is retained.
Special categories of data
During your mapping exercise, identify whether you collect any special categories of personal data, including information revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health information, or data concerning a person’s sex life or sexual orientation. Processing such data requires a significantly higher standard of protection, explicit consent, or another narrowly defined legal exception, and, in most cases, a mandatory DPIA. Organizations handling sensitive data at scale should also assess whether appointing a DPO is required.
Maintain records of processing activities (Article 30)
The findings from your audit should feed directly into a Records of Processing Activities (ROPA) document, a mandatory requirement under Article 30 for most organizations. Your ROPA must document:
- Controllers involved: The name and contact details of the controller and, where applicable, any joint controllers, the EU representative, and the DPO, with each party's role clearly specified, which matters most in cases of joint controllership
- Purposes of processing: Why each category of data is being collected and used
- Categories of data and data subjects: What data is held and who it relates to
- Recipients and transfers: Who data is shared with, including international transfers and applicable safeguards
- Retention periods: How long each category of data is held before deletion
- Security measures: Technical and organisational measures in place to protect the data
Your ROPA is a living document; it should be reviewed and updated whenever your processing activities change.
2. Transparency
“It’s the intent that matters.” GDPR is not anti-data collection; it regulates the lawful, fair, and transparent processing of personal data across its entire lifecycle, from collection and storage to use and deletion. Every processing activity needs one of the six lawful bases in Article 6:
- You have the consent of the subject
- It is necessary to fulfill a contractual agreement with the subject or is required to fulfill a request by the subject before entering a contract.
- It is part of a legal obligation the controller is subject to
- It is necessary to protect the vital interests of the subject or another individual
- It is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller
- The controller or a third party has a legitimate interest, unless that interest is overridden by the rights and freedoms of the subject
Member states of the Union can introduce more specific regulations on some of the justifications discussed above.
If you collect data on the basis of consent, remember that consent must be:
- Freely given – you cannot force the data subject to provide consent.
- Specific – all processing activities should be clearly listed to allow the subject to agree to each
- Informed – the data subject should know your identity, your intention, and know their right to withdraw consent
- Unambiguous – consent must be a clear affirmative act; pre-ticked checkboxes, inactivity, or terms buried in small print at the bottom of a page do not count
- Revocable – data subjects can withdraw their consent at any time, and withdrawing must be as easy as giving it
Lastly, you must provide complete clarity about your activities as per Article 12. This requires you to keep your privacy policy updated.
What to include in your privacy notice
Transparency obligations extend beyond just collecting data directly from individuals. When personal data is obtained from third parties, individuals must still be informed within a reasonable period unless a specific exemption applies.
Your privacy notice should clearly explain:
- Purpose of processing: Why the data is being collected and how it will be used
- Legal basis: The lawful ground under which the data is being processed
- Retention periods: How long the data will be held before deletion
- International transfers: Whether data is transferred outside the EU and what safeguards are in place
- Individual rights: What rights individuals hold over their data and how to exercise them
3. Data subject rights and DSARs
EU individuals hold several rights over their personal data that your organization must be operationally prepared to fulfill:
- Access and portability: Individuals can request a copy of their data and have it transferred to another provider.
- Correction and deletion: Inaccurate data must be corrected and erased upon valid request.
- Restriction and objection: Individuals can limit how their data is used or object to its processing, particularly for direct marketing.
- Automated decision safeguards: Individuals cannot be subject solely to automated decisions that significantly affect them without human oversight, the ability to express their views, and the right to contest the outcome.
Responding to DSARs
Requests must be fulfilled within one calendar month, with the option to extend by two months for complex cases, and the individual must be notified within the original window. Verify requester identity before responding, handle requests free of charge unless excessive, and maintain documented logs of all requests and actions taken for audit readiness.
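The one-month clock is where ticketing systems usually go wrong: "one month" is a calendar month, not 30 days, so a request received on 31 January falls due at the end of February, and the extension notice has to go out before that original deadline. The following is an added example, not code from the original article or from Sprinto's product, showing one way to compute both dates in Python. It assumes the EU convention that a time limit ending on a weekend or public holiday runs to the next working day; the holiday list is a constructed placeholder you would replace with the relevant calendar.

```python
import calendar
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Add whole calendar months. If the target month has no matching day,
    clamp to its last day, so 31 Jan + 1 month is 28 Feb (29 in a leap year)."""
    year_offset, month_index = divmod(start.month - 1 + months, 12)
    year, month = start.year + year_offset, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays: frozenset = frozenset()) -> date:
    """Roll a deadline falling on Saturday, Sunday or a listed public holiday
    forward to the next working day (assumed convention for EU time limits)."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def dsar_deadlines(received: date, extended: bool = False,
                   holidays: frozenset = frozenset()) -> dict:
    """Compute the Article 12(3) deadlines for one request.

    respond_or_notify_extension_by: one month from receipt; by this date you
        either answer or tell the requester you are extending and why.
    respond_by: the same date, or three months from receipt if the two-month
        extension for complex or numerous requests is used.
    """
    initial = next_working_day(add_months(received, 1), holidays)
    final = next_working_day(add_months(received, 3), holidays) if extended else initial
    return {
        "received": received,
        "respond_or_notify_extension_by": initial,
        "respond_by": final,
    }


def dsar_deadlines_iso(received_iso: str, extended: bool = False,
                       holiday_isos: tuple = ()) -> dict:
    """String-in, string-out wrapper for ticketing systems that store ISO dates."""
    holidays = frozenset(date.fromisoformat(h) for h in holiday_isos)
    result = dsar_deadlines(date.fromisoformat(received_iso), extended, holidays)
    return {k: v.isoformat() for k, v in result.items()}


if __name__ == "__main__":
    # 31 Jan has no "31 Feb": the clock ends on the last day of February.
    print(dsar_deadlines_iso("2025-01-31", extended=True))
    # 6 Jul 2025 is a Sunday, so the deadline rolls to Monday 7 Jul.
    print(dsar_deadlines_iso("2025-06-06"))
```

Store both dates on the ticket when it is opened, and alert on the earlier one: the extension is only available if the requester hears about it inside the first month.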
Automated decision-making and profiling
If your organization uses AI or algorithms for decisions like credit approvals or eligibility assessments, ensure human review mechanisms, transparency in how decisions are made, and explainability are built into your systems.
4. Risk assessment
If you store personal data in the cloud or across third-party systems, it is exposed to a range of security and privacy threats. As a data controller, mitigating these risks is not optional; it is a core GDPR obligation under Article 32.
Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is a structured process for identifying and minimizing privacy risks before they materialize. DPIAs are mandatory when processing is likely to result in high risk to individuals, for example, when using new technologies, processing sensitive data at scale, or conducting systematic monitoring. Even where not strictly required, conducting a DPIA is considered a security best practice and demonstrates proactive accountability.
Technical and Organisational Measures (TOMs)
GDPR requires organizations to implement appropriate TOMs to ensure a level of security proportionate to the risk. These include:
- Technical measures: Encryption in transit and at rest, pseudonymization, access controls, and regular testing of whether those measures actually work
- Organisational measures: Staff training, internal data handling policies, incident response procedures, and clear accountability structures
Implementing TOMs is not a one-time exercise; they should be reviewed and updated regularly to reflect evolving threats and changes in your processing activities.
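Pseudonymization is the technical measure most often done badly: hashing an email address with plain SHA-256 and calling the result "anonymous". Because the input space is small and guessable, anyone holding the hashes can rebuild the mapping by hashing candidate addresses, so the data is still personal data and the "additional information" that reverses it is effectively public. The following added example is mine, not code from the original article or from Sprinto; it shows the dictionary attack against unkeyed hashes and the keyed alternative (HMAC-SHA256 under a secret stored apart from the data set, with a purpose label so tokens from different systems cannot be joined). The addresses and the guess list are constructed sample values.

```python
import hashlib
import hmac
import secrets


def normalise(identifier: str) -> str:
    """Canonical form before hashing, otherwise 'Bob@Example.org' and
    'bob@example.org' become two different tokens."""
    return identifier.strip().lower()


def unkeyed_pseudonym(identifier: str) -> str:
    """The common mistake: plain SHA-256 of the identifier. Deterministic and
    unkeyed, so anyone holding the tokens can recompute them for guessed inputs."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes, purpose: str) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    of Article 4(5): it lives in a secrets manager, access-controlled separately
    from the pseudonymised data set. The purpose label gives each processing
    purpose its own token space so two data sets cannot be joined without the key."""
    if len(key) < 32:
        raise ValueError("pseudonymisation key must be at least 256 bits")
    message = purpose.encode() + b"\x00" + normalise(identifier).encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def reverse_by_guessing(tokens: set, candidates, token_fn) -> dict:
    """Dictionary attack: compute the token of every candidate identifier with
    whatever function the attacker can run, and match against the token set."""
    recovered = {}
    for candidate in candidates:
        token = token_fn(candidate)
        if token in tokens:
            recovered[token] = normalise(candidate)
    return recovered


# Constructed sample data, not real people.
SAMPLE_EMAILS = ["alice@example.com", "Bob@Example.org"]
# A guess list: a marketing export, a public breach corpus, an employee directory.
GUESSES = ["carol@example.net", "alice@example.com", "bob@example.org", "dave@example.com"]


def demo() -> dict:
    unkeyed_tokens = {unkeyed_pseudonym(e) for e in SAMPLE_EMAILS}
    key = secrets.token_bytes(32)  # generated once, stored apart from the data
    keyed_tokens = {keyed_pseudonym(e, key, "analytics") for e in SAMPLE_EMAILS}

    # The attacker holds the tokens and the guess list but not the key, so the
    # only token function they can run is the unkeyed one.
    from_unkeyed = reverse_by_guessing(unkeyed_tokens, GUESSES, unkeyed_pseudonym)
    from_keyed = reverse_by_guessing(keyed_tokens, GUESSES, unkeyed_pseudonym)
    return {
        "unkeyed_recovered": sorted(from_unkeyed.values()),
        "keyed_recovered": sorted(from_keyed.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Keyed tokens stay linkable within one purpose (the same address always maps to the same token under the same key and label), which is what analytics needs, while the data set on its own tells an attacker nothing. Rotating or destroying the key is also the cheapest way to retire a pseudonymised data set when its retention period ends.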
Data protection by design and default
If you are starting a new project or deploying a new system that involves personal data, GDPR requires you to embed privacy protections from the outset rather than as an afterthought. This means:
- Applying security measures such as pseudonymization, encryption, and data minimization from the design stage
- Limiting data collection, storage, access, and processing to only what is strictly necessary for the specified purpose
- Ensuring that, by default, only the minimum amount of personal data is processed
- Documenting and demonstrating compliance through GDPR certification, where applicable
Data retention and deletion controls
Personal data should not be stored indefinitely. Organizations must define retention periods based on legal, contractual, and business needs, and ensure data is deleted or anonymized once it is no longer required. Retention policies should:
- Specify timeframes by data category
- Cover backups and archived data, not just live systems
- Include automated deletion mechanisms where possible
Failure to manage retention properly is one of the most common and easily avoidable GDPR compliance gaps. Retention schedules should be documented and reviewed periodically to ensure they remain aligned with your current processing activities and legal obligations.
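Retention is where the written policy and the running system drift apart. The added example below is not from the original article or from Sprinto's product; it is a small enforcement pass in Python that applies a per-category schedule to a set of records, deletes or anonymises what has expired, respects legal holds, and refuses to silently keep records whose category has no schedule. The categories, day counts and records are constructed placeholders, not recommended retention periods.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Illustrative schedule only: real periods come from legal, contractual and
# business analysis. "delete" removes the record; "anonymise" keeps it for
# statistics or accounting but strips every field that identifies a person.
RETENTION_SCHEDULE = {
    "marketing_consent": {"days": 730, "action": "delete"},
    "support_ticket": {"days": 1095, "action": "anonymise"},
    "invoice": {"days": 3650, "action": "anonymise"},
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    personal_fields: dict
    legal_hold: bool = False
    non_personal_fields: dict = field(default_factory=dict)


@dataclass
class RetentionReport:
    """Audit trail of one enforcement pass; this is the evidence behind your ROPA."""
    kept: list = field(default_factory=list)
    deleted: list = field(default_factory=list)
    anonymised: list = field(default_factory=list)
    held: list = field(default_factory=list)         # expired but under legal hold
    unscheduled: list = field(default_factory=list)  # no schedule: escalate, never assume


def expiry_date(rec: Record) -> Optional[date]:
    rule = RETENTION_SCHEDULE.get(rec.category)
    return None if rule is None else rec.created + timedelta(days=rule["days"])


def apply_retention(records: list, today: date) -> tuple:
    """Return (surviving records, report). Records are mutated in place when anonymised."""
    survivors, report = [], RetentionReport()
    for rec in records:
        expires = expiry_date(rec)
        if expires is None:
            report.unscheduled.append(rec.record_id)  # keep, but flag loudly
            survivors.append(rec)
        elif today < expires:
            report.kept.append(rec.record_id)
            survivors.append(rec)
        elif rec.legal_hold:
            report.held.append(rec.record_id)
            survivors.append(rec)
        elif RETENTION_SCHEDULE[rec.category]["action"] == "delete":
            report.deleted.append(rec.record_id)
        else:
            rec.personal_fields = {}  # identifiers gone; non-personal fields survive
            report.anonymised.append(rec.record_id)
            survivors.append(rec)
    return survivors, report


def sample_records() -> list:
    """Constructed test data."""
    return [
        Record("c1", "marketing_consent", date(2023, 6, 1), {"email": "a@example.com"}),
        Record("c2", "marketing_consent", date(2025, 6, 1), {"email": "b@example.com"}),
        Record("t1", "support_ticket", date(2022, 1, 1), {"name": "C"},
               non_personal_fields={"product": "widget", "resolved": True}),
        Record("i1", "invoice", date(2015, 1, 1), {"name": "D"}, legal_hold=True),
        Record("x1", "session_log", date(2020, 1, 1), {"ip": "192.0.2.1"}),
    ]


def run_demo(today_iso: str = "2026-01-01") -> dict:
    survivors, report = apply_retention(sample_records(), date.fromisoformat(today_iso))
    return {
        "kept": report.kept,
        "deleted": report.deleted,
        "anonymised": report.anonymised,
        "held": report.held,
        "unscheduled": report.unscheduled,
        "survivor_ids": [r.record_id for r in survivors],
        "personal_fields_left": {r.record_id: bool(r.personal_fields) for r in survivors},
    }


if __name__ == "__main__":
    print(run_demo())
```

Run a pass like this on a schedule against every store that holds personal data, and treat a non-empty `unscheduled` list as a finding rather than noise. Backups need their own answer: either a backup retention that is shorter than the live data's, or a documented process for applying the same deletions when a backup is restored.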
5. Vendor agreement
Malicious actors are not the only ones putting your customer data at risk. Third-party vendors and business partners who access or process personal data on your behalf represent a significant and often underestimated compliance risk. A Data Processing Agreement (DPA) is the primary tool for managing this risk. It is a legally binding contract that governs how vendors handle personal data and ensures they comply with GDPR requirements.
What a compliant DPA must cover
A compliant DPA should clearly define:
- The subject matter and duration of processing
- The nature and purpose of processing
- The types of personal data involved
- The categories of individuals affected
It should also require processors to:
- Process data only on documented instructions from the controller
- Implement appropriate Technical and Organisational Measures (TOMs) to ensure data security
- Obtain written authorization before engaging sub-processors
- Assist the controller in fulfilling data subject requests and managing breach notifications
- Return or securely delete all personal data upon termination of services
Maintaining a register of all vendor agreements and regularly reviewing them strengthens accountability and ensures no processing relationship falls outside your compliance framework.
How to track DPAs and SCCs operationally
Having DPAs and Standard Contractual Clauses (SCCs) in place is only half the battle; tracking and maintaining them operationally is equally critical. Organizations should:
- Maintain a DPA register: Log all active vendor agreements, including the effective date, renewal date, and scope of processing covered
- Track SCC templates used: Record which SCC version applies to each transfer relationship, particularly as templates are updated by regulators
- Review transfer mechanisms periodically: Ensure that the legal basis for each international data transfer remains valid and up to date
- Monitor regulatory updates: Stay informed of changes to SCCs, adequacy decisions, and transfer frameworks that may affect existing agreements
Building this operational layer into your vendor management process transforms GDPR compliance from a legal checkbox into a living, auditable system.
6. International data transfers
If your US company transfers EU personal data to the United States or any other third country, you must rely on a lawful transfer mechanism under Chapter V of the GDPR. Transfers without one have drawn some of the largest GDPR fines issued to date. Accepted mechanisms include:
- EU–US Data Privacy Framework (DPF): US organizations can self-certify under the DPF to receive EU personal data lawfully
- Standard Contractual Clauses (SCCs): Contractual safeguards approved by the European Commission that can be incorporated into agreements with data importers
- Binding Corporate Rules (BCRs): For multinational organizations transferring data within a corporate group
- Transfer Impact Assessments (TIAs): Not a transfer mechanism in itself, but required alongside SCCs and BCRs. Following the Schrems II ruling, organizations must assess whether the laws of the destination country, particularly foreign surveillance laws, may undermine the protections the chosen mechanism offers, and implement supplementary safeguards where necessary
Regularly reviewing your transfer mechanisms is essential as regulatory requirements in this area continue to evolve.
7. Appoint a representative
Non-EU organizations that fall under Article 3(2), that is, those that offer goods or services to individuals in the EU or monitor their behavior, are required under Article 27 to appoint a representative within the EU. The representative must be established in one of the EU member states where the individuals whose data is being processed are located.
When is a representative required?
Not all non-EU organizations are required to appoint a representative. The Article 27(2) exemption applies only if all of the following hold:
- Processing is occasional rather than systematic
- It does not include large-scale processing of special categories of data or of data relating to criminal convictions and offences
- It is unlikely to result in a risk to the rights and freedoms of individuals
However, most organizations offering goods or services to EU residents on an ongoing basis will be required to designate a representative. Given that most US SaaS companies fall into this category, the exemption should not be assumed without careful legal assessment.
EU vs UK representative
It is important to note that EU GDPR and UK GDPR are separate frameworks with separate representative requirements:
- EU Representative: Required under EU GDPR if you process data of individuals located in EU member states
- UK Representative: If you also process data of UK residents, a separate UK-based representative may be required under UK GDPR
Organizations serving both EU and UK users cannot rely on a single representative to satisfy both obligations; each jurisdiction must be addressed independently.
Role and responsibilities
The representative acts as the point of contact for data subjects and supervisory authorities in matters relating to GDPR compliance. They must be appointed without prejudice to any legal actions that may be brought against the controller or processor directly, and should cooperate fully with the relevant supervisory authorities to ensure compliance obligations are met.
8. Breach notification
No matter how strong your security posture is, there is no way to prevent 100% of breaches. Build your infrastructure not only to prevent incidents but to detect and respond to them. If a personal data breach occurs, two parties may need to be notified: the competent supervisory authority, and the affected data subjects.
Ensure the following when notifying the supervisory authority (Article 33):
- Notify within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If you cannot provide everything within 72 hours, notify in phases and explain the delay.
- Describe the nature of the breach, including the categories and approximate number of data subjects and of personal data records affected.
- Include the name and contact details of your Data Protection Officer or other contact point, the likely consequences of the breach, and the measures taken or proposed to address it and mitigate its effects.
- Document every breach, its effects, and the remedial action taken, whether or not it was notifiable; the supervisory authority can ask to see this record.
Ensure the following when notifying data subjects (Article 34):
- Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
- Individual notification is not required if the data was rendered unintelligible to unauthorized parties (for example, properly encrypted), if you have since taken measures that mean the high risk is no longer likely to materialize, or if it would involve disproportionate effort, in which case a public communication is required instead.
- Explain the breach and the corrective measures in clear and plain language.
9. Data protection officer
If your organization processes large volumes and varied types of personal data, it can be hard for existing staff to keep up with the work GDPR compliance requires, and appointing a Data Protection Officer (DPO) is worth considering. Under Article 37, a DPO is mandatory if:
- You are a public authority or body (other than a court acting in its judicial capacity).
- Your core activities consist of regular and systematic monitoring of data subjects on a large scale.
- Your core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.
GDPR, the easy way
GDPR is not easy, but it is not optional either. Bigger players like Facebook, Google, or Amazon can absorb fines in the millions; the same penalties can leave a smaller company bleeding to death.
A PwC survey found that US organizations spend between $1 million and more than $10 million annually on GDPR compliance. There is a cheaper and faster path that costs a fraction of that time and money: the Sprinto solution automates the process, from evidence collection and risk monitoring to audit readiness and training, so you have what you need before regulators come knocking.
Let’s discuss your needs today.
FAQs on GDPR Compliance
What is GDPR compliance?
GDPR compliance is the process of adhering to the General Data Protection Regulation, the EU's data protection law. It governs how organizations collect, store, and process the personal data of individuals in the EU, and requires transparency, a lawful basis for processing, and appropriate protection of the data.
Is there a US equivalent of GDPR?
There is no single, comprehensive GDPR equivalent in the US. The closest analogues are state privacy laws such as the CCPA (California Consumer Privacy Act) for California residents, and sector-specific federal laws such as HIPAA for healthcare and GLBA for financial services.
How is GDPR enforced on US companies?
GDPR is enforced on US companies that offer goods or services to individuals in the EU or monitor their behavior, regardless of the company’s location. Enforcement is carried out by EU data protection authorities.
Does GDPR apply to all US websites?
GDPR does not apply to all US websites. It applies only to those that target individuals in the EU or monitor their behavior. A US website that doesn’t specifically target EU customers or track EU visitors may not need to comply.
Who penalizes US businesses for GDPR non-compliance?
EU data protection authorities, led by the supervisory authority in the relevant EU member state, are responsible for penalizing US businesses for non-compliance with GDPR. They can impose fines and other sanctions.
What does GDPR not apply to?
- Deceased individuals’ data
- Purely personal or household activities
- National security activities, and processing by law enforcement for criminal matters, which falls under a separate EU directive
- Companies that don’t target individuals in the EU or monitor their behavior
- Anonymized data (if truly anonymized and not merely pseudonymized)
Anwita
Anwita is a cybersecurity enthusiast and veteran blogger rolled into one. Her love for everything cybersecurity started her journey into the world of compliance. With multiple cybersecurity certifications under her belt, she aims to simplify complex security topics for all audiences. She loves to read nonfiction, listen to progressive rock, and watch sitcoms on the weekends.