GDPR Guide for US Companies
Complete guide to GDPR compliance for US-based businesses. Understand when it applies, what's required, and how to implement compliance.
€20M
Max Fine (or 4% revenue)
72h
Breach Notification
8
Data Subject Rights
6
Lawful Bases
When Does GDPR Apply to US Companies?
GDPR has extraterritorial reach: whether it applies depends on whose data you process and what you do with it, not on where your company is located
EU Establishment
GDPR Applies
You have an office, subsidiary, or employees in the EU
Example: US company with a London sales office
Offering Goods/Services to EU
GDPR Applies
You target EU residents with products or services (paid or free)
Example: E-commerce site shipping to EU, SaaS with EU pricing in Euros
Monitoring EU Behavior
GDPR Applies
You track or profile EU residents' online behavior
Example: Analytics tracking EU website visitors, behavioral advertising
Processing EU Data for EU Controller
GDPR Applies (by contract)
An EU controller must bind you with an Article 28 data processing agreement, so GDPR's processor obligations reach you through that contract; if you also target or monitor EU residents yourself, GDPR applies to you directly
Example: US cloud provider hosting data for EU customers
Incidental EU Visitors
Likely Exempt
EU residents happen to visit your US-only website
Example: Local US business with no EU targeting. Note that running behavioral analytics or ad tracking on those visitors can move you into the monitoring case above.
When In Doubt, Comply
If you have any EU customers, users, or website visitors that you intentionally target, GDPR likely applies. The cost of compliance is far less than potential fines.
Data Subject Rights
GDPR grants individuals in the EU specific rights over their personal data. Six of the eight are listed here; the other two are the right to be informed (satisfied by your privacy notice) and the rights relating to automated decision-making and profiling.
Right of Access
Individuals can request a copy of their personal data and information about how it is processed
Implementation: Create a DSAR intake process (with identity verification) and a data inventory; respond within one month, extendable by two further months for complex requests
Right to Rectification
Individuals can request correction of inaccurate data
Implementation: Enable data updates in user accounts or via request
Right to Erasure
Individuals can request deletion of their data
Implementation: Implement deletion workflows across all systems, including processors and backups, and document the legal exemptions (e.g. records that must be kept under a legal obligation such as tax law)
Right to Data Portability
Individuals can receive the data they provided in a structured, commonly used, machine-readable format (applies where processing is automated and based on consent or contract)
Implementation: Enable data export in common formats (JSON, CSV)
Right to Object
Individuals can object to certain processing activities
Implementation: Implement opt-out mechanisms for marketing and profiling
Right to Restrict Processing
Individuals can limit how their data is used
Implementation: Ability to flag and restrict processing of specific records
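The rights above reduce to a small set of operations that must run consistently across every system holding the subject's data. The following is an added example, not code from the original page: a Node.js DSAR layer over a constructed inventory of three systems (crm, billing, analytics) showing access, portability scoped as Article 20 requires, erasure that reports rather than silently skips records retained under a legal obligation, and the Article 18 restriction flag. All system names, sample rows and the subject id are constructed for illustration.

```javascript
// Added example, not code from the original page: a minimal DSAR layer that
// fans one subject's request out across several internal systems. The system
// names (crm, billing, analytics), the sample rows and the subject id are all
// constructed for illustration.

// Each system exposes the same small shape so the DSAR code never needs to
// know how the data is actually stored.
function makeStore(name, rows, opts = {}) {
  return {
    name,
    rows,
    lawfulBasis: opts.lawfulBasis || "consent",
    // Records kept to satisfy a legal obligation (tax, accounting) are exempt
    // from erasure under Art. 17(3)(b) until the retention period ends.
    retainUntil: opts.retainUntil || null,
    // Art. 20 portability only covers data the subject provided themselves.
    portable: opts.portable === undefined ? true : opts.portable,
  };
}

// Constructed sample inventory: what the three systems hold about one subject.
const systems = [
  makeStore("crm",
    [{ subject: "user-1042", email: "a@example.com", marketingOptIn: true }],
    { lawfulBasis: "consent" }),
  makeStore("billing",
    [{ subject: "user-1042", invoice: "INV-7", amount: 42.0, issued: "2024-03-01" }],
    { lawfulBasis: "legal_obligation", retainUntil: "2031-01-01", portable: false }),
  makeStore("analytics",
    [{ subject: "user-1042", pageviews: 17, lastSeen: "2024-05-02" }],
    { lawfulBasis: "legitimate_interests", portable: false }),
];

const restricted = new Set(); // subjects who invoked Art. 18
const auditLog = [];          // evidence trail for accountability (Art. 5(2))

function rowsFor(store, subject) {
  return store.rows.filter((r) => r.subject === subject);
}

function logAction(subject, action, detail, now) {
  auditLog.push({ at: now.toISOString(), subject, action, detail });
}

// Art. 15 access: everything held, annotated with the lawful basis per system.
function handleAccess(subject, now = new Date()) {
  const result = {};
  for (const s of systems) {
    result[s.name] = { lawfulBasis: s.lawfulBasis, records: rowsFor(s, subject) };
  }
  logAction(subject, "access", null, now);
  return result;
}

// Art. 20 portability: only subject-provided data processed under consent or
// contract, returned as JSON so it can be handed to another controller.
function handlePortability(subject, now = new Date()) {
  const out = {};
  for (const s of systems) {
    if (!s.portable || !["consent", "contract"].includes(s.lawfulBasis)) continue;
    out[s.name] = rowsFor(s, subject);
  }
  logAction(subject, "portability", Object.keys(out), now);
  return JSON.stringify(out, null, 2);
}

// Art. 17 erasure: delete everywhere except where a retention period backed by
// a legal obligation is still running; the exemption is reported, not silent.
function handleErasure(subject, now = new Date()) {
  const report = { erased: [], retained: [] };
  for (const s of systems) {
    if (rowsFor(s, subject).length === 0) continue;
    if (s.retainUntil && new Date(s.retainUntil) > now) {
      report.retained.push({ system: s.name, basis: s.lawfulBasis, until: s.retainUntil });
      continue;
    }
    s.rows = s.rows.filter((r) => r.subject !== subject);
    report.erased.push(s.name);
  }
  logAction(subject, "erasure", report, now);
  return report;
}

// Art. 18 restriction: the data stays stored, but every other use is blocked
// until the flag is lifted, so processing code must consult mayProcess().
function restrictProcessing(subject, now = new Date()) {
  restricted.add(subject);
  logAction(subject, "restrict", null, now);
}

function mayProcess(subject, purpose) {
  return purpose === "storage" || !restricted.has(subject);
}
```

In a real deployment the `systems` array is the Records of Processing Activities made executable: each entry's lawful basis and retention period come from the ROPA, which is why the same register drives both the portability scope and the erasure exemptions.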
Lawful Bases for Processing
Every processing activity must have a documented lawful basis
Consent
Individual has given clear, affirmative consent
Use when: Marketing emails, cookies, optional data collection
- Must be freely given, specific, informed, unambiguous
- Clear affirmative action (no pre-ticked boxes)
- Easy to withdraw at any time (withdrawing must be as easy as giving it)
- Keep records of consent
Contract
Processing necessary to fulfill a contract
Use when: Delivering purchased products, providing subscribed services
- Must be genuinely necessary for the contract
- Cannot use for unrelated purposes
- Document the contractual necessity
Legal Obligation
Processing required by law
Use when: Tax records, employment law requirements, regulatory compliance
- Must be a clear legal requirement
- Document the specific legal basis
- Only process what's legally required
Legitimate Interests
Processing necessary for legitimate business purposes
Use when: Fraud prevention, network security, internal analytics
- Conduct Legitimate Interests Assessment (LIA)
- Balance against individual rights
- Document the assessment
- Not available for public authorities
Two Other Lawful Bases
Vital Interests (protecting life) and Public Task (official authority) exist but rarely apply to US commercial companies.
EU-US Data Transfer Mechanisms
Transferring EU personal data to the US requires a valid transfer mechanism
EU-US Data Privacy Framework
Self-certification program for US companies
Active (since July 2023)
Pros:
- Simplest for US companies
- Annual self-certification
- Well-established process
Cons:
- Subject to legal challenges
- Only for US transfers
- Requires ongoing compliance
Standard Contractual Clauses (SCCs)
EU-approved contract terms for data transfers
Active
Pros:
- Works for any country
- No certification required
- Widely accepted
Cons:
- Requires a Transfer Impact Assessment of the destination country's laws and, where that assessment finds gaps, supplementary measures (e.g. encryption with keys held in the EU)
- Complex documentation
Binding Corporate Rules (BCRs)
Internal rules for multinational company transfers
Active
Pros:
- Covers entire corporate group
- Once approved, simplifies transfers
Cons:
- Complex approval process (12-18 months)
- Expensive to implement
- Only for intra-group transfers
Recommended Approach
For most US companies, EU-US Data Privacy Framework certification is the simplest path. Consider also implementing SCCs as a backup in case the DPF faces legal challenges (like its predecessors Safe Harbor and Privacy Shield).
Required Documentation
GDPR requires maintaining specific documentation to demonstrate compliance
Privacy Policy
Required
Public-facing notice about data processing
Records of Processing Activities (ROPA)
Required
Internal register of all processing activities (Article 30). The exemption for companies under 250 employees does not apply where processing is regular rather than occasional, is likely to result in a risk, or involves special categories of data, so in practice most companies need one.
Data Processing Agreements (DPAs)
Required
Contracts with processors (vendors)
Data Protection Impact Assessments (DPIAs)
Situational
Risk assessments for high-risk processing
Required when: High-risk processing (profiling, large-scale sensitive data, systematic monitoring)
Breach Response Plan
Required
Procedures for handling data breaches
Implementation Timeline
Typical phases for achieving GDPR compliance
Data Mapping
- Identify all EU personal data
- Document data flows and systems
- Inventory processors and transfers
- Assess current compliance state
Gap Analysis & Planning
- Compare current state to GDPR requirements
- Identify compliance gaps
- Prioritize remediation efforts
- Develop implementation roadmap
Documentation
- Draft/update privacy policy
- Create Records of Processing
- Develop DPAs for vendors
- Document lawful bases
Technical Implementation
- Implement consent management
- Build DSAR handling process
- Configure data retention/deletion
- Establish transfer mechanisms
Training & Operations
- Train staff on GDPR requirements
- Establish ongoing compliance processes
- Implement breach response procedures
- Schedule regular compliance reviews
GDPR Penalty Structure
GDPR fines are capped at the higher of a fixed amount or a percentage of worldwide annual turnover; within that cap the amount is set per case according to the nature, gravity and duration of the infringement
Lower Tier
Up to €10 million or 2% of global annual turnover
Applies to: Record-keeping failures, lack of DPO, inadequate security measures, failure to notify breaches
Upper Tier
Up to €20 million or 4% of global annual turnover
Applies to: Violations of data processing principles, lawful basis, consent, data subject rights, international transfers
Notable GDPR Fines
Meta (Facebook): €1.2 billion (2023) - Unlawful data transfers to US
Amazon: €746 million (2021) - Consent and transparency violations
Google: €150 million (2022) - Cookie consent violations (CNIL; €90 million against Google LLC plus €60 million against Google Ireland, imposed under the French ePrivacy rules that apply GDPR's consent standard to cookies)
Common Compliance Pitfalls
Avoid these frequent mistakes US companies make with GDPR
Treating GDPR as IT-Only
GDPR compliance requires legal, operational, and technical changes. Treating it as purely a technology problem leads to incomplete compliance.
Solution: Form cross-functional team including legal, IT, marketing, HR, and operations.
Relying on Consent Alone
Over-relying on consent when other lawful bases are more appropriate. Consent must be freely given and easily withdrawn.
Solution: Assess all lawful bases for each processing activity. Use contract or legitimate interests where appropriate.
Ignoring Vendor Compliance
Assuming your vendors are GDPR compliant without verification. You're responsible for your processors' compliance.
Solution: Execute DPAs with all vendors, verify their compliance, and maintain processor inventory.
Inadequate Breach Response
Not having a tested breach response plan. GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a breach (unless it is unlikely to result in a risk to individuals), and notifying affected individuals without undue delay when the breach is likely to result in a high risk. Processors must notify their controller without undue delay, and every breach, notified or not, must be documented.
Solution: Document breach response procedures, assign responsibilities, and conduct tabletop exercises.
Cookie Consent Theater
Implementing cookie banners that do not actually block non-essential cookies and tags until consent is given, or that use dark patterns (pre-ticked boxes, no reject option, hidden withdrawal) to steer users into consenting.
Solution: Implement proper consent management platform that blocks non-essential cookies until affirmative consent.
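The consent requirements under Lawful Bases (freely given, affirmative action, easy withdrawal, records kept) and the cookie consent pitfall above come down to one gate. The following is an added example, not code from the original page or from any consent vendor: a consent manager whose decision logic is pure JavaScript, so it runs under Node for testing and in a browser through the optional DOM wiring. The notice version, category names, script URLs and cookie names are constructed for illustration.

```javascript
// Added example, not code from the original page: a consent gate whose
// decision logic is pure so it runs in Node as well as in a browser. The
// notice version, categories, script URLs and cookie names are constructed.

const NOTICE_VERSION = "2024-06"; // bump whenever the notice text or purposes change

// Non-essential categories. They are never on by default: a missing or
// non-true entry is a refusal, which rules out pre-ticked boxes by construction.
const CATEGORIES = ["analytics", "marketing"];

// Which third-party tags belong to which category, and which cookies they set.
// "essential" never waits for consent.
const SCRIPT_CATALOGUE = [
  { src: "https://cdn.example/session.js", category: "essential", cookies: ["sid"] },
  { src: "https://cdn.example/analytics.js", category: "analytics", cookies: ["an_visitor"] },
  { src: "https://cdn.example/ads.js", category: "marketing", cookies: ["ad_profile"] },
];

// A consent record captures what was shown, what was chosen, how and when, so
// the controller can later demonstrate that consent was valid (Art. 7(1)).
function makeConsentRecord(choices, method, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { noticeVersion: NOTICE_VERSION, granted, method, recordedAt: now.toISOString() };
}

// Consent given against an older notice is stale and must be asked again.
function isValidRecord(rec) {
  return Boolean(rec) && rec.noticeVersion === NOTICE_VERSION && typeof rec.granted === "object";
}

// The gate: with no valid record, only essential scripts may load.
function allowedScripts(rec, catalogue = SCRIPT_CATALOGUE) {
  const valid = isValidRecord(rec);
  return catalogue.filter(
    (s) => s.category === "essential" || (valid && rec.granted[s.category] === true),
  );
}

// Withdrawal must be as easy as giving consent (Art. 7(3)); it is simply a new
// record with every non-essential category off.
function withdrawConsent(now = new Date()) {
  return makeConsentRecord({}, "withdraw", now);
}

// Cookies belonging to categories that are not (or no longer) granted. In a
// browser they are expired immediately; the names are returned either way.
function cookiesToClear(rec) {
  const names = [];
  for (const s of SCRIPT_CATALOGUE) {
    if (s.category === "essential") continue;
    const granted = isValidRecord(rec) && rec.granted[s.category] === true;
    if (!granted) names.push(...(s.cookies || []));
  }
  if (typeof document !== "undefined") {
    for (const n of names) document.cookie = `${n}=; Max-Age=0; path=/`;
  }
  return names;
}

// Browser wiring: inject each permitted script once. Under Node (no DOM) it
// only returns the URLs that would be loaded.
const loadedScripts = new Set();
function applyConsent(rec) {
  const permitted = allowedScripts(rec).map((s) => s.src);
  if (typeof document !== "undefined") {
    for (const src of permitted) {
      if (loadedScripts.has(src)) continue;
      const el = document.createElement("script");
      el.src = src;
      el.async = true;
      document.head.appendChild(el);
      loadedScripts.add(src);
    }
  }
  return permitted;
}
```

Persist the record in a first-party cookie or localStorage and send a copy to the server so the consent log survives the browser; on withdrawal, call `cookiesToClear` and reload the page, because tags that are already running cannot be unloaded from a live document.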
Incomplete Data Subject Rights
Having no process or inadequate process for handling data subject requests within the required timeframe.
Solution: Build DSAR intake process, train staff, implement technical capabilities for access/deletion/portability.
Need Help with GDPR Compliance?
Our privacy experts help US companies navigate GDPR requirements. From gap assessments to implementation, we guide you through the entire process.