EU Data Privacy Compliance

GDPR Compliance for US Companies: 10 Requirements + Enforcement Cases (2026)

The EU's General Data Protection Regulation applies to any business that handles EU residents' data — regardless of where you're headquartered. Here's what you need to know.

US Business Guide | Updated March 2025 | GDPR 2018–Present

What Is GDPR, in Plain English?

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law, effective May 25, 2018. It gives EU residents meaningful control over their personal data — how it's collected, stored, used, and deleted.

Unlike many US privacy laws that focus on specific industries or data types, GDPR applies broadly to nearly all personal data about EU residents. And crucially: it applies extraterritorially. If your US company has EU customers, EU users, or processes EU residents' data in any way, GDPR applies to you — regardless of where your servers are located.

"Personal data belongs to the individual, not the company collecting it."

— The foundational principle of GDPR

Does GDPR Apply to Your US Business?

GDPR has broad territorial reach. Your US business must comply if any of the following apply:

EU Physical Presence

You have an office, employee, or establishment in any EU member state.

Offering Services to EU Residents

You offer goods or services to EU residents — even for free. This includes SaaS, e-commerce, apps, and websites.

Monitoring EU Behavior

You track or profile EU residents — including analytics, advertising pixels, and behavioral tracking cookies on your website.

EU Employee Data

You employ people in the EU or process personal data of EU-based employees.


Common Situations Where US Businesses Are Caught Off Guard

Shopify, Mailchimp, and any other SaaS platform serving EU customers are subject to GDPR. If you've ever had a paying customer in Germany, France, or the UK — you're covered. This includes free-tier SaaS users, newsletter subscribers, and anyone who filled out a contact form on your website.

Two Key Roles Under GDPR

Data Controller

You decide why and how data is processed

Carries primary GDPR responsibility. Determines the purpose and means of processing personal data. Most businesses collecting customer data are data controllers.

Data Processor

You process data on behalf of a controller

Carries secondary responsibility. Examples: cloud providers, email marketing platforms, CRM vendors. Must have a Data Processing Agreement with the controller.

The Complete Checklist

Top 10 GDPR Requirements

1. Lawful Basis for Processing

Every data processing activity requires a documented legal basis. GDPR recognizes six: consent, contract, legitimate interest, legal obligation, vital interests, and public task. You must identify and document the basis before you start processing — not after.

2. Privacy Policy & Transparency

A clear, plain-language privacy notice explaining what personal data you collect, why you collect it, how long you retain it, who you share it with, and how individuals can exercise their rights. GDPR requires this to be concise, easily accessible, and written in plain language — legalese doesn't satisfy the requirement.

3. Cookie Consent & Consent Management

Explicit opt-in consent is required for all non-essential cookies (analytics, advertising, tracking). Pre-ticked boxes are explicitly illegal. Users must be able to accept or decline individual cookie categories. A consent management platform (CMP) is the standard implementation.

4. Data Subject Rights Procedures

You must be able to fulfill requests to access, correct, delete, port, and restrict personal data — within 30 days. This requires internal processes, staff training, and technical capability to locate and export or delete an individual's data across all systems.

5. Data Processing Inventory (ROPA)

A Record of Processing Activities documenting all data flows in your organization: what personal data you process, the purpose, the legal basis, who has access, how long you keep it, and where it's transferred. Formally required for organizations with 250+ employees, but practically required for all organizations seeking to demonstrate compliance.

6. Data Breach Notification

Notify the relevant EU supervisory authority within 72 hours of discovering a breach that poses risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected individuals "without undue delay." Document all breaches — even those that don't require notification.

7. Data Protection by Design and by Default

Privacy must be built into systems and processes from the start, not bolted on afterward. Collect only the minimum data necessary. Default settings must be privacy-protective. This applies when building new products, features, or data processing systems.

8. Data Processing Agreements (DPAs)

Required contracts with every vendor or service provider that processes personal data on your behalf — email providers, CRMs, cloud storage, payment processors, analytics tools. Required by GDPR Article 28. If your SaaS vendors don't offer DPAs, you cannot legally use them to process EU personal data.

9. International Data Transfers

Transferring personal data outside the EU/EEA requires a lawful transfer mechanism: an adequacy decision (the EU has deemed the destination country's laws adequate), Standard Contractual Clauses (SCCs), or Binding Corporate Rules. The US does not have a blanket adequacy decision, so most US companies rely on SCCs.

10. Data Protection Officer (DPO)

Formally required for public authorities, organizations that engage in large-scale systematic monitoring of individuals, or organizations that process special categories of data at scale. Optional — but strongly recommended — for US businesses with significant EU data processing. The DPO acts as an independent compliance expert and point of contact with regulators.

Know the Stakes

GDPR Fines and Penalties

GDPR has a two-tier fine structure. Both tiers use whichever is higher — the fixed euro amount or the percentage of global annual revenue.

Tier 1 — Less Severe Violations

€10M

or 2% of global annual revenue

Violations of the obligations placed on controllers, processors, certification bodies, and monitoring bodies: for example, failing to maintain records, to implement data protection by design, or to appoint a DPO where one is required.

Tier 2 — More Severe Violations

€20M

or 4% of global annual revenue

Violations of basic principles (lawfulness, fairness, transparency), data subject rights, transfers to third countries, and specific member state provisions.

Notable GDPR Enforcement Actions

Company (Supervisory Authority) | Violation | Fine
Meta (Ireland DPC) | Unlawful data transfers to the US | €1.2B
Amazon (Luxembourg CNPD) | Non-compliant advertising system | €746M
WhatsApp (Ireland DPC) | Transparency failures | €225M
Google (France CNIL) | Lack of valid consent for ads | €50M

4% of global revenue means Amazon's theoretical maximum fine would approach $10 billion. Company size doesn't protect you from GDPR — it just makes the number bigger.

How ComplianceStack Helps

GDPR Compliance, Without the €300/Hour Consultant

ComplianceStack gives you the frameworks, workflows, and documentation to achieve GDPR compliance in weeks, not months.

GDPR Gap Assessment

Map your data flows against all GDPR requirements and identify exactly where you fall short — with prioritized remediation steps.

Policy & Notice Templates

AI-generated, GDPR-compliant privacy policies, cookie notices, and consent language — tailored to your specific business and data processing activities.

Data Subject Request Tracker

Workflow automation to receive, track, and fulfill DSRs within the 30-day GDPR deadline — with audit logs for every request.


Common Questions

GDPR FAQ for US Businesses

Does GDPR apply to B2B companies in the US?

GDPR applies to any US company processing personal data of EU residents — and B2B relationships do not provide an exemption, meaning even contact lists of EU-based employees (names, work emails) fall within scope. The regulation protects individuals, not just consumers.

What is the difference between GDPR and CCPA?

GDPR is EU-wide and applies comprehensively to virtually all personal data and industries; CCPA is California-specific and only applies to businesses meeting revenue or data volume thresholds. The core operational difference: GDPR requires opt-in consent for data processing while CCPA generally allows opt-out. A robust GDPR compliance program substantially simplifies CCPA obligations — ComplianceStack's GDPR tools cover both frameworks.

Do I need a Data Protection Officer (DPO)?

A Data Protection Officer (DPO) is formally required under GDPR when: (1) you are a public authority or body, (2) your core activities involve large-scale systematic monitoring of individuals, or (3) you process special categories of data (health, biometric, religious beliefs) at scale. For most US companies with significant EU data exposure, appointing a DPO — either as an employee or external consultant — is strongly recommended, and ComplianceStack can help identify whether your data processing activities trigger the formal requirement.

What counts as "personal data" under GDPR?

GDPR defines personal data as any information that can identify an individual directly or indirectly — this covers obvious identifiers (name, email, phone, address) and less obvious ones: IP addresses, cookie IDs, location data, device IDs, biometric data, and behavioral data that can be linked to an individual. The definition is deliberately broad: if there is a reasonable path to identify someone from the data, it is personal data under GDPR.

Can I use Google Analytics and still be GDPR compliant?

Using Google Analytics requires a compliant cookie consent management platform (CMP) and an executed Data Processing Agreement with Google — and multiple EU data protection authorities (Austria, France, Italy, Denmark) have ruled that standard Google Analytics configurations are non-compliant because data transfers to US servers lack adequate legal basis without explicit consent. The safest approach: implement a CMP, obtain explicit consent before loading analytics, and consider GDPR-compliant alternatives like Plausible or Fathom Analytics.
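The consent requirements in item 3 of the checklist (no pre-ticked boxes, per-category choice) and the "obtain explicit consent before loading analytics" approach in the answer above come down to one mechanism: a non-essential tag must not run until an opt-in for its category has been recorded. The following is an added example, not code from the page or from ComplianceStack, showing the core of such a gate. The category names, the policy-version check on stored decisions, and the helper names are this example's own assumptions.

```javascript
// Added example, not code from the page or from ComplianceStack: a small
// consent gate of the kind a consent management platform (CMP) implements.
// Every non-essential category starts denied (no pre-ticked boxes), the
// user chooses each category individually, and a loader such as an
// analytics tag runs only after an explicit opt-in has been recorded.
// The category names and the policy-version check are assumptions made for
// this example, not values taken from the page.

const CATEGORIES = ["necessary", "analytics", "advertising"];

class ConsentManager {
  constructor(policyVersion, clock = () => new Date()) {
    this.policyVersion = policyVersion; // bump whenever the cookie notice changes
    this.clock = clock;                 // injectable for deterministic audit records
    // Default state: only strictly necessary cookies, which need no consent.
    this.state = Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
    this.record = null;                 // audit record of the user's decision
    this.pending = new Map();           // category -> loaders waiting for consent
  }

  // Record the user's explicit choices. Anything not set to true stays denied.
  setChoices(choices) {
    for (const c of CATEGORIES) {
      if (c !== "necessary") this.state[c] = choices[c] === true;
    }
    this.record = {
      policyVersion: this.policyVersion,
      decidedAt: this.clock().toISOString(),
      granted: CATEGORIES.filter((c) => this.state[c]),
    };
    this.flush();
  }

  isGranted(category) {
    return this.state[category] === true;
  }

  // Queue a loader (e.g. a function that injects the analytics <script> tag)
  // until its category is granted. Returns true if it ran immediately.
  loadWhenConsented(category, loader) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.isGranted(category)) {
      loader();
      return true;
    }
    const queue = this.pending.get(category) || [];
    queue.push(loader);
    this.pending.set(category, queue);
    return false;
  }

  // Run every queued loader whose category is now granted.
  flush() {
    for (const [category, loaders] of [...this.pending]) {
      if (!this.isGranted(category)) continue;
      loaders.forEach((fn) => fn());
      this.pending.delete(category);
    }
  }

  // Persisted form of the decision (what a CMP would store in a cookie).
  serialize() {
    return JSON.stringify(this.record);
  }

  // Restore a stored decision. A record made under an older policy version
  // is discarded, so the user is asked again rather than silently carried over.
  static fromStored(serialized, currentVersion, clock) {
    const manager = new ConsentManager(currentVersion, clock);
    let stored = null;
    try { stored = JSON.parse(serialized); } catch { stored = null; }
    if (!stored || stored.policyVersion !== currentVersion) return manager;
    const choices = Object.fromEntries(stored.granted.map((c) => [c, true]));
    manager.setChoices(choices);
    manager.record = stored; // keep the original decision timestamp
    return manager;
  }
}

// Browser-only helper: inject a script tag. Guarded so the module also loads in Node.
function injectScript(src) {
  if (typeof document === "undefined") return false;
  const tag = document.createElement("script");
  tag.src = src;
  tag.async = true;
  document.head.appendChild(tag);
  return true;
}

// Walk-through: analytics and advertising loaders are queued, the user
// accepts analytics only, and only the analytics loader ever runs.
function runDemo() {
  const ran = [];
  const cmp = new ConsentManager("2025-03");
  cmp.loadWhenConsented("analytics", () => ran.push("analytics"));
  cmp.loadWhenConsented("advertising", () => ran.push("advertising"));
  cmp.setChoices({ analytics: true, advertising: false });
  return ran;
}
```

In a real page the loader passed to `loadWhenConsented("analytics", ...)` would be something like `() => injectScript("<analytics tag URL>")`, so the third-party script is never requested (and no cookie is set) before the user opts in. The stored record carries the policy version and a timestamp, which is what an auditor asks for when checking that consent was valid at the time.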

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement (DPA) is a contract required by GDPR Article 28 between you (as data controller) and every vendor or service provider processing personal data on your behalf — email providers, CRM platforms, cloud storage, payment processors, and any other third party touching EU personal data. Running a DPA-free stack means your GDPR compliance is structurally broken, regardless of how many other measures are in place.

How do I handle a data breach under GDPR?

GDPR requires breach notification to the relevant EU supervisory authority within 72 hours of discovery — the clock starts when you become aware, not when the breach occurred. If the breach poses high risk to individuals, you must also notify affected data subjects directly without undue delay. All breaches must be documented in a breach register regardless of whether notification is required — and ComplianceStack's GDPR breach response workflow handles both the 72-hour clock and the breach register requirement.

What is the right to erasure ("right to be forgotten")?

The right to erasure (right to be forgotten) under GDPR requires organizations to delete personal data upon valid request unless an overriding exemption applies — legal obligation to retain, data needed for legal claims, or other legitimate grounds. ComplianceStack's Data Subject Request tracker automates the identification, processing, and documentation of erasure requests to meet the 30-day GDPR response requirement.

Do I need consent for every data processing activity?

GDPR provides six legal bases for data processing, and consent is just one of them — contract performance, legitimate interests, legal obligation, vital interests, and public task are also valid bases. Many B2B companies legitimately rely on legitimate interests or contract performance rather than consent, which avoids the operational burden of managing opt-in consent for every data processing activity.

What is a Record of Processing Activities (ROPA)?

A Record of Processing Activities (ROPA) is a written inventory of all data processing activities in your organization — what personal data you collect, for what purpose, on what legal basis, retention periods, who you share it with, and international transfer mechanisms. Formally required for organizations with 250+ employees, but practically required for any organization facing a GDPR investigation, as regulators frequently request ROPA during enforcement inquiries.

Related Tools from the Stack Network

LegalStackTools

GDPR-compliant privacy policies, DPAs, and data subject request templates.

BizStackHub

Business templates and generators for EU-compliant operations.

Ready to Get GDPR Compliant?

Take our free 5-minute compliance quiz to get a personalized GDPR action plan — and find out exactly what your US business needs to do.

