The EU's General Data Protection Regulation applies to any business that handles EU residents' data — regardless of where you're headquartered. Here's what you need to know.
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law, effective May 25, 2018. It gives EU residents meaningful control over their personal data — how it's collected, stored, used, and deleted.
Unlike many US privacy laws that focus on specific industries or data types, GDPR applies broadly to nearly all personal data about EU residents. And crucially: it applies extraterritorially. If your US company has EU customers, EU users, or processes EU residents' data in any way, GDPR applies to you — regardless of where your servers are located.
"Personal data belongs to the individual, not the company collecting it."
— The foundational principle of GDPR
GDPR has broad territorial reach. Your US business must comply if any of the following apply:
You have an office, employee, or establishment in any EU member state.
You offer goods or services to EU residents — even for free. This includes SaaS, e-commerce, apps, and websites.
You track or profile EU residents — including analytics, advertising pixels, and behavioral tracking cookies on your website.
You employ people in the EU or process personal data of EU-based employees.
Common Situations Where US Businesses Are Caught Off Guard
Shopify, Mailchimp, and any SaaS platform serving EU customers are subject to GDPR. If you've ever had a paying customer in Germany, France, or the UK — you're covered. This includes free-tier SaaS users, newsletter subscribers, and anyone who filled out a contact form on your website.
Data Controller
You decide why and how data is processed
Carries primary GDPR responsibility. Determines the purpose and means of processing personal data. Most businesses collecting customer data are data controllers.
Data Processor
You process data on behalf of a controller
Carries secondary responsibility. Examples: cloud providers, email marketing platforms, CRM vendors. Must have a Data Processing Agreement with the controller.
The Complete Checklist
Identify a Legal Basis for Every Processing Activity
Every data processing activity requires a documented legal basis. GDPR recognizes six: consent, contract, legitimate interest, legal obligation, vital interests, and public task. You must identify and document the basis before you start processing — not after.
Publish a Plain-Language Privacy Notice
A clear, plain-language privacy notice explaining what personal data you collect, why you collect it, how long you retain it, who you share it with, and how individuals can exercise their rights. GDPR requires this to be concise, easily accessible, and written in plain language — legalese doesn't satisfy the requirement.
Implement Compliant Cookie Consent
Explicit opt-in consent is required for all non-essential cookies (analytics, advertising, tracking). Pre-ticked boxes are explicitly illegal. Users must be able to accept or decline individual cookie categories. A consent management platform (CMP) is the standard implementation.
Be Able to Fulfill Data Subject Requests
You must be able to fulfill requests to access, correct, delete, port, and restrict personal data — within 30 days. This requires internal processes, staff training, and the technical capability to locate and export or delete an individual's data across all systems.
Maintain a Record of Processing Activities (ROPA)
A Record of Processing Activities documenting all data flows in your organization: what personal data you process, the purpose, the legal basis, who has access, how long you keep it, and where it's transferred. Formally required for organizations with 250+ employees, but practically required for all organizations seeking to demonstrate compliance.
Prepare a Breach Notification Process
Notify the relevant EU supervisory authority within 72 hours of discovering a breach that poses a risk to individuals. If the breach is likely to result in high risk to individuals, you must also notify affected individuals "without undue delay." Document all breaches — even those that don't require notification.
Apply Privacy by Design and by Default
Privacy must be built into systems and processes from the start, not bolted on afterward. Collect only the minimum data necessary. Default settings must be privacy-protective. This applies when building new products, features, or data processing systems.
Sign Data Processing Agreements (DPAs) with Vendors
Required contracts with every vendor or service provider that processes personal data on your behalf — email providers, CRMs, cloud storage, payment processors, analytics tools. Required by GDPR Article 28. If your SaaS vendors don't offer DPAs, you cannot legally use them to process EU personal data.
Use a Lawful Mechanism for International Transfers
Transferring personal data outside the EU/EEA requires a lawful transfer mechanism: an adequacy decision (the EU has deemed the destination country's laws adequate), Standard Contractual Clauses (SCCs), or Binding Corporate Rules. The US does not have a blanket adequacy decision, so most US companies rely on SCCs.
Appoint a Data Protection Officer (DPO) Where Required
Formally required for public authorities, organizations that engage in large-scale systematic monitoring of individuals, or organizations that process special categories of data at scale. Optional — but strongly recommended — for US businesses with significant EU data processing. The DPO acts as an independent compliance expert and point of contact with regulators.
Know the Stakes
GDPR has a two-tier fine structure. Both tiers use whichever is higher — the fixed euro amount or the percentage of global annual revenue.
Tier 1 — Less Severe Violations
Up to €10M or 2% of global annual revenue, whichever is higher.
Violations of the obligations of controllers, processors, certification bodies, and monitoring bodies: for example, failing to maintain records, to implement data protection by design, or to appoint a DPO.
Tier 2 — More Severe Violations
Up to €20M or 4% of global annual revenue, whichever is higher.
Violations of basic principles (lawfulness, fairness, transparency), data subject rights, transfers to third countries, and specific member state provisions.
Notable GDPR Enforcement Actions
4% of global revenue means Amazon's theoretical maximum fine would approach $10 billion. Company size doesn't protect you from GDPR — it just makes the number bigger.
How ComplianceStack Helps
ComplianceStack gives you the frameworks, workflows, and documentation to achieve GDPR compliance in weeks, not months.
Map your data flows against all GDPR requirements and identify exactly where you fall short — with prioritized remediation steps.
AI-generated, GDPR-compliant privacy policies, cookie notices, and consent language — tailored to your specific business and data processing activities.
Workflow automation to receive, track, and fulfill DSRs within the 30-day GDPR deadline — with audit logs for every request.
Common Questions
Does GDPR apply to B2B companies?
Yes, if you process personal data of EU residents — including business contacts (names, work emails) of EU-based employees. B2B does not exempt you from GDPR. The regulation protects individuals, not just consumers. If you store a contact list of EU-based salespeople, you're processing personal data under GDPR.
How does GDPR differ from CCPA?
GDPR is EU-wide and comprehensive, covering virtually all personal data and all industries. CCPA is California-specific and primarily covers businesses meeting revenue or data volume thresholds. Both grant consumers rights over their data. GDPR requires opt-in consent for data processing; CCPA generally allows opt-out. A solid GDPR compliance program typically makes CCPA compliance substantially easier.
Do I need a Data Protection Officer?
A DPO is formally required if: (1) you are a public authority or body, (2) your core activities require large-scale, systematic monitoring of individuals (e.g., behavioral advertising, location tracking), or (3) your core activities involve large-scale processing of special categories of data (health, biometric, religious beliefs, etc.). Optional but strongly recommended for most US businesses with significant EU data. A DPO can be an employee or an external consultant.
What counts as personal data?
Any information that can identify a person directly or indirectly. This includes obvious data (name, email, phone, address) but also less obvious identifiers: IP addresses, cookie IDs, location data, device IDs, biometric data, and behavioral data that can be linked to an individual. The definition is deliberately broad — if there's a reasonable way to identify someone from the data, it's personal data under GDPR.
Is Google Analytics GDPR-compliant?
Using it lawfully requires proper cookie consent management and an executed Data Processing Agreement with Google. Multiple EU regulators (Austria, France, Italy, Denmark) have ruled that standard Google Analytics configurations are non-compliant without explicit consent because data is transferred to US servers. The safest approach: implement a consent management platform (CMP), obtain explicit consent before loading analytics, and consider GDPR-friendly alternatives like Plausible or Fathom Analytics.
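The consent gate the checklist item on cookie consent and the Google Analytics answer both describe can be implemented in a few dozen lines of browser JavaScript. The block below is an added example, not ComplianceStack's code or any CMP vendor's SDK: every non-essential category starts declined (no pre-ticked defaults), a visitor's choice is recorded per category with a timestamp so it can be evidenced later, and a third-party tag is injected only for categories that were explicitly granted. The category names, the storage key, and the script URLs (`analytics.example`, `ads.example`) are constructed placeholders.

```javascript
// Added example (not ComplianceStack's code): a minimal per-category consent
// gate. Nothing non-essential loads until the visitor opts in to its category.

const CATEGORIES = ["analytics", "advertising"]; // non-essential categories
const STORAGE_KEY = "consent-record-v1";         // constructed storage key

// Constructed placeholder tags standing in for e.g. an analytics script.
const SCRIPTS_BY_CATEGORY = {
  analytics: ["https://analytics.example/tag.js"],
  advertising: ["https://ads.example/pixel.js"],
};

// Default state: every non-essential category is declined and no timestamp is
// set. A pre-ticked default would not count as consent, so nothing is true here.
function defaultConsent() {
  const record = { timestamp: null, choices: {} };
  for (const c of CATEGORIES) record.choices[c] = false;
  return record;
}

// Record an explicit choice. Only categories the visitor actually touched
// change, and anything other than a literal `true` is treated as a decline.
function recordConsent(current, choices, now = new Date()) {
  const next = { timestamp: now.toISOString(), choices: { ...current.choices } };
  for (const [category, granted] of Object.entries(choices)) {
    if (!CATEGORIES.includes(category)) {
      throw new Error(`unknown consent category: ${category}`);
    }
    next.choices[category] = granted === true;
  }
  return next;
}

// Consent exists only if a choice was actually made and that category was granted.
function hasConsent(record, category) {
  return record.timestamp !== null && record.choices[category] === true;
}

// The tags that may be injected for this record; everything else stays unloaded.
function scriptsToLoad(record) {
  const out = [];
  for (const category of CATEGORIES) {
    if (hasConsent(record, category)) out.push(...SCRIPTS_BY_CATEGORY[category]);
  }
  return out;
}

// Withdrawal must be as easy as giving consent: reset to the declined default.
function withdrawConsent() {
  return defaultConsent();
}

// Browser-only glue: persist the record and inject the permitted tags. Guarded
// so the module also runs outside a browser.
function loadStoredConsent() {
  if (typeof window === "undefined") return defaultConsent();
  const raw = window.localStorage.getItem(STORAGE_KEY);
  return raw ? JSON.parse(raw) : defaultConsent();
}

function applyConsent(record) {
  const scripts = scriptsToLoad(record);
  if (typeof window === "undefined") return scripts;
  window.localStorage.setItem(STORAGE_KEY, JSON.stringify(record));
  for (const src of scripts) {
    const s = document.createElement("script");
    s.src = src;
    s.async = true;
    document.head.appendChild(s);
  }
  return scripts;
}
```

In a real deployment the banner's "accept" and "decline" buttons would call `recordConsent` with the visitor's per-category choices and then `applyConsent`, and the stored record (timestamp plus choices) is what you would produce if a regulator asks how consent was obtained.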
What is a Data Processing Agreement (DPA)?
A contract between you (as data controller) and any vendor or service provider (as data processor) who handles personal data on your behalf. Required by GDPR Article 28. The DPA must specify the subject matter, duration, nature, and purpose of the processing. Every vendor in your stack who touches EU personal data — your email marketing tool, CRM, cloud hosting, payment processor — needs a signed DPA with you.
What do I have to do after a data breach?
You have 72 hours to notify the relevant EU supervisory authority (the data protection authority in the country where you're established, or where affected individuals are located). If the breach is likely to result in high risk to individuals, you must also notify those individuals without undue delay. Document all breaches in a breach register — even if you determine notification is not required. The 72-hour clock starts when you become aware, not when the breach occurred.
When must I delete personal data on request?
EU residents can request deletion of their personal data when it's no longer necessary for the purpose it was collected, they withdraw consent, they object to processing, or it was unlawfully processed. You must comply within 30 days unless you have overriding grounds: a legal obligation to retain the data, the data is needed for legal claims, or another legitimate overriding basis. This applies across all systems — databases, backups, analytics, third-party processors.
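The erasure answer above and the "receive, track, and fulfill DSRs within the 30-day deadline with audit logs" workflow described earlier share one shape: log the request with its deadline, fan the deletion out to every store that holds the person's data, skip a store only where a documented overriding ground applies, and record each outcome. The block below is an added example of that workflow, not ComplianceStack's product code. The in-memory stores (`crm`, `analytics`, `invoices`), the retention-hold rule, and the subject and request identifiers are constructed for illustration.

```javascript
// Added example (not ComplianceStack's code): an erasure-request workflow with a
// deadline, per-store exemption check and audit log. Stores and rules are constructed.

const DEADLINE_DAYS = 30; // the response window stated on the page
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Constructed stores standing in for a CRM database, an analytics store and a
// system holding invoices. Each maps subject ID -> stored record.
function makeStores() {
  return {
    crm: new Map([["u-123", { email: "person@example.com" }]]),
    analytics: new Map([["u-123", { events: 42 }]]),
    invoices: new Map([["u-123", { total: 99 }]]),
  };
}

// Overriding grounds that block erasure of one store's copy (here a constructed
// legal obligation to retain invoices). The reason is written to the audit log.
const RETENTION_HOLDS = {
  invoices: "legal obligation: invoice records must be retained",
};

// Open a request and fix its deadline from the moment it was received.
function newRequest(id, subjectId, receivedAt) {
  const deadline = new Date(receivedAt.getTime() + DEADLINE_DAYS * MS_PER_DAY);
  return {
    id,
    subjectId,
    receivedAt: receivedAt.toISOString(),
    deadline: deadline.toISOString(),
    status: "open",
    audit: [],
  };
}

// A request is overdue if it is still open past its deadline.
function isOverdue(request, now) {
  return request.status === "open" && now.getTime() > new Date(request.deadline).getTime();
}

// Fan the erasure out to every store. Stores under a retention hold keep their
// copy and the hold reason is logged; every other store deletes the record.
// Each outcome is appended to the request's audit log.
function processErasure(request, stores, now) {
  for (const [name, store] of Object.entries(stores)) {
    const at = now.toISOString();
    if (RETENTION_HOLDS[name]) {
      request.audit.push({ store: name, action: "retained", reason: RETENTION_HOLDS[name], at });
      continue;
    }
    const existed = store.delete(request.subjectId);
    request.audit.push({ store: name, action: existed ? "deleted" : "not-found", at });
  }
  request.status = "closed";
  request.closedAt = now.toISOString();
  return request;
}

// Summary a reviewer would want: which stores still hold data and why.
function remainingCopies(request) {
  return request.audit.filter((e) => e.action === "retained").map((e) => e.store);
}
```

Real systems replace the `Map`s with calls to each database, the analytics platform and each third-party processor's deletion API, but the shape stays the same: the audit log is what lets you show, months later, that a request was handled on time and which copies were kept on a documented overriding ground.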
Do I need consent for all data processing?
No. Consent is just one of six valid legal bases under GDPR. Processing is also lawful for: performance of a contract with the individual, compliance with a legal obligation, protection of vital interests, performance of a public task, and legitimate interests of the controller. Many B2B companies legitimately rely on legitimate interests or contract performance rather than consent, which avoids the operational burden of managing consent for every interaction.
What is a Record of Processing Activities (ROPA)?
A written inventory of all data processing activities in your organization. Must include: what personal data you collect, for what purpose, on what legal basis, retention periods, who you share it with, and where it's transferred (including international transfers). Formally required for organizations with 250 or more employees, but practically required for any organization wanting to demonstrate GDPR compliance. Regulators frequently request the ROPA during investigations.
Take our free 5-minute compliance quiz to get a personalized GDPR action plan — and find out exactly what your US business needs to do.