Drata

GDPR for US Companies: A Practical Guide to Compliance

Learn when GDPR applies to US companies, what the regulation requires, and how to build a compliant privacy program. Get a practical checklist and see how Drata streamlines GDPR readiness.

Many US companies assume the General Data Protection Regulation (GDPR) only affects organizations based in the European Union (EU). It does not. GDPR applies when a company offers goods or services to individuals in the EU or monitors their behavior in the EU, including through analytics or tracking technologies. US companies that overlook this obligation risk non-compliance, significant fines, and reputational damage that can disrupt expansion plans or existing customer relationships.

This guide explains GDPR for US companies, when it applies, what the regulation requires, and how to operationalize compliance in a way that supports growth. You’ll find a clear checklist, practical examples, and an overview of how automation strengthens privacy programs and reduces manual effort.

Does GDPR Apply to US Companies?

Yes. GDPR applies to many US companies, even those without a physical presence in any EU member state. For a company with no EU establishment, its scope depends on where individuals are located when their data is processed, not where the company is headquartered or incorporated. GDPR applies to your organization if it:

  • Has an establishment in the EU, such as an office, subsidiary, or employee conducting business activities in an EU country, regardless of where the data processing itself happens
  • Offers goods or services to individuals in the EU, whether paid or free
  • Monitors the behavior of individuals located in the EU, for example through cookies, analytics tools, or other tracking technologies

That last category is where most US companies become subject to GDPR requirements. If your site receives traffic from the EU and your systems collect IP addresses, device information, or behavioral data from those visitors, GDPR may apply to your organization.

Location, Not Citizenship

GDPR protects individuals who are physically in the European Union while their data is processed; it is not limited to EU citizens.

If a US citizen uses your app while visiting Spain, that individual is a data subject under GDPR for that processing. In contrast, an EU citizen living in the United States is generally not covered by GDPR for data collected while they are stateside, unless the company processing the data is itself established in the EU, in which case GDPR applies regardless of where the individual is.

This location-based model shifts the focus to processing activities, not identity.

Enforcement Can Reach US Businesses

GDPR is enforced by data protection authorities (DPAs) in each member state. These regulators have pursued enforcement actions against US companies that failed to meet GDPR requirements, and a US company with no EU office is not out of reach.

Penalties can reach €20 million or 4% of global annual revenue, whichever is higher. Organizations that are sanctioned may also face restrictions on data transfers, public reprimands, and limits on EU market access.

GDPR Compliance Checklist for US Companies

The following checklist outlines what US companies must do to build and maintain GDPR compliance. While these steps are specific to GDPR, many of them also strengthen broader privacy and security programs by improving data visibility, accountability, and risk management.

1. Determine Applicability

Start by identifying whether your organization acts as a data controller, a data processor, or both.

  • A data controller decides why personal data is collected and how it will be used. For example, a SaaS company determines how it collects customer account data or marketing leads.
  • A data processor handles personal data on behalf of a controller and only on the controller’s instructions. For example, a SaaS platform processes its customers’ end-user data based on instructions from those customers.

Many US SaaS companies operate in both roles at the same time. A company may act as a processor for customer data while serving as a controller for employee records, billing information, or website analytics. Defining these roles clearly determines which GDPR obligations apply and informs contracts, policies, and workflows.

2. Map and Inventory Your Data

Create an inventory of personal data associated with individuals located in the EU. This inventory should answer basic questions such as:

  • What personal data you collect
  • Where that data comes from, such as product usage, forms, or support systems
  • Why the data is processed
  • Where the data is stored
  • Who has access to it
  • How long it is retained

Most organizations pull this information from existing systems, including databases, SaaS tools, cloud infrastructure, HR platforms, and customer support systems. Best practice is to maintain this inventory in a centralized system that can be updated as systems or processing activities change.

A clear data inventory supports GDPR requirements related to data subject rights, data retention, and security controls for high-risk processing.

3. Establish Legal Bases and Update Policies

Under GDPR, each instance of personal data processing must have a lawful basis. This means every reason you process personal data must be justified and documented.

The lawful bases include:

  • Consent: The individual has clearly agreed to the processing for a specific purpose.
  • Contract performance: Processing is necessary to deliver a product or service requested by the individual.
  • Legal obligation: Processing is required to meet a legal requirement.
  • Vital interests: Processing is necessary to protect someone’s life.
  • Public interest: Processing supports an official task carried out in the public interest.
  • Legitimate interest: Processing is necessary for a legitimate interest of your company or a third party, and that interest is not overridden by the individual’s interests, rights, and freedoms. This basis requires a documented balancing test.

In practice, most B2B companies rely on contract performance or legitimate interest rather than consent. Each lawful basis should be documented within your records of processing and reflected accurately in your privacy policy and internal documentation.

4. Appoint Required Roles

Some organizations must appoint a formal Data Protection Officer (DPO). This requirement applies when:

  • The organization’s core activities involve large-scale processing of special categories of data (such as health, biometric, or criminal-conviction data)
  • The organization’s core activities involve regular and systematic monitoring of individuals on a large scale
  • The processing is conducted by a public authority or body

GDPR does not define a strict numeric threshold for “large scale.” Regulators assess factors such as the volume of data, number of individuals affected, duration of processing, and geographic scope.

US companies that process EU data at scale may also need to appoint an EU representative. This individual or entity acts as a local contact point for supervisory authorities. Even when not legally required, assigning clear ownership for GDPR responsibilities improves accountability and coordination.

5. Implement Consent and Data Subject Rights Workflows

GDPR grants individuals certain rights over their personal data, including the right to access, correct, delete, restrict, or transfer their data, as well as the right to object to certain processing activities.

These rights mean organizations must support clear processes for receiving, verifying the requester’s identity, and fulfilling requests without undue delay and in any case within one month of receipt. That period can be extended by up to two further months for complex or numerous requests, but the individual must be told about the extension, and the reason for it, within the first month. This applies to employees, customers, and any other data subjects interacting with your services.

If you rely on consent as a lawful basis, consent must be freely given, specific, informed, and unambiguous. In practice, this means:

  • Users actively opt in rather than being automatically enrolled
  • Consent requests clearly explain how data will be used
  • Individuals can withdraw consent as easily as they gave it
  • Records show when and how consent was obtained

Together, these practices create a defensible process for managing consent and rights requests while reducing compliance risk.

6. Enforce Security and Privacy Safeguards

GDPR requires companies to put in place appropriate technical and organizational measures to protect personal data. Common safeguards include:

  • Access controls and role-based permissions
  • Encryption of data at rest and in transit
  • Multi-factor authentication
  • Continuous monitoring and logging
  • Asset inventories and vulnerability management

These measures help limit the impact of a data breach and support broader security obligations across other frameworks.

7. Review Vendors and Cross-Border Data Transfers

Many US companies rely on third parties to support core business functions such as hosting infrastructure, analytics, customer support, marketing, or payroll. When those vendors process EU personal data on your behalf, GDPR treats them as data processors, and your organization remains accountable for how that data is handled.

In practice, this means companies must first identify which vendors have access to EU personal data and understand how that data flows through their systems. This includes direct vendors as well as any subprocessors those vendors rely on.

To meet GDPR requirements, organizations should:

  • Maintain an inventory of vendors that process EU personal data.
  • Execute Data Processing Agreements (DPAs) that clearly define each party’s responsibilities, security obligations, and breach notification requirements.
  • Verify that vendors implement appropriate technical and organizational security measures.
  • Review and approve subprocessor usage, including how and where data is further processed.

Vendor oversight is not a one-time exercise. GDPR expects organizations to reassess vendor risk periodically and update agreements as services, data types, or processing activities change.

Cross-Border Data Transfers in Practice

A cross-border data transfer occurs whenever personal data is accessed, stored, or processed outside the EU (strictly, the European Economic Area). Remote access by staff counts as a transfer even if the data never moves. For US companies, common scenarios include:

  • EU customer data being hosted in US-based cloud infrastructure
  • Support teams outside the EU accessing EU user accounts
  • Vendors or subprocessors operating from non-EU locations

GDPR requires additional safeguards to ensure EU data remains protected after it leaves the EU. Transfers to the US are permitted without further measures only to companies certified under the EU-US Data Privacy Framework. Otherwise, the usual mechanism is Standard Contractual Clauses (SCCs) in agreements with EU data exporters. SCCs also require the parties to assess whether the laws of the destination country undermine the protections the clauses promise (a transfer impact assessment) and to document that assessment, adding supplementary measures such as encryption where needed.

Organizations must document which transfer mechanism applies to each data flow and ensure vendors adhere to those safeguards. This documentation is often reviewed during audits, customer due diligence, or regulator inquiries.

By combining vendor oversight with clearly documented transfer mechanisms, companies reduce legal risk and demonstrate that EU personal data remains protected throughout the supply chain.

8. Prepare and Test Breach Response Procedures

GDPR distinguishes between two notification scenarios, and the clock starts when the organization becomes aware of the breach.

A controller must notify its supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If the 72-hour deadline is missed, the notification must explain the delay. When a breach is likely to create a high risk to affected individuals, the controller must also notify those individuals directly without undue delay. Processors have their own duty to notify the controller without undue delay after becoming aware of a breach, so DPAs with vendors should set a concrete internal timeline that leaves the controller room to meet its 72-hour window.

An incident response plan should define how breaches are detected, assessed, escalated, documented, and communicated. Testing typically involves tabletop exercises or simulated incidents conducted at least annually or after significant system changes.

9. Conduct Ongoing Assessments and Staff Training

Regular assessments help teams catch gaps introduced by new features, integrations, or business changes and improve coordination across engineering, security, and legal teams.

Organizations should periodically:

  • Review processing activities
  • Refresh employee training
  • Update documentation
  • Conduct internal audits

When new systems or features are likely to result in a high risk to individuals (for example, large-scale profiling or systematic monitoring), GDPR requires a Data Protection Impact Assessment (DPIA) before processing begins; existing DPIAs should be revisited when the processing changes. A DPIA evaluates the risks to individuals and the measures chosen to mitigate them.

10. Document and Demonstrate Compliance

Maintaining documentation is essential because GDPR requires organizations to demonstrate compliance upon request.

Key documentation includes:

  • Records of Processing Activities (RoPA)
  • Data retention schedules
  • DPAs and transfer agreements
  • DPIA records
  • Approved policies and training logs
  • Security control evidence

Best practice is to store this documentation centrally, keep it current, and ensure it is accessible to compliance and legal teams. Strong documentation supports regulator inquiries, customer reviews, and internal governance.

How Drata Helps US Organizations Comply with GDPR

GDPR requires continuous oversight, structured policies, vendor documentation, and reliable evidence. Manual processes make this difficult to maintain.

Drata’s Trust Management Platform helps organizations streamline GDPR requirements by providing:

  • Cross-Framework Mapping: GDPR overlaps with SOC 2, ISO 27001, HIPAA, and other data privacy laws. Drata shows where existing controls meet GDPR obligations, reducing duplication.
  • Automated Evidence Collection: Platform integrations collect and organize evidence across your environment, including cloud infrastructure, identity systems, and business applications. This reduces manual effort, keeps records current, and supports RoPA documentation, vendor reviews, and ongoing policy monitoring.
  • Continuous Monitoring: Automated alerts highlight control failures and reduce non-compliance risk.
  • Vendor Risk Management: Store, review, and track vendor documentation, including DPAs and SCCs, in a centralized location.
  • Trust Center: Share your compliance posture with customers and partners to accelerate sales cycles and support data protection law expectations.

These capabilities give US companies a clearer, more reliable way to manage GDPR requirements at scale. Book a demo of Drata’s Trust Management Platform to see how automation simplifies privacy operations and supports ongoing compliance.

FAQs

Answers to some of the most frequently asked questions about GDPR for US companies.

Does GDPR apply if my company does not target EU customers?

It may. Offering goods or services to people in the EU is only one trigger; GDPR also applies if you monitor the behavior of individuals in the EU, for example through analytics or cookies, even when you are not deliberately targeting them.

How is GDPR different from US laws like CCPA?

GDPR is broader than CCPA. It applies based on the individual’s location rather than residency in one state, requires a documented lawful basis for all processing, grants stronger individual rights, and imposes a fixed 72-hour deadline for reporting breaches to regulators.

Do I need a Data Protection Officer?

GDPR requires a Data Protection Officer when an organization’s core activities involve large-scale processing of special categories of data, large-scale regular and systematic monitoring of individuals, or when it operates as a public authority. Even when not required, many companies assign an internal owner to manage GDPR responsibilities and coordinate privacy workflows.

How can I transfer personal data from the EU to the US?

You may rely on the EU-US Data Privacy Framework, SCCs, or other approved mechanisms. Legal review is recommended.

What happens if my company is not GDPR compliant?

Consequences include GDPR fines, restrictions or bans on processing, and reputational harm. Penalties can reach €20 million or 4% of global annual revenue, whichever is higher.


MARCH 10, 2026
Navigate GDPR With Confidence
Get a Demo