Many US companies assume the General Data Protection Regulation does not apply to them. They are often wrong. The GDPR has extraterritorial reach, meaning it can apply to organizations that have no physical presence in the European Union. If your company collects personal data from individuals in the EU, whether through a website, SaaS product, mobile app, or business relationship, you may be subject to its requirements. The penalties for non-compliance are substantial: up to 20 million euros or 4% of global annual turnover, whichever is higher.

This guide provides a practical checklist for US companies that need to evaluate and achieve GDPR compliance.

When Does GDPR Apply to US Companies?

Article 3 of the GDPR defines its territorial scope. The regulation applies to your organization if either of these conditions is met:

You offer goods or services to individuals in the EU. This does not require a paid transaction. If your website targets EU visitors (for example, by offering content in EU languages, accepting euros, or referencing EU customers), you are likely in scope. Simply having a website accessible from the EU is not enough on its own, but any deliberate targeting of the EU market triggers the regulation.

You monitor the behavior of individuals in the EU. If you track EU visitors using cookies, analytics, behavioral profiling, or similar technologies, the GDPR applies to that processing activity. This catches a wide range of US companies that may not sell directly to EU customers but do collect data about EU website visitors.

If either condition applies, you need to comply with the GDPR for the personal data of EU individuals, even if your company is headquartered in Wyoming, California, or anywhere else in the United States.

The Seven Key Principles

The GDPR is built on seven principles that shape every compliance obligation. Understanding these principles is essential because supervisory authorities evaluate compliance against them.

  1. Lawfulness, fairness, and transparency. You must have a valid legal basis for processing personal data, process it in ways the data subject would reasonably expect, and be transparent about what you do with it.
  2. Purpose limitation. Data collected for one stated purpose cannot be repurposed for something incompatible without additional consent or legal basis.
  3. Data minimization. Collect only the personal data you actually need for the stated purpose. Do not collect data speculatively or maintain fields “just in case.”
  4. Accuracy. Personal data must be kept accurate and up to date. You need processes for correcting or deleting inaccurate records.
  5. Storage limitation. Do not retain personal data longer than necessary for its original purpose. Define and enforce retention periods.
  6. Integrity and confidentiality. Protect personal data against unauthorized access, accidental loss, destruction, or damage using appropriate technical and organizational measures.
  7. Accountability. You must be able to demonstrate compliance with all of the above principles. Documentation is not optional.

Data Subject Rights

The GDPR grants individuals specific rights over their personal data. US companies must implement processes to handle these requests within mandated timeframes, typically one month from receipt.

  • Right of access. Individuals can request confirmation of whether you process their data and obtain a copy of it.
  • Right to rectification. Individuals can request correction of inaccurate personal data.
  • Right to erasure (right to be forgotten). Individuals can request deletion of their data when it is no longer necessary, when consent is withdrawn, or when processing is unlawful.
  • Right to restriction of processing. Individuals can request that you limit how their data is used while disputes are resolved.
  • Right to data portability. Individuals can request their data in a structured, commonly used, machine-readable format and have it transmitted to another controller.
  • Right to object. Individuals can object to processing based on legitimate interests or for direct marketing purposes.
  • Rights related to automated decision-making. Individuals have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

For each of these rights, you need a defined process, a responsible team or individual, and the technical capability to fulfill requests across all systems where personal data is stored.

GDPR Enforcement and Penalties

GDPR violations can result in fines up to 4% of annual global turnover or EUR 20 million, whichever is higher. Since enforcement began in 2018, regulators have issued billions of euros in fines, with Meta, Amazon, and TikTok among the largest recipients. For US companies, the extraterritorial reach means EU data protection authorities can and do pursue enforcement actions against non-EU organizations.

Data Protection Impact Assessments

A Data Protection Impact Assessment (DPIA) is required when processing is likely to result in a high risk to individuals. Common triggers include large-scale processing of sensitive data, systematic monitoring of public areas, and automated decision-making with legal effects.

A DPIA must describe the processing activity, assess its necessity and proportionality, evaluate risks to individuals, and identify measures to mitigate those risks. Even when not strictly required, DPIAs are a useful discipline for evaluating new projects or systems that handle personal data.

Cross-Border Data Transfers

Transferring personal data from the EU to the US requires a valid transfer mechanism. The EU-US Data Privacy Framework provides one path for companies that self-certify, but you should evaluate whether it fits your specific situation before relying on it. Other mechanisms include:

  • Standard Contractual Clauses (SCCs). Pre-approved contract terms issued by the European Commission that impose GDPR-equivalent obligations on the data importer. SCCs are the most widely used transfer mechanism for US companies.
  • Adequacy decisions. The European Commission can determine that a third country provides adequate data protection. The EU-US Data Privacy Framework functions as a partial adequacy decision for certified organizations.
  • Binding Corporate Rules (BCRs). Approved internal policies for multinational groups that govern cross-border transfers within the corporate family.

Whichever mechanism you use, you must conduct a Transfer Impact Assessment to evaluate whether the legal framework of the destination country (in this case, the US) provides adequate protection in practice, and implement supplementary measures if needed.

Practical Compliance Checklist

Use this checklist to evaluate and structure your GDPR compliance program.

Governance and Accountability

  • Appoint a Data Protection Officer if required (mandatory for public authorities and organizations conducting large-scale systematic monitoring or processing of sensitive data)
  • Designate an EU representative if you have no EU establishment but process EU personal data
  • Maintain a Record of Processing Activities documenting what data you collect, why, how it is processed, and who it is shared with
  • Implement a data protection policy and train employees on GDPR obligations
  • Identify and document the legal basis for each processing activity (consent, contract, legal obligation, vital interests, public task, or legitimate interests)
  • Where relying on consent, ensure it is freely given, specific, informed, and unambiguous with clear opt-in mechanisms
  • Implement mechanisms to withdraw consent as easily as it was given

Technical and Organizational Measures

  • Implement encryption for personal data in transit and at rest
  • Enforce access controls so that only authorized personnel can access personal data
  • Maintain logging and monitoring of access to personal data
  • Implement data backup and disaster recovery procedures
  • Conduct regular security testing and vulnerability assessments

Data Subject Rights

  • Build processes and technical capabilities to respond to access, rectification, erasure, portability, and objection requests within one month
  • Train customer-facing staff to recognize and route data subject requests
  • Maintain records of all data subject requests and responses

Breach Notification

  • Implement incident detection capabilities to identify personal data breaches
  • Establish a process to notify the relevant supervisory authority within 72 hours of becoming aware of a breach
  • Establish a process to notify affected individuals without undue delay when the breach poses a high risk

Third Parties and Transfers

  • Audit all third-party processors that handle EU personal data
  • Execute Data Processing Agreements with all processors
  • Implement a valid transfer mechanism for any EU personal data transferred to the US or other non-adequate countries
  • Conduct Transfer Impact Assessments for cross-border transfers

For a comprehensive approach to vendor risk, see our third-party risk management guide.

Managing GDPR Alongside Other Frameworks

Most US companies subject to the GDPR are also managing compliance with other frameworks. You may be pursuing ISO 27001 certification for your information security management system, or maintaining SOC 2 reports for customer assurance. The GDPR’s technical and organizational measures overlap significantly with these frameworks, particularly in areas like access control, encryption, incident response, and risk assessment.

The challenge is avoiding duplicated effort. If you maintain separate compliance programs for each framework, you end up documenting the same controls multiple times, tracking the same evidence in different systems, and conducting overlapping assessments.

US healthcare companies processing EU patient data must comply with both GDPR and the HIPAA Security Rule.

SCF Connect addresses this directly. By mapping GDPR articles and requirements to the Secure Controls Framework’s unified control set, the platform shows you which controls satisfy GDPR requirements and which of those same controls also satisfy ISO 27001, SOC 2, HIPAA, or any other applicable framework. You implement and document a control once, and SCF Connect tracks its compliance status across every framework that references it.

This unified approach is especially valuable for US companies that are encountering GDPR for the first time. Rather than building a standalone GDPR compliance program from scratch, you can integrate GDPR requirements into your existing security and compliance infrastructure and identify exactly where the gaps are.

Understanding what GRC means in practice and how a unified control framework supports it is the first step toward making GDPR compliance sustainable rather than a one-time scramble.

Start your free trial to see how SCF Connect maps GDPR to actionable controls alongside your other compliance obligations.

Frequently Asked Questions

Does GDPR apply to US companies?

Yes, if your company offers goods or services to individuals in the EU, or monitors the behavior of individuals in the EU (such as through website tracking or analytics), GDPR applies regardless of where your company is based. The key factor is not your location but the location of the data subjects whose data you process.

What are the GDPR data subject rights?

GDPR grants eight data subject rights: the right to be informed, right of access, right to rectification, right to erasure (“right to be forgotten”), right to restrict processing, right to data portability, right to object, and rights related to automated decision-making and profiling.

What is the maximum GDPR fine?

The maximum fine for the most serious GDPR violations is EUR 20 million or 4% of annual global turnover, whichever is greater. Lower-tier violations can result in fines up to EUR 10 million or 2% of global turnover.

How is GDPR different from CCPA?

GDPR applies to any organization processing EU residents’ data and uses an opt-in consent model. CCPA applies to for-profit businesses meeting specific California thresholds and uses an opt-out model. GDPR is generally more comprehensive: organizations compliant with GDPR typically meet most CCPA requirements, but not vice versa. Both can be managed through a common control framework.
