GDPR Implications for US Companies

This article is for educational purposes only and does not constitute professional compliance advice or legal counsel. Privacy laws and regulatory requirements evolve — consult a qualified compliance professional about your specific situation.


You're running a SaaS company based in the United States, and a customer from Germany just filled out your standard agreement. Your head of sales says it's a legitimate deal. Your general counsel says you now have GDPR obligations. You might be thinking that GDPR is European law that doesn't apply to US companies, but that's exactly the misunderstanding that creates legal exposure. The General Data Protection Regulation applies to any organization processing personal data of European Union residents, regardless of where the organization is located or where its servers live. If your product is accessible to Europeans, if you have European customers, or if you collect personal information from anyone living in the EU, the law applies to you.

Understanding when GDPR applies, what it requires, and what it means for your business operations is essential. The penalties for non-compliance are severe — reaching up to four percent of global annual revenue or twenty million euros, whichever is higher. Enforcement is active, with regulatory bodies across Europe bringing investigations and levying substantial fines. This isn't a framework you can ignore or treat as a compliance theater exercise. If you're processing European personal data, GDPR compliance is a legal and financial necessity.

GDPR Applicability: When It Applies to US Companies

The first principle to understand is that GDPR's reach follows the person, not the company. The law applies whenever you're processing personal data of EU residents, regardless of where your company is incorporated, where your servers are located, or where you do business. A US company with no European employees, no European office, and no European revenue can still fall under GDPR.

The law defines this through the concept of "processing personal data of data subjects in the Union." If you have a website that accepts customers from Europe, you're processing data of EU residents. If you collect an email address from someone who lives in Germany, you're processing that data. If you collect resumes from EU residents for hiring purposes, you're processing their data. The processing is the trigger, not the size of your operation or the revenue generated.

This brings into scope many US companies that never expected GDPR to apply to them. A small consulting firm with European clients, a software company with European users, an e-commerce platform that ships to Europe — all of these are processing EU resident data and thus fall under GDPR.

The law also introduces the concept of "data controllers" and "data processors." Understanding your role in this relationship is foundational to compliance. If you decide what personal data to collect, how to use it, and how long to keep it, you're a controller. If you process data on behalf of someone else and follow their instructions about how to use it, you're a processor. Many organizations play both roles depending on the context. Understanding which you are determines what obligations fall on you specifically.

The Foundation: Lawful Basis for Processing

GDPR requires that you have a lawful basis for processing personal data. This is different from many US privacy frameworks, which assume you can process data until someone tells you not to. GDPR reverses that logic: you cannot process data unless you have a specific legal basis for doing so.

There are six lawful bases under GDPR. The first is consent — the person explicitly agrees to your processing of their data. The second is contract — processing is necessary to fulfill an agreement with the person (like processing their payment information to complete a purchase). The third is legal obligation — you're processing data because you're required to by law. The fourth is vital interests — processing is necessary to protect someone's vital interests, which is rarely used outside healthcare and emergency response. The fifth is public task — processing is necessary to perform a task in the public interest (used primarily by government and public institutions). The sixth is legitimate interests — processing is necessary for your legitimate business interests, but only if those interests aren't outweighed by the rights and freedoms of the person whose data you're processing.

The complexity lies in the legitimate interests test. Consent is straightforward — you ask, they say yes, you process. Contract is straightforward — the processing is necessary to fulfill an agreement. But legitimate interests requires that you conduct a balancing test: is your business interest in processing this data outweighed by the person's interest in privacy? If you're processing data to improve your service, that might be legitimate. If you're processing data to sell it to third parties for behavioral advertising, that's unlikely to be legitimate unless you have explicit consent.

For most US companies serving EU customers, consent or contract will be your lawful basis. You need to identify which one applies to each type of processing you do. This isn't theoretical — GDPR enforcement actions often cite "lack of lawful basis" as a primary violation.

Consumer Rights: Stronger Than US Law

GDPR grants EU residents rights that are broader and more strongly enforced than rights under most US privacy laws. These include the right to access their personal data, the right to rectification (correction), the right to erasure (deletion), the right to restrict processing, the right to data portability, the right to object to processing, and the right to protection against automated decision-making.

The right to access is similar to rights under CCPA and the US laws that parallel GDPR, but the implementation timeline is stricter. You must respond within thirty days of receiving a request, without exception or negotiation. The access must be comprehensive — you must provide all personal data you hold, the purposes for processing, who you've shared it with, how long you'll keep it, and information about automated decision-making.

The right to erasure — commonly called "the right to be forgotten" — is more expansive than deletion rights under US law. You must delete personal data when the person requests it, when the data is no longer necessary for the original purpose, when they withdraw consent, or in some cases when processing is unlawful. This sounds simple until you realize the operational implications. If you're required to delete a customer's data, you must delete it from your production systems, your backups, your data warehouse, and any third-party systems you've shared it with. Many organizations discover they can't actually delete data because it's embedded in system backups or historical records.

The right to data portability requires that you provide personal data in a structured, commonly used, and machine-readable format so the person can transfer it to another service provider. This is unique to GDPR and doesn't exist in most US frameworks. It's designed to reduce lock-in to specific services.

The right to object allows people to object to processing based on legitimate interests. If you're processing their data for marketing purposes and you claim legitimate interests as your lawful basis, they can object and you must stop unless you can demonstrate a compelling interest.

Exercising these rights doesn't require that the person hire a lawyer or follow complex procedures. They can simply ask, and you're required to respond. Organizations that treat these requests as exceptions or edge cases frequently underestimate the operational burden they create.

Data Protection Impact Assessments: Planning for Risk

GDPR requires data protection impact assessments (DPIAs) for processing that's likely to result in high risk to rights and freedoms. High-risk processing includes large-scale processing of special category data (data about race, ethnicity, religion, health, sexual orientation, etc.), systematic monitoring of public spaces, or automated decision-making that significantly affects people.

A DPIA is essentially a risk analysis. You identify the processing activity, describe what data you're processing, explain why, identify the risks to privacy and freedoms, and outline safeguards to mitigate those risks. GDPR doesn't specify how to conduct a DPIA, which creates ambiguity. Some organizations conduct comprehensive assessments; others conduct minimal documentation and claim compliance. Regulators have provided guidance suggesting that a DPIA should be thorough enough to actually identify and address risk, not just create a compliance artifact.

For many US companies processing EU resident data, a DPIA might not be required. If you're processing basic contact data for straightforward business purposes with appropriate safeguards, the risk is likely not "high" in GDPR terms. But if you're processing special category data, using automated decision-making, or doing large-scale systematic processing, a DPIA is both required and substantive. Many organizations hire consultants to help with DPIAs because getting them right requires genuine risk analysis, not just paperwork generation.

The Data Transfer Problem

One of GDPR's most significant implications for US companies is the restriction on transferring personal data from the EU to the US. GDPR doesn't restrict data transfer absolutely, but it requires that the destination country provides "an adequate level of protection." The US, according to European regulators, does not.

This creates a practical problem: if you're a US company with EU customers, and you want to process their data on US servers (where your infrastructure is), you need a legal mechanism to bridge the gap between EU privacy requirements and US legal protections. The traditional mechanism is Standard Contractual Clauses (SCCs) — legal agreements that contractually commit the US recipient to EU-level privacy standards.

SCCs worked for years, but a 2020 European Court of Justice ruling (Schrems II) cast doubt on their effectiveness, arguing that US law (particularly government surveillance authorities) might undermine the contractual commitments. This created uncertainty that persists. Many US companies now add supplementary safeguards on top of SCCs — commitment to encryption, data residency in Europe (keeping data on European servers), or other measures that reduce the risk of US surveillance exposure.

The practical implications are significant. Some US companies have contractually committed to keeping EU customer data on European servers. Some have implemented end-to-end encryption so even they can't access the data. Some have spent substantial resources on legal analysis and contractual protections to make SCCs work for their business model. There's no single solution because it depends on what data you're processing, what your business needs, and what level of risk you're comfortable with.

The Enforcement Reality

GDPR enforcement has intensified significantly in recent years. The Irish Data Protection Commission, which handles complaints about many major US tech companies, has issued billions of euros in fines. France's CNIL has similarly brought aggressive enforcement actions. The pattern is clear: regulators are actively investigating companies, identifying violations, and imposing substantial penalties.

The penalty structure itself is designed to be serious. The maximum fine is up to four percent of global annual revenue. For a company with a billion dollars in annual revenue, that's forty million dollars. For a company with a hundred million dollars in revenue, that's four million dollars. These aren't theoretical numbers — companies have been fined in these ranges.

Beyond the fine, enforcement actions also require remediation. You must demonstrate that you've fixed the violation, implemented new safeguards, changed your data practices. An investigation that starts with a complaint can take years to resolve, during which regulatory scrutiny and media attention create additional reputational and business damage.

This enforcement environment means that GDPR compliance isn't optional or something you can defer until regulators knock on your door. If you're processing EU resident data, you should be approaching compliance as essential from day one.

Strategic Approach to GDPR Compliance

For US companies that process the data of EU customers or residents, a practical approach starts with clarity about what data you're processing, from whom, and for what purposes. This is the data mapping foundation that every privacy program requires. Once you understand your processing, you can identify your lawful basis for each type of processing and ensure you have proper documentation and consent mechanisms in place.

You'll need to update your privacy policy to be GDPR-compliant. This means explaining your lawful basis, describing people's rights, explaining data retention, and providing contact information for your data protection officer or privacy contact.

You need systems to respond to access requests and other data subject rights requests within thirty days. For many US companies, this requires building or purchasing systems they didn't have before.

You should assess whether you need a Data Protection Impact Assessment. If you're processing sensitive data or doing high-risk processing, you probably do. If you're processing basic contact information for straightforward purposes, you might not.

You need to evaluate your data transfer mechanisms. If you're storing EU resident data on US servers, you need a legal basis for that transfer (typically SCCs) and you should understand the current regulatory uncertainty around that mechanism.

Finally, you should consider appointing or designating someone (either internally or through external counsel) to own GDPR compliance. GDPR requires a Data Protection Officer in some cases, but most US companies designate someone who reports to leadership about GDPR obligations and manages compliance infrastructure.

The reality is that GDPR compliance for US companies is genuinely complex and genuinely mandatory. The penalties are severe, enforcement is active, and the legal obligations are strict. But the complexity is navigable. Thousands of US companies serve EU customers and maintain GDPR compliance. Understanding what applies to you, building systems to honor obligations, and taking it seriously is the difference between a manageable compliance program and a legal landmine.


Fully Compliance provides educational content about IT compliance and privacy regulations. This article reflects general information about GDPR as of its publication date. Regulations, penalties, and requirements evolve — consult a qualified compliance professional for guidance specific to your organization.