GDPR Implications for US Companies

Reviewed by Danielle Vargas, CIPP/US, CIPP/E, CIPM

GDPR applies to any US company processing personal data of EU residents — regardless of where you're located, incorporated, or host servers. Fines reach 4% of global annual revenue or 20 million euros, whichever is higher. Enforcement is active and intensifying, with billions in fines already issued. You need a lawful basis for every processing activity, systems to handle data subject rights within 30 days, and a legal mechanism for EU-to-US data transfers.


You're running a SaaS company based in the United States, and a customer from Germany just filled out your standard agreement. Your head of sales says it's a legitimate deal. Your general counsel says you now have GDPR obligations. You might be thinking that GDPR is European law that doesn't apply to US companies, but that's exactly the misunderstanding that creates legal exposure. The General Data Protection Regulation applies to any organization processing personal data of European Union residents, regardless of where the organization is located or where its servers live. If your product is accessible to Europeans, if you have European customers, or if you collect personal information from anyone living in the EU, the law applies to you.

The penalties for non-compliance reach up to four percent of global annual revenue or twenty million euros, whichever is higher. Enforcement is active, with regulatory bodies across Europe bringing investigations and levying substantial fines. If you're processing European personal data, GDPR compliance is a legal and financial necessity.

GDPR follows the person, not the company — any US company with EU users is in scope

The first principle is that GDPR's reach is tied to the person, not the company. The law applies whenever you process personal data of EU residents, regardless of where your company is incorporated, where your servers are located, or where you do business. A US company with no European employees, no European office, and no European revenue can still fall under GDPR if it processes data from EU residents.

If you have a website that accepts customers from Europe, you're processing data of EU residents. If you collect an email address from someone in Germany, you're processing that data. If you collect resumes from EU residents for hiring, you're processing their data. The processing is the trigger, not the size of your operation or the revenue generated. This creates operational scope for many US companies that never expected GDPR to apply — a small consulting firm with European clients, a software company with European users, an e-commerce platform that ships to Europe.

The law also introduces the concept of "data controllers" and "data processors." If you decide what personal data to collect, how to use it, and how long to keep it, you're a controller. If you process data on behalf of someone else and follow their instructions, you're a processor. Many organizations play both roles depending on the context. Understanding which you are determines what obligations fall on you specifically.

You must establish a lawful basis before processing any EU personal data

GDPR requires a lawful basis for processing personal data. This is fundamentally different from most US privacy frameworks, which assume you can process data until someone tells you not to. GDPR reverses that logic: you cannot process data unless you have a specific legal basis.

There are six lawful bases. Consent — the person explicitly agrees. Contract — processing is necessary to fulfill an agreement. Legal obligation — you're required by law. Vital interests — protecting someone's life, rarely used outside healthcare. Public task — performing a task in the public interest, used primarily by government. Legitimate interests — processing is necessary for your legitimate business interests, but only if those interests aren't outweighed by the person's rights and freedoms.

The complexity lies in the legitimate interests test. Consent and contract are straightforward. But legitimate interests requires a balancing test: is your business interest in processing this data outweighed by the person's interest in privacy? Processing data to improve your service may qualify. Processing data to sell to third parties for behavioral advertising is unlikely to qualify without explicit consent. For most US companies serving EU customers, consent or contract will be the lawful basis. You need to identify which applies to each type of processing you do. GDPR enforcement actions routinely cite "lack of lawful basis" as a primary violation.

GDPR consumer rights are broader, stricter, and faster than US equivalents

GDPR grants EU residents rights that are broader and more strongly enforced than rights under most US privacy laws: the right to access their personal data, the right to rectification (correction), the right to erasure (deletion), the right to restrict processing, the right to data portability, the right to object to processing, and the right to protection against automated decision-making.

The right to access requires response within thirty days — no exception, no negotiation. The access must be comprehensive: all personal data you hold, the purposes for processing, who you've shared it with, retention periods, and information about automated decision-making.

The right to erasure — "the right to be forgotten" — is more expansive than deletion rights under US law. You must delete personal data from production systems, backups, data warehouses, and any third-party systems you've shared it with. Many organizations discover they cannot actually delete data because it's embedded in system backups or historical records. The Ponemon Institute's 2023 Cost of a Data Breach Report found that organizations with mature data lifecycle management practices experienced breach costs $360,000 lower than those without — underscoring that the operational discipline GDPR requires also reduces financial exposure.

The right to data portability requires providing personal data in a structured, machine-readable format so the person can transfer it to another service. This is unique to GDPR. The right to object allows people to challenge processing based on legitimate interests — if you claim legitimate interests for marketing, they can object and you must stop unless you demonstrate a compelling interest that overrides theirs.

Data protection impact assessments are required for high-risk processing

GDPR requires data protection impact assessments (DPIAs) for processing likely to result in high risk to rights and freedoms. High-risk processing includes large-scale processing of special category data (race, ethnicity, religion, health, sexual orientation), systematic monitoring of public spaces, or automated decision-making that significantly affects people.

A DPIA is a risk analysis: identify the processing activity, describe what data you're processing, explain why, identify the risks, and outline safeguards to mitigate those risks. For many US companies processing EU resident data, a DPIA may not be required if you're processing basic contact data for straightforward business purposes with appropriate safeguards. But if you're processing special category data, using automated decision-making, or doing large-scale systematic processing, a DPIA is both required and substantive. Getting it right requires genuine risk analysis, not paperwork generation.

EU-to-US data transfers remain legally uncertain — plan your mechanism now

One of GDPR's most significant implications for US companies is the restriction on transferring personal data from the EU to the US. GDPR requires that the destination country provide "an adequate level of protection." In the view of European regulators, the US has not unequivocally met that standard.

If you're a US company processing EU customer data on US servers, you need a legal mechanism to bridge the gap. The traditional mechanism is Standard Contractual Clauses (SCCs) — legal agreements committing the US recipient to EU-level privacy standards. A 2020 European Court of Justice ruling (Schrems II) cast doubt on SCCs' effectiveness, arguing that US surveillance law may undermine contractual commitments. This created uncertainty that persists. Many US companies now add supplementary safeguards on top of SCCs — encryption commitments, data residency in Europe, or other measures reducing US surveillance exposure.

The practical implications are significant. Some US companies contractually keep EU customer data on European servers. Some implement end-to-end encryption. Some spend substantial resources on legal analysis to make SCCs work. There's no single solution — it depends on what data you're processing, what your business needs, and your risk tolerance.

Enforcement is aggressive — fines in the billions and investigations lasting years

GDPR enforcement has intensified significantly. The Irish Data Protection Commission, which handles complaints about many major US tech companies, has issued billions of euros in fines. France's CNIL has brought similarly aggressive enforcement actions. The 2024 Verizon DBIR found that 15% of breaches involved a third party, up 68% from the prior year — and GDPR holds controllers responsible for processor failures, making third-party risk management a critical enforcement focus.

The maximum fine reaches four percent of global annual revenue. For a billion-dollar company, that's forty million dollars. For a hundred-million-dollar company, that's four million. These are not theoretical — companies have been fined in these ranges. Beyond the fine, enforcement actions require remediation: fixing the violation, implementing new safeguards, changing data practices. Investigations that start with a complaint can take years, during which regulatory scrutiny and media attention create additional reputational and business damage.

Start with data mapping, identify lawful bases, and build rights-response systems

For US companies with EU customers, a practical approach starts with clarity about what data you're processing, from whom, and for what purposes. This data mapping foundation is the prerequisite for every privacy program. Once you understand your processing, identify your lawful basis for each type and ensure you have proper documentation and consent mechanisms.

Update your privacy policy to be GDPR-compliant: explain your lawful basis, describe people's rights, explain data retention, and provide contact information for your data protection officer or privacy contact. Build systems to respond to data subject rights requests within thirty days. Assess whether you need a Data Protection Impact Assessment. Evaluate your data transfer mechanisms — if you're storing EU data on US servers, you need a legal basis for that transfer and you should understand the current regulatory uncertainty.

Designate someone — internally or through external counsel — to own GDPR compliance. GDPR requires a Data Protection Officer in some cases, but most US companies designate someone who reports to leadership about GDPR obligations and manages compliance infrastructure. GDPR compliance for US companies is genuinely complex and genuinely mandatory. But the complexity is navigable. Thousands of US companies serve EU customers and maintain GDPR compliance. Understanding what applies, building systems to honor obligations, and taking it seriously is the difference between a manageable compliance program and a legal landmine.


Frequently Asked Questions

Does GDPR apply to my US company if I don't have a European office?
Yes. GDPR applies based on whose data you process, not where you're located. If you process personal data of EU residents — through a website accessible to Europeans, EU customers, or EU job applicants — you're in scope regardless of whether you have any European presence.

What's the difference between a data controller and a data processor under GDPR?
A controller decides what data to collect, how to use it, and how long to keep it. A processor handles data on behalf of a controller under the controller's instructions. Your obligations differ depending on your role. Many US companies are controllers for their own customer data and processors when handling data on behalf of clients.

How do I legally transfer EU personal data to US servers?
The primary mechanism is Standard Contractual Clauses (SCCs), supplemented with additional safeguards like encryption, data residency commitments, or other measures addressing US surveillance concerns. The legal landscape around EU-US transfers remains uncertain following the Schrems II ruling — consult legal counsel familiar with current transfer mechanisms.

What's the maximum GDPR fine?
Up to 4% of global annual revenue or 20 million euros, whichever is higher. These are not theoretical maximums — regulators have imposed fines in the hundreds of millions of euros against major companies. Fines are assessed based on severity, duration, data types involved, and whether the violation was intentional or negligent.

Do I need a Data Protection Officer (DPO)?
GDPR requires a DPO if your core activities involve large-scale systematic monitoring of individuals or large-scale processing of special category data. Most US companies processing standard customer data don't need a formal DPO, but designating someone to own GDPR compliance is operationally essential regardless of the legal requirement.


Fully Compliance provides educational content about IT compliance and privacy regulations. This article reflects general information about GDPR as of its publication date. Regulations, penalties, and requirements evolve — consult a qualified compliance professional for guidance specific to your organization.