COMPLIANCE GUIDE

GDPR Compliance Guide for US Companies

Published January 2025 · 13 min read

Does GDPR Apply to Your US Company?

Yes, if you offer goods or services to EU residents or monitor their behavior. GDPR has extraterritorial scope, meaning US companies must comply when processing EU personal data—regardless of where your company is located.

GDPR Applies If You:

  • Have EU customers or users (even if you're US-based)
  • Target marketing to EU residents
  • Track behavior of individuals in the EU (cookies, analytics)
  • Process payment from EU customers in Euros
  • Have a .eu domain or EU phone number

Key GDPR Principles

Lawfulness, Fairness & Transparency

Process data lawfully on a valid legal basis, treat data subjects fairly, and be transparent about your processing activities.

Purpose Limitation

Collect data for specified, explicit purposes only. Don't use it for incompatible purposes later.

Data Minimization

Only collect data that's adequate, relevant, and necessary for your stated purposes.

Accuracy

Keep personal data accurate and up to date. Erase or rectify inaccurate data without delay.

Storage Limitation

Keep data only as long as necessary for processing purposes. Implement retention policies.

Integrity & Confidentiality

Ensure appropriate security including protection against unauthorized processing, loss, or damage.

Data Subject Rights

EU individuals have the following rights, which you must be able to support:

  • Right to Access: Provide copy of personal data upon request (within 30 days)
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure ('Right to be Forgotten'): Delete data when no longer necessary
  • Right to Restriction: Limit processing in certain circumstances
  • Right to Data Portability: Provide data in machine-readable format
  • Right to Object: Stop processing for direct marketing or legitimate interests
  • Rights Related to Automated Decision-Making: Opt out of automated profiling

US-EU Data Transfers

Post-Schrems II, transferring EU personal data to the US requires valid transfer mechanisms:

EU-US Data Privacy Framework (DPF)

Replaced Privacy Shield in 2023. US companies can self-certify to enable EU data transfers. Must commit to privacy principles and enforcement by FTC/DOT.

Standard Contractual Clauses (SCCs)

EU Commission-approved contract templates. Must conduct Transfer Impact Assessment (TIA) to ensure adequate protection in destination country.

Penalty Structure

Tier 1 Violations

Up to €10M or 2% of global revenue (whichever is higher)

Examples: Processor obligations, certification bodies, monitoring authorities

Tier 2 Violations

Up to €20M or 4% of global revenue (whichever is higher)

Examples: Core principles, data subject rights, international transfers

Implementation Roadmap for US Companies

  1. Data Mapping (Weeks 1-2): Identify what EU personal data you process and where it flows
  2. Legal Basis (Week 3): Establish lawful basis for each processing activity (consent, contract, legitimate interest)
  3. Privacy Notices (Week 4): Update privacy policy to meet GDPR transparency requirements
  4. Data Subject Rights (Weeks 5-6): Implement processes to handle access, deletion, and portability requests
  5. Security Measures (Weeks 7-8): Implement technical and organizational measures (encryption, access controls, DPIAs)
  6. Vendor Management (Weeks 9-10): Ensure processors have DPAs, validate their GDPR compliance
  7. International Transfers (Week 11): Implement SCCs or DPF certification for US data transfers
  8. Breach Response (Week 12): Create incident response plan with 72-hour notification requirement

Automate GDPR compliance

LowerPlane helps US companies manage GDPR compliance with automated data mapping, DSR workflows, and consent tracking.