GDPR Compliance for US Companies: 2026 Guide
GDPR compliance applies to US companies whenever they offer goods or services to people in the European Economic Area (EEA) or monitor their behavior, regardless of whether the company has any physical presence in Europe. This extraterritorial reach is set out in Article 3 of the General Data Protection Regulation, and it has been enforced against US-headquartered companies with fines ranging from thousands of euros to the record €1.2 billion levied against Meta in 2023.
If your SaaS product accepts EU customers, your marketing pixels fire on EU visitors, your mobile app has European users, or your B2B service processes personal data about employees at European companies, GDPR most likely applies to you. This guide translates the regulation into the specific requirements that matter for a US business and maps them to the compliance frameworks you may already operate under.
Does GDPR Apply to Your US Business?
The answer is yes if any of the following is true:
- You offer goods or services to individuals located in the EEA, whether paid or free, in English or any other language
- You monitor the behavior of individuals in the EEA (analytics, tracking pixels, cookies, session recording, behavioral advertising)
- You process personal data on behalf of another organization that is subject to GDPR (you are a processor for an EU controller)
The offering-goods test does not require you to charge Europeans or ship to Europe. The European Data Protection Board's Guidelines 3/2018 clarify that factors like translating your site into European languages, accepting euros or pounds as payment currency, referencing EU customers, or running a domain under an EU country code are strong indicators of intent to offer services in the EEA.
Running Google Analytics with visitors from the EU counts as "monitoring behavior." Serving ads to European visitors via Google Ads or Meta counts. Letting a European sign up for a free trial counts.
The question is rarely whether GDPR applies. The question is which specific obligations apply and how to satisfy them efficiently.
Core GDPR Obligations for US Companies
GDPR imposes more than 80 distinct obligations across 99 articles, but for most US companies the practical compliance program reduces to eight categories.
1. Establish a lawful basis for every processing activity. GDPR Article 6 recognizes six lawful bases: consent, contract, legal obligation, vital interests, public interest, and legitimate interests. You cannot process personal data without at least one lawful basis, and the basis must be documented.
2. Provide transparent privacy notices. Articles 13 and 14 require that you tell individuals, at the time of data collection, what you will do with their data, why, how long you will keep it, who you will share it with, and what rights they have. A compliant privacy notice is typically 1,500 to 3,000 words and is updated whenever material processing changes occur.
3. Respond to data subject rights requests (DSARs). EU residents have rights to access, correct, delete, port, and restrict the processing of their personal data, plus the right to object to direct marketing. Responses are generally due within one month, extendable to three months for complex requests. Most companies need a formal intake process, verification workflow, and fulfillment system to respond at scale.
4. Sign Data Processing Agreements (DPAs) with every vendor that processes EU data. GDPR Article 28 requires a written contract (the DPA) between controller and processor that includes specific mandatory provisions. A DPA is the European equivalent of a HIPAA Business Associate Agreement and follows a similar pattern.
5. Implement appropriate technical and organizational security measures. Article 32 requires "appropriate" security proportionate to the risk, including (where appropriate) pseudonymization, encryption, confidentiality, integrity, availability, resilience, regular testing, and incident response capability.
6. Notify regulators of personal data breaches within 72 hours. Article 33 sets a strict 72-hour clock to notify the supervisory authority after becoming aware of a breach that is likely to result in risk to individuals. High-risk breaches also require individual notification under Article 34.
7. Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing. Article 35 requires a formal risk assessment before starting processing that is likely to result in a high risk to individuals, such as large-scale profiling, systematic monitoring, or large-scale processing of special category data.
8. Govern international data transfers. Sending personal data from the EEA to the US requires a transfer mechanism. Since July 2023, the primary route is the EU-US Data Privacy Framework, under which eligible US companies self-certify in order to receive EU data. The secondary route is Standard Contractual Clauses (SCCs) paired with a Transfer Impact Assessment.
GDPR Territorial Triggers and the "Establishment" Test

Beyond the targeting test described above, GDPR also applies when a US company has an "establishment" in the EEA. An establishment is typically a subsidiary, branch office, or other stable arrangement, even without legal personality, that pursues activities in the territory.
Case law has interpreted this broadly. A single sales agent in Germany can constitute an establishment if the agent engages in EU-targeted business. A server farm in Ireland hosting EU customer data for a US company, on its own, usually does not, because the server is not pursuing activities in the territory.
The practical impact: companies with EU establishments fall under a lead supervisory authority under Article 56 and face a higher risk of direct regulatory scrutiny. Companies without EU establishments that still fall under Article 3 must appoint an EU representative under Article 27 (unless processing is occasional and does not involve large-scale special category data).
Appointing an Article 27 representative is one of the most commonly overlooked obligations for US SaaS companies. The representative must be based in one of the EEA member states where the affected individuals live, be accessible to regulators and individuals, and maintain records of processing jointly with the controller. Third-party representative services typically charge $1,500 to $6,000 per year.
The EU-US Data Privacy Framework (DPF)
After the Schrems II ruling invalidated the prior Privacy Shield framework, EU-US transfers sat in legal limbo from July 2020 until July 10, 2023, when the European Commission adopted a new adequacy decision for the US based on the Data Privacy Framework.
The DPF allows certified US companies to receive personal data from the EEA without additional transfer mechanisms, as long as they adhere to the Framework principles (notice, choice, accountability for onward transfer, security, data integrity, access, and recourse).
Who is eligible for DPF self-certification:
- US organizations subject to the jurisdiction of the Federal Trade Commission or Department of Transportation
Self-certification is renewed annually, and fees range from $250 to $3,250 per year depending on company revenue.
Who is not eligible:
- Banks and insurance companies (FTC jurisdiction does not extend to them)
- Nonprofits (not under FTC jurisdiction, with limited exceptions)
- Telecommunications common carriers
- Labor and agricultural organizations
For companies ineligible for DPF, the alternative is executing Standard Contractual Clauses (SCCs) with every data sender and completing a Transfer Impact Assessment under the European Data Protection Board's 2021 recommendations.
GDPR Overlap with SOC 2, HIPAA, and ISO 27001
One reason GDPR feels daunting is that most US companies already operate under overlapping security frameworks. The good news is that the control overlap is substantial. Building GDPR on top of existing SOC 2 or ISO 27001 programs is usually faster and cheaper than building it from scratch.
| Capability Area | GDPR Article | SOC 2 Criteria | HIPAA Rule | ISO 27001 Annex A |
|---|---|---|---|---|
| Risk assessment | Art. 35 (DPIA) | CC3 | Security Rule 164.308(a)(1) | A.5.1, A.5.9 |
| Access control | Art. 32 | CC6.1 | Security Rule 164.312(a) | A.5.15, A.5.16, A.5.18 |
| Encryption | Art. 32 | CC6.7 | Security Rule 164.312(e) | A.8.24 |
| Incident response | Art. 33-34 | CC7.3 | Breach Notification Rule | A.5.24, A.5.25, A.5.26 |
| Vendor management | Art. 28 | CC9.2 | BAA Rule | A.5.19, A.5.20, A.5.23 |
| Logging and monitoring | Art. 32 | CC7.1 | Security Rule 164.312(b) | A.8.15, A.8.16 |
| Data retention | Art. 5(1)(e) | PI1.5 | Various | A.8.10 |
| Security awareness training | Art. 39 | CC1.4 | Security Rule 164.308(a)(5) | A.6.3 |
Building a control framework once and mapping it to multiple standards is a common strategy for mid-market and enterprise companies. GRC platforms like Vanta, Drata, and Sprinto offer crosswalk mappings that surface GDPR evidence from existing SOC 2 or ISO 27001 controls.
The gaps that are genuinely new for GDPR beyond a typical SOC 2 program:
- Data subject rights intake and response workflow
- Formal lawful basis documentation and consent management
- Article 30 records of processing activities (ROPA)
- DPIA methodology and templates
- Transfer Impact Assessments for non-DPF transfers
- EU representative or Data Protection Officer designations
- Cookie consent management and tracking pixel governance
Budget 150 to 400 hours of internal work to close these gaps for a typical SaaS company, plus $15,000 to $50,000 in external legal review for a comprehensive privacy program.
Enforcement and Fines: What US Companies Actually Pay

GDPR's maximum fines are dramatic (up to 4 percent of global annual revenue or €20 million, whichever is higher) but most enforcement falls well below that ceiling. The pattern of enforcement against US companies reveals where the real risks sit.
High-profile US company fines since 2020:
| Year | Company | Fine | Primary Violation |
|---|---|---|---|
| 2023 | Meta (Ireland) | €1.2 billion | Unlawful US data transfers |
| 2022 | Meta | €405 million | Instagram children's privacy |
| 2022 | Google (Ireland) | €390 million | Cookie consent failures |
| 2021 | Amazon (Luxembourg) | €746 million | Advertising practices |
| 2021 | WhatsApp (Ireland) | €225 million | Transparency failures |
| 2019 | Google | €50 million | Transparency and consent |
The common thread across the top fines is not security breaches but consent, transparency, and international transfer failures. This is the opposite of what most US companies prepare for. A SOC 2 audit will not catch a weak cookie consent banner or a lawful basis gap.
More typical SMB enforcement actions involve fines of €5,000 to €250,000 and are most often triggered by complaints (not proactive audits) in these categories:
- Unauthorized email marketing (consent failures)
- Excessive CCTV or employee monitoring
- Failure to respond to data subject access requests
- Publishing personal data online without legal basis
- Data breach without timely notification
Most complaint-driven investigations begin with a single data subject complaint to a national supervisory authority. Once opened, the authority has broad audit powers including on-site inspections.
Building a Minimum Viable GDPR Program
For a US SaaS company with EU customers, a minimum viable GDPR program typically includes:
- Published privacy notice compliant with Articles 13 and 14
- Cookie consent banner with granular controls (strictly necessary, functional, analytics, marketing)
- Data subject rights intake form and documented response process
- Article 30 records of processing activities (ROPA)
- Data Processing Agreements with all vendors processing personal data
- Transfer mechanism in place (DPF certification or SCCs)
- Breach response playbook with 72-hour notification workflow
- EU representative (if required by Article 27)
- Periodic review cadence (annual at minimum)
Typical budget for a 50-person SaaS company:
| Component | Typical Cost |
|---|---|
| Legal review of privacy notice and DPAs | $8,000 to $25,000 |
| Consent management platform (OneTrust, Cookiebot, Osano) | $3,000 to $20,000 per year |
| EU representative service | $1,500 to $6,000 per year |
| DSAR management platform (optional) | $5,000 to $30,000 per year |
| DPF self-certification | $250 to $3,250 per year |
| Internal privacy program setup (initial) | 150 to 400 hours |
Companies that already operate SOC 2 Type 2 typically reach GDPR readiness in three to six months. Companies starting from scratch should plan for six to twelve months.
Frequently Asked Questions
Does GDPR apply if we only have EU users who signed up for a free account?
Yes. Free users are still data subjects, and offering a free service in the EU meets the "offering of goods or services" test under Article 3. Paid status is irrelevant.
Do we need an EU-based Data Protection Officer (DPO)?
Only if your processing meets specific thresholds: you are a public authority, your core activities involve large-scale systematic monitoring, or your core activities involve large-scale processing of special category data. Most SaaS companies do not need a formal DPO but should still designate an internal privacy lead.
How do we handle GDPR for EU customers after Brexit?
The UK has its own UK GDPR, which is almost identical to the EU GDPR. US companies with UK customers need to comply with UK GDPR as well, including a UK representative under UK Article 27. The EU-US DPF does not cover UK transfers; the UK-US Data Bridge (an extension of DPF) handles that route since 2023.
Can we rely on IP geolocation to block EU users and avoid GDPR?
In theory yes, but in practice this is fragile. VPN users, travelers, and EU residents with US addresses can still sign up. Most companies decide it is cheaper to comply with GDPR than to maintain reliable geo-blocking. Courts have also suggested that attempting to block EU users while collecting some data during the block attempt may itself trigger GDPR.
What's the relationship between GDPR and CCPA?
GDPR is a full privacy law covering all personal data of EEA residents. CCPA (now expanded as CPRA) is a US state law covering personal information of California residents. They overlap substantially on rights like access, deletion, and portability, but differ on consent requirements, lawful basis frameworks, and regulatory enforcement. Most companies build a combined privacy program that satisfies both.
How long should we retain personal data under GDPR?
GDPR requires data to be kept no longer than necessary for the stated purposes. There is no universal retention period. Retention schedules must be documented, proportionate, and connected to a specific lawful purpose. Common ranges: 6 months to 3 years for marketing prospects, 7 years for tax records, indefinite for anonymized analytics (if truly anonymized).
Will GDPR non-compliance affect SOC 2 or ISO 27001 certification?
Not directly. SOC 2 and ISO 27001 auditors assess your claimed controls, not GDPR specifically. However, if your SOC 2 scope includes privacy commitments and you fail to meet them, that is a finding. ISO 27701 (the privacy extension of ISO 27001) is the cleaner international route for certifying your privacy program.
