GDPR Compliance Checklist for US Companies: A Complete 2025 Guide
Updated: May 2025 | 12 min read | By OnDemand International Compliance Team
The bottom line: If your US company collects, processes, or monitors personal data from anyone in the European Union — even through your website — you are subject to GDPR. Non-compliance can cost up to €20 million or 4% of your global annual revenue, whichever is higher. This guide gives you a practical, actionable GDPR compliance checklist built specifically for American businesses.
Key figures at a glance:
€20M: Maximum GDPR fine per violation
72 hrs: Deadline to report a data breach
30 days: To respond to data subject requests
4%: Of global revenue as alternative fine cap
Does GDPR Apply to US Companies?
Many American businesses assume GDPR is a European problem for European companies. It is not. The regulation has explicit extraterritorial reach under Article 3, meaning it follows the data — not the company’s headquarters.
Your US company must comply with GDPR if any of these three conditions apply:
1. You offer goods or services to EU residents. This includes free services such as newsletters, SaaS platforms, mobile apps, and e-commerce stores that ship to the EU. A payment transaction is not required — simply making your service available to EU users triggers GDPR obligations.
2. You monitor the behaviour of EU residents. If your website uses cookies, Google Analytics, Facebook Pixel, or any tracking technology that collects data from EU visitors, you are monitoring their behaviour and GDPR applies.
3. You have a physical presence in the EU. US companies with European offices, subsidiaries, or staff based in EU member states fall within GDPR’s scope regardless of where their data is stored.
Practical rule: If EU or EEA residents’ personal data flows through your systems in any meaningful way, assume GDPR compliance is mandatory. The burden of proof falls on your company — not regulators.
GDPR vs US Privacy Laws: Key Differences
GDPR is significantly broader and stricter than most US privacy frameworks. Understanding the differences helps US companies avoid the mistake of assuming existing compliance is sufficient.
Factor | GDPR (EU) | CCPA (California) | US Federal Law
Geographic scope | 30+ EU/EEA countries, single uniform standard | California residents only | No overarching federal privacy law
Applicability threshold | None — applies regardless of company size or revenue | Revenue / data volume thresholds apply | Varies by sector (HIPAA, COPPA, GLBA)
Consent standard | Explicit, affirmative opt-in required | Opt-out model — collect first, allow opt-out later | Varies widely by sector
Maximum fine | €20M or 4% of global annual revenue | Up to $7,500 per intentional violation | Varies by law
Breach notification | 72 hours to supervisory authority | Expedient notification required | State laws vary; no single federal standard
The key takeaway: existing CCPA compliance does not equal GDPR compliance. US companies must maintain separate, more stringent processes for EU data subjects.
The 7 Core GDPR Principles
Every GDPR obligation flows from seven foundational principles defined in Article 5. Supervisory authorities evaluate compliance against these principles, so US companies must understand them before building any compliance programme.
1. Lawfulness, fairness, and transparency. You must have a valid legal basis for processing personal data and be transparent about your practices.
2. Purpose limitation. Data collected for one stated purpose cannot be repurposed without additional consent or lawful basis.
3. Data minimisation. Collect only what is genuinely necessary. Speculative or “just in case” data collection is not permitted.
4. Accuracy. Personal data must be kept accurate and up to date, with processes to correct or delete inaccurate records.
5. Storage limitation. Data must not be kept longer than necessary for its original purpose.
6. Integrity and confidentiality. Appropriate technical and organisational security measures must protect personal data at all times.
7. Accountability. You must be able to demonstrate compliance with all of the above. Documentation is a legal requirement — not an optional best practice.
Data Subject Rights You Must Honour
GDPR grants EU residents six enforceable rights over their personal data. US companies must implement clear processes to receive, verify, and fulfil these requests within 30 days of receipt.
Right of Access
Individuals can request a copy of all personal data you hold about them and details of how it is being used.
Right to Rectification
Individuals can request correction of inaccurate or incomplete personal data without undue delay.
Right to Erasure
Known as the “right to be forgotten” — individuals can request deletion of their data in specified circumstances.
Right to Restriction
Individuals can request that you limit how their data is used while a dispute or objection is being resolved.
Right to Data Portability
Individuals can request their data in a structured, machine-readable format for transfer to another controller.
Right to Object
Individuals can object to processing based on legitimate interests, including direct marketing and profiling.
The Complete GDPR Compliance Checklist for US Companies
Work through each category below. Every item is a substantive compliance obligation — not a recommendation. Companies that can document completion of each step are in a significantly stronger position if regulators come calling.
1. Determine Whether GDPR Applies to You
Assess whether your company offers goods or services — including free services — to individuals in the EU or EEA.
Determine whether your website or apps use tracking technologies — cookies, analytics, advertising pixels — that collect data from EU visitors.
Identify whether you act as a data controller, a data processor, or both — your obligations differ depending on your role.
2. Conduct a Data Audit and Mapping Exercise
Inventory all categories of personal data your company collects: names, email addresses, IP addresses, financial data, health information, and more.
Document where each data category is stored, who has access to it, and how it flows through your systems and to third parties.
Create and maintain a Record of Processing Activities (ROPA) — a mandatory document under Article 30 covering every data processing activity from collection to deletion.
Identify all third-party vendors, processors, and sub-processors that handle EU personal data on your behalf.
3. Establish a Lawful Basis for Every Processing Activity
Document the lawful basis for each processing activity. The six bases are: consent, contract, legal obligation, vital interests, public task, and legitimate interests.
Where relying on consent, ensure it is freely given, specific, informed, and unambiguous. Pre-ticked boxes and implied consent are explicitly prohibited under GDPR.
Implement a mechanism for users to withdraw consent as easily as they gave it — withdrawal must be a single, frictionless action.
4. Update Your Privacy Policy and Notices
Rewrite your privacy policy in plain, jargon-free language — it must disclose what data is collected, why, how long it is kept, who it is shared with, and how individuals can exercise their rights.
Make the privacy policy prominently accessible on your website. A buried or hard-to-find policy does not satisfy GDPR’s transparency requirements.
Include information about international data transfers if EU personal data is processed on US-based servers.
5. Implement Cookie Consent Management
Deploy a GDPR-compliant cookie consent banner requiring explicit opt-in before any non-essential cookies are activated.
Provide granular, category-level consent options so users can accept analytics cookies but decline advertising cookies.
Never use pre-checked boxes, cookie walls, or dark patterns to manipulate or coerce consent from users.
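As an added example that is not part of the original article, the following JavaScript shows the consent logic items 3 and 5 describe: optional categories default to off, consent is granted per category, withdrawal is a single call, and a script is activated only if its category is allowed (unlabelled scripts fail closed). The class name, the category list and the sample script entries are assumptions made for illustration, not the API of any real consent platform.

```javascript
// Added example (not from the original article): category-level consent state
// that gates non-essential scripts. ConsentManager, CATEGORIES and the sample
// script list are this example's own assumptions, not any real CMP's API.
const CATEGORIES = ["necessary", "analytics", "advertising"];

class ConsentManager {
  constructor() {
    // Every optional category starts OFF: no pre-checked boxes and no consent
    // implied from continued browsing. Only strictly necessary is always on.
    this.granted = { necessary: true, analytics: false, advertising: false };
    this.record = []; // each decision is logged for accountability documentation
  }
  // The user ticks specific categories; unknown names are ignored rather than
  // silently widening the grant.
  grant(categories, at = new Date()) {
    for (const c of categories) {
      if (CATEGORIES.includes(c) && c !== "necessary") this.granted[c] = true;
    }
    this.record.push({ at: at.toISOString(), granted: { ...this.granted } });
    return this.granted;
  }
  // Withdrawal is a single call that clears every optional category at once,
  // so it is no harder than granting was.
  withdrawAll(at = new Date()) {
    for (const c of CATEGORIES) if (c !== "necessary") this.granted[c] = false;
    this.record.push({ at: at.toISOString(), granted: { ...this.granted } });
    return this.granted;
  }
  isAllowed(category) {
    return this.granted[category] === true;
  }
}

// Return the sources that may be activated. A tag with no recognised category
// is treated as non-essential and stays blocked (fail closed).
function scriptsToActivate(scripts, consent) {
  return scripts.filter((s) => consent.isAllowed(s.category)).map((s) => s.src);
}

// Constructed sample: stands in for <script type="text/plain" data-category="...">
// tags that a page would switch to type="text/javascript" once allowed.
const SAMPLE_SCRIPTS = [
  { src: "/js/app.js", category: "necessary" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
  { src: "/js/unlabelled-tracker.js", category: undefined },
];
```

In a real page the banner would call grant() with exactly the categories the user ticked and withdrawAll() from the same settings control, and the consent record would be persisted alongside the cookie.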
6. Honour Data Subject Rights
Create a clear, accessible process for EU residents to submit data subject access requests (DSARs) — by email, web form, or dedicated portal.
Implement workflows to respond to all rights requests — access, rectification, erasure, portability, restriction, and objection — within 30 days.
Log all data subject requests and your responses as part of your accountability documentation.
7. Implement Technical Security Measures
Implement encryption at rest and in transit for all systems that store or transmit EU personal data.
Enforce multi-factor authentication (MFA) for all staff who have access to systems processing personal data.
Conduct regular security assessments, vulnerability scans, and penetration testing proportionate to your data processing risk.
Embed Privacy by Design principles — build data protection considerations into the design stage of every new product, service, or system.
8. Establish a Data Breach Response Plan
Create a documented breach response procedure covering detection, containment, risk assessment, and regulatory notification steps.
Notify the relevant EU supervisory authority within 72 hours of discovering a breach that poses a risk to individuals’ rights and freedoms.
Maintain a breach log recording details of all incidents, whether or not they met the threshold for notification.
9. Manage Third-Party Vendors and Data Processors
Audit all third-party vendors that process EU personal data on your behalf and assess their GDPR compliance posture.
Sign Data Processing Agreements (DPAs) with every vendor acting as a processor — a strict requirement under Article 28.
Maintain a current register of all sub-processors and ensure they are bound by equivalent GDPR obligations.
10. Manage International Data Transfers
Rely on EU Standard Contractual Clauses (SCCs) as the primary mechanism for lawfully transferring EU personal data to US-based servers.
If applicable, participate in the EU-US Data Privacy Framework, which provides an adequacy mechanism for certified US companies.
Consider storing EU personal data on EU-based servers or EU-hosted cloud providers where technically feasible to reduce transfer compliance risk.
11. Appoint a DPO and/or EU Representative
Determine whether your company requires a Data Protection Officer (DPO) — mandatory if you conduct large-scale, systematic monitoring of individuals or process sensitive data at scale.
If you have no EU establishment but process EU personal data, appoint an EU Representative in a member state where your data subjects are located — mandatory under Article 27.
Publish the contact details of your DPO or EU Representative in your privacy policy and make them available to supervisory authorities.
12. Define Data Retention and Deletion Policies
Define specific, documented retention periods for each category of personal data. Indefinite storage is not compliant.
Implement automated deletion or anonymisation processes so personal data is purged when it is no longer needed.
Communicate retention timelines to users through your privacy policy so they understand how long their data will be kept.
13. Conduct Data Protection Impact Assessments (DPIAs)
Conduct a DPIA before launching any new project involving high-risk processing — profiling, automated decision-making, or large-scale sensitive data processing.
Document DPIA findings and mitigating measures, and consult the relevant supervisory authority if residual risk remains high after mitigation.
14. Train Staff and Build a Compliance Culture
Provide GDPR training to all employees who handle personal data, covering principles, lawful bases, data subject rights, and breach reporting obligations.
Implement written data protection policies that all staff are required to follow and acknowledge.
Run refresher training at least annually and whenever there are significant changes in GDPR guidance or enforcement priorities.
Enforcement is accelerating: US technology companies have faced some of the largest GDPR fines on record, primarily for unlawful transfer of EU user data to US-based servers. Regulators are now also targeting US AI companies for scraping EU data to train models without a valid legal basis. GDPR compliance is not a one-time project — it requires continuous monitoring and adaptation.
GDPR Penalties and Enforcement for US Companies
GDPR enforcement is not theoretical. Twitter was fined €450,000 in December 2020 for failing to notify regulators within 72 hours of a data breach — the first cross-border GDPR penalty imposed on a US-based company. Fines operate on a two-tier structure.
Tier 1 — less severe violations (record-keeping failures, breach notification delays, DPIA non-compliance): up to €10 million or 2% of global annual revenue.
Tier 2 — more severe violations (unlawful processing, violations of data subject rights, unlawful international transfers): up to €20 million or 4% of global annual revenue.
Beyond fines, supervisory authorities can issue reprimands, impose temporary or permanent processing bans, and order data to be deleted — measures that can be existential for businesses whose model relies on EU data.
Frequently Asked Questions
Does GDPR apply to US companies with no EU office?
Yes. Physical presence in the EU is not required. If your US company processes personal data of EU residents — through a website, app, SaaS product, or any other means — GDPR applies. The regulation follows the data, not the company’s location.
What counts as “personal data” under GDPR?
Personal data is any information relating to an identified or identifiable natural person. This includes names, email addresses, phone numbers, IP addresses, cookie identifiers, location data, and any other data that can directly or indirectly identify an individual.
Does my US company need a Data Protection Officer (DPO)?
A DPO is mandatory if your core activities involve large-scale, systematic monitoring of individuals or large-scale processing of special categories of data such as health, biometric, or criminal data. Other companies may appoint one voluntarily. All companies without an EU establishment must separately appoint an EU Representative.
How is GDPR consent different from US standards?
US data practices often rely on opt-out models — you collect data and allow users to opt out later. GDPR requires active, affirmative opt-in before any data is collected. Pre-ticked boxes, implied consent through continued browsing, and consent bundled into terms of service are all invalid under GDPR.
Can US companies transfer EU personal data to US servers?
Yes, but only with an adequate transfer mechanism in place. The most common approach is EU Standard Contractual Clauses (SCCs). US companies certified under the EU-US Data Privacy Framework can also use that as a transfer basis. Storing EU data on US servers without a lawful transfer mechanism is one of the most commonly penalised GDPR violations.
How long does GDPR compliance take to implement?
Small companies with limited EU data touchpoints can often achieve initial compliance within 2–4 months. Larger organisations with complex vendor ecosystems or high-volume EU data processing typically require 6–18 months for a comprehensive programme. Compliance is ongoing — it does not end at implementation.
Next Steps: Where to Start
GDPR compliance is not a one-time checkbox exercise. It is an ongoing programme requiring regular review, documentation updates, and staff training. For US companies starting out, the recommended sequence is:
1. Scope assessment — Confirm definitively whether GDPR applies and in what capacity.
2. Data audit — Map all personal data flows and create your ROPA. This single exercise typically reveals the most significant compliance gaps.
3. Legal basis review — For every processing activity, document the lawful basis and address any activities without a valid one immediately.
4. Policy and notice updates — Rewrite your privacy policy and cookie notice.
5. Technical implementation — Deploy compliant cookie consent, review security controls, and set up data subject rights workflows.
6. Vendor management — Sign or update Data Processing Agreements with all processors.
7. International transfer mechanisms — Ensure EU-to-US data transfers use Standard Contractual Clauses or another lawful mechanism.
8. Governance and training — Appoint a DPO and/or EU Representative if required, train staff, and establish ongoing monitoring.
Need Expert GDPR Compliance Support?
OnDemand International helps US companies navigate GDPR requirements — from initial scoping and data audits to full compliance programme implementation. Our specialists work with technology, SaaS, e-commerce, and financial services companies across the US.
This article is intended for informational purposes only and does not constitute legal advice. For advice specific to your organisation’s situation, consult a qualified data protection professional or legal counsel.