GDPR Compliance Checklist for Non-EU Businesses
Complete Guide for US Companies, SaaS Platforms, and Ecommerce Stores Processing EU Customer Data
Executive Summary: GDPR Compliance for US Businesses
- GDPR applies to non-EU businesses that offer goods/services to EU residents or monitor EU data subjects
- Penalties reach up to €20 million or 4% of global annual revenue for violations
- Key requirements include data mapping, lawful processing bases, consent mechanisms, privacy policies, data subject rights, security measures, and breach notification procedures
- Implementation timeline: 3-6 months for basic compliance, ongoing monitoring required
- Essential actions: Conduct data audit, update policies, implement technical controls, appoint responsible parties, train staff
- US companies must appoint an EU representative if processing substantial EU data
The General Data Protection Regulation (GDPR) represents the most comprehensive data protection framework in the world, and its impact extends far beyond European borders. If your US-based business, SaaS platform, or ecommerce store processes personal data of EU residents, GDPR compliance is not optional—it’s a legal requirement that carries significant financial and reputational consequences for non-compliance.
This comprehensive GDPR compliance checklist guides non-EU businesses through the essential requirements, providing actionable steps to achieve and maintain compliance with GDPR regulations. Whether you’re a small business owner wondering “do I need to comply with GDPR” or a compliance officer implementing data protection measures, this guide addresses the specific challenges faced by companies operating outside the European Union while serving EU customers.
Do I Need to Comply with GDPR?
The GDPR has extraterritorial reach, meaning it applies to organizations worldwide, not just those physically located in the EU. Understanding whether your non-EU business needs GDPR compliance depends on specific criteria outlined in Article 3 of the regulation.
When GDPR Applies to Non-EU Companies
Your US business or non-EU company must comply with GDPR requirements if you meet any of these conditions:
- Offering goods or services to EU residents: If your website, application, or platform is accessible to EU data subjects and you actively market or sell to them, GDPR applies regardless of whether payment is involved. Free services, including content platforms and social media, fall under this criterion.
- Monitoring behavior of EU residents: Using cookies, analytics tools, or behavioral tracking technologies to monitor the online activities of individuals located in the EU triggers GDPR obligations. This includes retargeting campaigns, user profiling, and website analytics.
- Processing EU employee data: Companies with EU-based employees, contractors, or job applicants must comply with GDPR when handling their personal information, even if the company headquarters is in the United States or elsewhere.
- Processing as a service provider: If your business provides data processing services to EU-based clients as a processor, you must implement GDPR-compliant data protection measures and contractual safeguards.
Common Scenarios for US Businesses
For clarity, here are specific scenarios where GDPR compliance for US businesses becomes mandatory:
- Ecommerce stores: Online retailers shipping products to EU addresses or accepting payments from EU customers must implement GDPR requirements for non-EU companies
- SaaS platforms: Software-as-a-service providers serving EU clients or allowing EU users to create accounts need comprehensive GDPR compliance measures
- Marketing and analytics: Businesses using email marketing, remarketing, or analytics platforms that track EU visitors must ensure GDPR-compliant consent and data protection practices
- Mobile applications: Apps available in EU app stores or downloaded by EU users require GDPR compliance, including proper privacy notices and user rights mechanisms
- Content and media sites: Websites with EU readership using cookies or collecting user data must comply with GDPR consent requirements and privacy obligations
Understanding GDPR Requirements for Non-EU Businesses
The GDPR establishes a comprehensive framework of data protection principles and requirements that apply equally to organizations within and outside the European Union. For non-EU businesses, understanding these core requirements is essential for building an effective compliance program.
Core GDPR Principles
Seven fundamental principles govern all data processing activities under GDPR:
- Lawfulness, fairness, and transparency: Data processing must have a legal basis, be conducted fairly, and individuals must be informed about how their data is used
- Purpose limitation: Personal data can only be collected for specified, explicit, and legitimate purposes, and not further processed in ways incompatible with those purposes
- Data minimization: Organizations should collect only data that is adequate, relevant, and limited to what is necessary for the specified purposes
- Accuracy: Personal data must be accurate and kept up to date, with reasonable steps taken to erase or rectify inaccurate data
- Storage limitation: Personal data should be retained only as long as necessary for the purposes for which it was collected
- Integrity and confidentiality: Appropriate security measures must protect personal data against unauthorized processing, loss, destruction, or damage
- Accountability: Data controllers must demonstrate compliance with all GDPR principles through documentation and evidence
Key GDPR Obligations
Beyond the foundational principles, the GDPR imposes specific obligations on data controllers and processors:
- Establish and document lawful bases for all data processing activities
- Implement mechanisms for obtaining, managing, and withdrawing consent when required
- Provide clear, accessible privacy notices and policies to all data subjects
- Enable data subject rights including access, rectification, erasure, and data portability
- Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
- Maintain comprehensive records of processing activities
- Implement appropriate technical and organizational security measures
- Report data breaches to supervisory authorities within 72 hours when required
- Appoint a Data Protection Officer (DPO) when required by processing activities
- Designate an EU representative for businesses without EU establishment
- Establish data processing agreements with third-party processors
- Implement safeguards for international data transfers outside the EU
The Controller vs. Processor Distinction
Understanding your role in data processing is crucial for GDPR compliance:
Data Controllers determine the purposes and means of processing personal data. They have primary responsibility for GDPR compliance and must ensure that all processing activities meet regulatory requirements. Most non-EU businesses serving EU customers act as controllers for customer data they collect and process.
Data Processors process personal data on behalf of controllers according to their instructions. While processors have fewer direct obligations, they must still implement appropriate security measures, maintain processing records, and assist controllers with compliance obligations. Many SaaS platforms and service providers act as processors when handling client data.
Essential GDPR Compliance Checklist for Non-EU Companies
Achieving GDPR compliance requires systematic implementation of multiple requirements. This comprehensive GDPR checklist for non-EU businesses provides a structured approach to meeting your obligations.
Phase 1: Assessment and Planning
- ☐ Determine if GDPR applies to your business activities
- ☐ Identify your role (controller, processor, or both) for different data processing activities
- ☐ Conduct a comprehensive data audit to map all personal data flows
- ☐ Identify gaps between current practices and GDPR requirements
- ☐ Develop a compliance roadmap with timelines and responsibilities
- ☐ Allocate budget and resources for compliance implementation
- ☐ Establish a data protection governance structure
Phase 2: Documentation and Policies
- ☐ Create or update privacy policy for EU data subjects
- ☐ Develop cookie policy and implement consent management
- ☐ Draft data processing agreements for third-party vendors
- ☐ Establish records of processing activities (ROPA)
- ☐ Create data breach response plan and notification procedures
- ☐ Develop data retention and deletion policies
- ☐ Document data transfer mechanisms for international transfers
- ☐ Create internal data protection policies and procedures
Phase 3: Technical Implementation
- ☐ Implement consent management platform for cookie compliance
- ☐ Create systems for managing data subject access requests
- ☐ Establish data deletion and rectification capabilities
- ☐ Implement data portability functionality
- ☐ Deploy encryption for data at rest and in transit
- ☐ Establish access controls and authentication measures
- ☐ Implement logging and monitoring systems
- ☐ Conduct security vulnerability assessments
- ☐ Establish backup and disaster recovery procedures
Phase 4: Organizational Measures
- ☐ Appoint Data Protection Officer (DPO) or data protection contact
- ☐ Designate EU representative if required
- ☐ Conduct staff training on GDPR requirements
- ☐ Review and update vendor contracts
- ☐ Conduct Data Protection Impact Assessments (DPIAs) for high-risk processing
- ☐ Establish incident response team and procedures
- ☐ Create data protection by design and by default practices
Phase 5: Ongoing Compliance
- ☐ Conduct regular compliance audits and assessments
- ☐ Monitor regulatory changes and guidance updates
- ☐ Update policies and procedures as needed
- ☐ Refresh staff training annually
- ☐ Review and update vendor assessments
- ☐ Test incident response procedures
- ☐ Maintain compliance documentation
- ☐ Track and respond to data subject requests
Data Mapping and Inventory
Creating a comprehensive data inventory represents the foundation of any GDPR compliance program. You cannot protect data you don’t know you have, making data mapping an essential first step for non-EU businesses.
Conducting a Data Audit
A thorough data audit identifies all personal data your organization collects, processes, stores, and shares. This process reveals the complete lifecycle of data within your systems and helps identify compliance gaps.
Key elements to document during your data audit:
- Data categories: Identify types of personal data collected (names, email addresses, IP addresses, payment information, behavioral data, etc.)
- Data sources: Document where data originates (website forms, customer accounts, third-party integrations, cookies, APIs)
- Processing purposes: Specify why each data element is collected and how it’s used
- Legal basis: Determine the lawful basis for processing each data category
- Data flows: Map how data moves through your systems, including transfers to third parties
- Storage locations: Identify where data resides (servers, databases, cloud platforms, backup systems)
- Retention periods: Document how long different data types are retained
- Access controls: Identify who has access to different data categories
- International transfers: Note any transfers of EU data to countries outside the European Economic Area
Creating Records of Processing Activities (ROPA)
Article 30 of the GDPR requires controllers and processors to maintain records of processing activities. This documentation provides a comprehensive overview of your data processing operations.
The ROPA serves multiple purposes beyond compliance documentation. It helps identify redundant data collection, streamline data processing activities, and provides essential information for responding to data subject requests and regulatory inquiries.
Data Flow Mapping
Visual data flow diagrams illustrate how personal data moves through your organization and to external parties. These maps reveal potential compliance risks, unnecessary data transfers, and opportunities to implement data minimization principles.
Effective data flow mapping should identify collection points, internal processing systems, third-party integrations, cloud storage locations, backup systems, and eventual deletion or archival processes. This visibility enables better security planning and helps demonstrate accountability to regulators.
Establishing Legal Basis for Processing
Every data processing activity under GDPR must have a valid legal basis as outlined in Article 6. Choosing the appropriate legal basis is crucial because it determines your specific obligations and the rights available to data subjects.
Six Lawful Bases for Processing
The GDPR provides six legal bases for processing personal data; of these, non-EU businesses typically rely on consent, contract, and legitimate interests:
1. Consent: The data subject has given clear, informed, and freely given consent for specific processing purposes. Consent must be granular, easy to withdraw, and properly documented. This basis works well for marketing communications and optional features.
2. Contract: Processing is necessary to fulfill a contract with the data subject or to take pre-contractual steps at their request. This basis covers essential processing for delivering services, such as processing customer orders, managing accounts, and providing support.
3. Legal Obligation: Processing is required to comply with legal requirements, such as tax regulations, accounting rules, or court orders. This basis has limited application for non-EU businesses.
4. Vital Interests: Processing is necessary to protect someone’s life. This basis has narrow application in most business contexts.
5. Public Task: Processing is needed to perform official functions or tasks in the public interest. This basis typically applies to government entities and public authorities.
6. Legitimate Interests: Processing is necessary for the legitimate interests of the controller or a third party, unless overridden by the data subject’s interests or fundamental rights. This flexible basis can justify fraud prevention, network security, internal administration, and direct marketing to existing customers.
When to Use Consent vs. Other Bases
While consent might seem like the safest choice, it’s not always the most appropriate legal basis. Consent requires ongoing management, creates obligations to honor withdrawal requests, and may not suit essential business functions.
Use consent for non-essential processing like marketing communications, optional product features, third-party data sharing for advertising, and cookie placement beyond strictly necessary cookies. Rely on contract for core service delivery, account management, payment processing, and customer support. Consider legitimate interests for security measures, fraud detection, network maintenance, and direct marketing to existing customers when consent is impractical.
Legitimate Interest Assessments
When relying on legitimate interests, you must conduct and document a Legitimate Interest Assessment (LIA). This three-part test evaluates whether legitimate interests justify the processing:
- Purpose test: Identify a legitimate interest that is real and present, not speculative
- Necessity test: Demonstrate that the processing is necessary for that interest and no less intrusive alternative exists
- Balancing test: Show that your legitimate interest outweighs the data subject’s interests, rights, and freedoms
Document your LIA thoroughly, as it demonstrates accountability and provides evidence of compliance if challenged by regulators or data subjects.
Privacy Notices and Policies
Transparent communication about data practices stands at the heart of GDPR compliance. Your privacy notice serves as the primary mechanism for meeting transparency obligations and informing data subjects about their rights.
Required Elements of a GDPR-Compliant Privacy Policy
Articles 13 and 14 specify comprehensive information that must be provided to data subjects. Your privacy policy for EU data subjects must include:
- Identity and contact details: Company name, address, and contact information for data protection inquiries
- Data protection officer: Contact details for your DPO if you have appointed one
- EU representative: Contact information for your designated EU representative if applicable
- Processing purposes: Clear explanation of why you collect and use personal data
- Legal basis: Specification of the lawful basis for each processing purpose
- Data categories: Types of personal data you collect and process
- Recipients: Categories of third parties who receive personal data
- International transfers: Information about transfers outside the EU and safeguards in place
- Retention periods: How long you keep different types of data
- Data subject rights: Clear explanation of rights to access, rectification, erasure, restriction, portability, and objection
- Right to withdraw consent: How to withdraw consent when it’s the legal basis
- Right to lodge a complaint: Information about filing complaints with supervisory authorities
- Automated decision-making: Information about any automated processing or profiling
- Source of data: Where data comes from if not collected directly from the individual
Writing Clear and Accessible Privacy Notices
GDPR requires privacy information to be provided in a concise, transparent, intelligible, and easily accessible form using clear and plain language. Avoid legal jargon and complex terminology that obscure meaning.
Timing of Privacy Notices
Privacy information must be provided at the time of data collection or, when data is obtained from other sources, within a reasonable period (generally within one month), at first communication, or before disclosure to another recipient.
For websites, this means displaying privacy information before or at the point of data collection through forms, account creation, or checkout processes. Progressive disclosure techniques can present relevant privacy information contextually as users interact with different features.
Cookie Policies and Banner Requirements
While technically part of the ePrivacy Directive rather than GDPR, cookie compliance integrates closely with data protection obligations. Non-EU businesses must obtain consent before placing non-essential cookies on EU visitors’ devices.
Your cookie policy should list all cookies used, their purposes, durations, and which third parties set them. Cookie banners must allow genuine choice, with clear options to accept or reject non-essential cookies before they are placed. Pre-ticked boxes and cookie walls that block access unless users consent are not GDPR-compliant.
Consent Management
When consent serves as your legal basis for processing, GDPR sets high standards for what constitutes valid consent. Non-EU businesses must implement robust consent management systems to meet these requirements.
Requirements for Valid Consent
Article 7 establishes strict conditions for consent. Valid consent must be:
- Freely given: The data subject has genuine choice and control without negative consequences for refusing consent. Consent tied to service provision is only valid if the processing is genuinely necessary for that service.
- Specific: Consent must be obtained for each distinct purpose. Bundled consent for multiple purposes is not valid under GDPR.
- Informed: Individuals must receive clear information about the processing before giving consent, including who is collecting data, what will be collected, how it will be used, and how to withdraw consent.
- Unambiguous: Consent requires a clear affirmative action. Pre-ticked boxes, inactivity, or silence do not constitute valid consent.
Consent Mechanisms
Implement consent mechanisms that make it easy for users to understand and control their choices:
Opt-in requirements: Users must actively opt in to data processing. This typically involves unchecked boxes that users must check, explicit button clicks, or clear affirmative statements.
Granular choices: Provide separate consent options for different processing purposes. For example, separate consent for product updates, marketing communications, and third-party sharing allows users to choose which activities they approve.
Clear language: Consent requests must use plain language that clearly explains what users are consenting to. Avoid referring users to lengthy privacy policies instead of providing essential information at the point of consent.
Managing Consent Withdrawal
Article 7(3) requires that withdrawing consent must be as easy as giving it. Implement straightforward mechanisms for consent withdrawal that don’t require multiple steps or complicated processes.
Common consent withdrawal methods include unsubscribe links in marketing emails, preference centers in user accounts, cookie consent management tools that remember preferences, and clear contact information for consent-related requests.
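To make the Article 7 conditions concrete, here is an added example (not code from the page) of a consent ledger that refuses to record consent from a form that could not have produced it: a pre-ticked box, a single control bundling several purposes, or a "required" box for processing the service genuinely needs (which should rest on contract, not consent). Withdrawal is a single call with no further steps, and an unticked box records nothing, since silence is not consent. The form model, purpose names and event fields are assumptions constructed for this illustration.

```python
"""Consent ledger that enforces the Article 7 conditions at the point of
recording consent. Added example, not code from the page; the form model,
purpose names and event fields are assumptions constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ConsentOption:
    """One control on a consent form, as submitted (constructed model)."""
    purposes: Tuple[str, ...]   # purposes this single control covers
    checked: bool               # state after the user interacted with the form
    prechecked: bool = False    # was it already ticked when the form was shown?
    required: bool = False      # does the form refuse to proceed without it?


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool
    at: datetime
    notice_version: str         # which privacy notice the user saw ("informed")
    method: str                 # how the choice was expressed, e.g. "checkbox_opt_in"


class ConsentLedger:
    """Append-only record of consent given and withdrawn, one purpose per event."""

    def __init__(self) -> None:
        self.events: List[ConsentEvent] = []

    def record_form(self, options: Sequence[ConsentOption], notice_version: str,
                    method: str, at: Optional[datetime] = None) -> List[ConsentEvent]:
        """Validate a submitted form and record only the purposes actually consented to.

        Raises ValueError when the form could not have produced valid consent, so
        no processing starts on the strength of a defective form.
        """
        if not notice_version:
            raise ValueError("informed: record which privacy notice the user was shown")
        at = at or datetime.now(timezone.utc)
        new_events: List[ConsentEvent] = []
        for opt in options:
            if len(opt.purposes) != 1:
                raise ValueError(f"specific: bundled purposes {opt.purposes} need separate controls")
            purpose = opt.purposes[0]
            if opt.prechecked:
                raise ValueError(f"unambiguous: control for {purpose!r} was pre-ticked")
            if opt.required:
                raise ValueError(f"freely given: {purpose!r} is mandatory; processing the "
                                 "service genuinely needs should rest on contract, not consent")
            # An unticked box (silence) is not consent, so nothing is recorded for it.
            if opt.checked:
                new_events.append(ConsentEvent(purpose, True, at, notice_version, method))
        self.events.extend(new_events)
        return new_events

    def withdraw(self, purpose: str, method: str, at: Optional[datetime] = None) -> ConsentEvent:
        """One call, no confirmation steps: withdrawing must be as easy as giving (Art. 7(3))."""
        event = ConsentEvent(purpose, False, at or datetime.now(timezone.utc), "", method)
        self.events.append(event)
        return event

    def has_consent(self, purpose: str) -> bool:
        """The latest event for a purpose decides; no event at all means no consent."""
        for event in reversed(self.events):
            if event.purpose == purpose:
                return event.granted
        return False
```

Because the ledger is append-only and every event carries the notice version and the method, it doubles as the documentation of consent that the accountability principle requires: you can show, for any purpose, when consent was given, against which notice, and when it was withdrawn.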
Age of Consent for Children
Special protections apply when processing children’s personal data. For information society services offered directly to children, consent must come from someone holding parental responsibility for children under 16 (though member states can lower this to 13).
If your service attracts children, implement age verification mechanisms and obtain parental consent when required. This is particularly relevant for social media platforms, gaming services, and educational applications.
Data Subject Rights
The GDPR grants individuals extensive rights over their personal data. Non-EU businesses must establish processes and systems to honor these rights efficiently and within strict timeframes.
Eight Core Data Subject Rights
1. Right to Be Informed: Individuals have the right to clear information about how their data is collected and used, fulfilled through privacy notices and policies.
2. Right of Access: Data subjects can request confirmation of whether you process their personal data and obtain copies of that data. You must respond to Data Subject Access Requests (DSARs) within one month, providing the information in a commonly used electronic format free of charge in most cases.
3. Right to Rectification: Individuals can request correction of inaccurate or incomplete personal data. You must rectify data within one month and inform any third parties who received the incorrect data.
4. Right to Erasure (Right to Be Forgotten): Data subjects can request deletion of their personal data under certain circumstances, including when data is no longer necessary for its original purpose, when consent is withdrawn, when the individual objects to processing, or when processing was unlawful.
5. Right to Restriction of Processing: Individuals can request that you stop processing their data (but not delete it) when accuracy is contested, processing is unlawful but they oppose erasure, you no longer need the data but they need it for legal claims, or while verifying legitimate grounds for processing after an objection.
6. Right to Data Portability: When processing is based on consent or contract and carried out by automated means, individuals can receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
7. Right to Object: Data subjects can object to processing based on legitimate interests, direct marketing (including profiling), or processing for research or statistical purposes.
8. Rights Related to Automated Decision-Making and Profiling: Individuals have rights regarding decisions based solely on automated processing that produce legal or similarly significant effects, including the right not to be subject to such decisions in certain cases.
Implementing Data Subject Rights Processes
Create systematic procedures for handling rights requests:
- Establish clear channels for submitting requests (email address, web form, postal address)
- Verify the identity of requesters to prevent unauthorized data disclosure
- Log and track all requests with timestamps and status updates
- Search all relevant systems and databases for personal data
- Compile information in accessible, understandable formats
- Coordinate with third-party processors who may hold data
- Respond within one month (extendable to three months in total for complex requests, provided you notify the data subject of the extension and the reasons for it)
- Document decisions regarding whether to fulfill or refuse requests
- Inform data subjects of their right to complain to supervisory authorities if dissatisfied
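The procedure above, as an added example (not code from the page) of a minimal request tracker: it logs every step with a date, computes the one-month deadline and the extension to three months, refuses to release data until identity has been verified, and records the complaint information on refusal. The request model, the status names and the calendar reading of "one month" (same day next month, clamped to month end) are assumptions of this example.

```python
"""Tracker for data subject rights requests with deadline handling and an
identity gate before disclosure. Added example, not code from the page; the
request model, statuses and the calendar reading of "one month" are assumptions."""
import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import List, Tuple


def add_months(d: date, months: int) -> date:
    """Same calendar day N months later, clamped to the end of the target month
    (so a request received 31 January is due 28/29 February). Assumption of this example."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


class Status(Enum):
    IDENTITY_PENDING = "identity_pending"
    IN_PROGRESS = "in_progress"
    FULFILLED = "fulfilled"
    REFUSED = "refused"


@dataclass
class RightsRequest:
    request_id: str
    right: str                 # "access", "rectification", "erasure", "portability", ...
    received: date
    channel: str               # "web_form", "email", "post"
    identity_verified: bool = False
    extended: bool = False
    status: Status = Status.IDENTITY_PENDING
    log: List[Tuple[date, str]] = field(default_factory=list)

    def deadline(self) -> date:
        """One month from receipt, or three months in total once extended."""
        return add_months(self.received, 3 if self.extended else 1)

    def note(self, when: date, text: str) -> None:
        self.log.append((when, text))

    def verify_identity(self, when: date, evidence: str) -> None:
        self.identity_verified = True
        self.status = Status.IN_PROGRESS
        self.note(when, f"identity verified via {evidence}")

    def extend(self, when: date, reason: str) -> None:
        """Extension must be decided and communicated within the original month."""
        if self.extended:
            raise ValueError("already extended once")
        if when > add_months(self.received, 1):
            raise ValueError("extension notified after the original deadline")
        self.extended = True
        self.note(when, f"extension notified to data subject: {reason}")

    def disclose(self, when: date) -> None:
        """Hard gate: never release data to an unverified requester."""
        if not self.identity_verified:
            raise PermissionError("identity not verified; refusing disclosure")
        self.status = Status.FULFILLED
        self.note(when, "response sent")

    def refuse(self, when: date, reason: str) -> None:
        self.status = Status.REFUSED
        self.note(when, f"refused: {reason}; subject informed of right to complain "
                        "to a supervisory authority and seek judicial remedy")

    def overdue(self, today: date) -> bool:
        return self.status not in (Status.FULFILLED, Status.REFUSED) and today > self.deadline()
```

The identity gate is the security-relevant part: a rights request is also a channel through which an impostor could obtain someone else's data, so disclosure is blocked at the code level rather than left to the handler's discretion, and the evidence used for verification is written to the log.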
Exceptions and Limitations
Not all rights apply in all circumstances. You may refuse certain requests when legally justified, such as when erasure would violate legal retention obligations, when restriction would impair legal claims, or when manifestly unfounded or excessive requests create undue burden.
When refusing a request, provide clear reasons for the refusal and inform the individual of their right to lodge a complaint with a supervisory authority and seek judicial remedy.
Security Measures
Article 32 requires appropriate technical and organizational measures to ensure data security commensurate with the risk. For non-EU businesses handling EU data, robust security is both a legal requirement and essential for maintaining customer trust.
Technical Security Measures
Implement comprehensive technical safeguards to protect personal data:
- Encryption: Encrypt personal data both at rest and in transit using industry-standard protocols. Use TLS for data in transit (the older SSL protocol versions it replaced are deprecated) and strong, well-vetted encryption algorithms for stored data.
- Access controls: Implement role-based access controls that limit data access to only those employees who need it for their job functions. Use strong authentication methods including multi-factor authentication for sensitive systems.
- Pseudonymization: Where feasible, process data in pseudonymized form to reduce risks associated with data breaches or unauthorized access.
- Network security: Deploy firewalls, intrusion detection systems, and network segmentation to protect systems from external threats.
- Regular updates: Maintain current software versions and apply security patches promptly to address known vulnerabilities.
- Logging and monitoring: Implement comprehensive logging of data access and processing activities to detect and respond to security incidents.
- Backup and recovery: Establish regular backup procedures and test disaster recovery plans to ensure data availability and resilience.
- Secure deletion: Implement processes for securely deleting or destroying data when no longer needed, ensuring it cannot be recovered.
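Pseudonymization only reduces breach impact if the pseudonym cannot be recomputed by whoever obtains the data. The added example below (not code from the page) contrasts an unkeyed hash of an email address, which anyone holding a list of candidate addresses can recompute, with an HMAC under a secret key that is stored apart from the pseudonymized dataset. The `linkable_from_candidates` check is the kind of linkability test a DPIA would run on a proposed scheme. Record layout and field names are assumptions constructed for the illustration.

```python
"""Keyed pseudonymization of identifiers, contrasted with an unkeyed hash.
Added example, not code from the page; record layout and field names are
assumptions constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional


def new_key() -> bytes:
    """Secret pseudonymization key; store it apart from the pseudonymized data
    (it is the 'additional information' Article 4(5) refers to)."""
    return secrets.token_bytes(32)


def _normalize(email: str) -> bytes:
    # Case and whitespace differences must not produce different pseudonyms.
    return email.strip().lower().encode("utf-8")


def weak_pseudonym(email: str) -> str:
    """Unkeyed SHA-256. Deterministic and recomputable by anyone who can guess
    the input, so for email addresses it barely reduces identifiability."""
    return hashlib.sha256(_normalize(email)).hexdigest()


def pseudonymize(email: str, key: bytes) -> str:
    """HMAC-SHA256: stable within one key (joins across datasets still work)
    but not recomputable without the key."""
    return hmac.new(key, _normalize(email), hashlib.sha256).hexdigest()


def pseudonymize_records(records: Iterable[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifier with a keyed pseudonym before the data
    leaves the system that holds the key (e.g. for analytics or support tooling)."""
    out = []
    for rec in records:
        rec = dict(rec)                    # do not mutate the caller's record
        rec["subject_id"] = pseudonymize(rec.pop("email"), key)
        out.append(rec)
    return out


def linkable_from_candidates(pseudonym: str, candidates: Iterable[str],
                             key: Optional[bytes] = None) -> Optional[str]:
    """DPIA-style check: can this pseudonym be linked back to a known list of
    addresses? Without the key only the unkeyed scheme is recomputable."""
    for candidate in candidates:
        guess = pseudonymize(candidate, key) if key is not None else weak_pseudonym(candidate)
        if hmac.compare_digest(guess, pseudonym):
            return candidate
    return None
```

Two operational points follow from the design: the key must live in a different trust boundary from the pseudonymized copies (a secrets manager or HSM, not the analytics database), and rotating the key breaks joins with older pseudonyms, so retention and deletion policies should be aligned with key lifetimes.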
Organizational Security Measures
Technical controls must be complemented by organizational measures:
- Security policies: Develop comprehensive information security policies covering acceptable use, password management, remote access, and incident response.
- Staff training: Provide regular training to all employees who handle personal data, covering security best practices, social engineering awareness, and GDPR obligations.
- Data protection by design and default: Integrate data protection considerations into system design from the beginning, implementing privacy-preserving features by default.
- Vendor management: Assess the security practices of third-party processors and establish contractual security requirements.
- Physical security: Secure physical access to facilities, servers, and storage media containing personal data.
- Confidentiality agreements: Require all staff with access to personal data to sign confidentiality agreements.
Risk Assessment and Security Testing
Appropriate security measures depend on the risks presented by your processing activities. Conduct regular risk assessments to identify vulnerabilities and implement proportionate safeguards.
Consider factors including the nature and volume of personal data processed, sensitivity of data categories, potential impact of breaches, likelihood of security incidents, and available technical protections when determining appropriate security measures.
Data Breach Notification
Articles 33 and 34 establish strict requirements for notifying supervisory authorities and affected individuals about personal data breaches. The 72-hour notification deadline makes breach preparedness critical for GDPR compliance.
What Constitutes a Data Breach
A personal data breach is defined as a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. This encompasses various incidents:
- Unauthorized access to systems containing personal data
- Ransomware attacks that encrypt or make data unavailable
- Accidental deletion or loss of personal data
- Sending data to incorrect recipients
- Lost or stolen devices containing unencrypted personal data
- Successful phishing attacks compromising credentials
- Insider threats involving unauthorized data access or exfiltration
Notification to Supervisory Authorities
When a personal data breach is likely to result in a risk to individuals’ rights and freedoms, you must notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
Required breach notification contents:
- Nature of the breach, including categories and approximate number of affected data subjects and data records
- Name and contact details of the data protection officer or other contact point
- Description of the likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
Notification to Data Subjects
When a breach is likely to result in a high risk to individuals’ rights and freedoms, you must also notify affected data subjects without undue delay. Use clear and plain language to communicate:
- Nature of the breach and types of data involved
- Name and contact details of the data protection officer or contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Recommendations for individuals to protect themselves
Individual notification is not required if you implemented appropriate technical protections (such as encryption rendering data unintelligible), took subsequent measures ensuring high risk is unlikely to materialize, or it would involve disproportionate effort (in which case make a public communication instead).
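The decision points in the two notification sections, written out as an added example (not code from the page): a triage helper that derives which notifications are due and when the 72-hour clock runs out, applies the individual-notification exceptions listed above, and keeps every breach in a register whether or not it was notifiable. The risk scoring thresholds are illustrative assumptions, not a legal test; treating data that is encrypted with an uncompromised key as "unlikely to result in a risk" is likewise this example's assumption and still needs a case-by-case judgement.

```python
"""Breach triage helper: which notifications are due and by when, plus a
register that keeps every breach whether or not it was notifiable. Added
example, not code from the page; the risk thresholds are illustrative
assumptions, not a legal test."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Breach:
    breach_id: str
    became_aware: datetime                 # the 72-hour clock starts here
    categories: List[str]                  # e.g. ["email", "password_hash"]
    subjects_affected: int
    special_category: bool = False         # health, biometric, etc.
    financial_data: bool = False
    credentials: bool = False
    encrypted_key_not_compromised: bool = False   # data unintelligible to whoever has it
    subsequent_measures_taken: bool = False       # high risk no longer likely to materialize


@dataclass
class NotificationPlan:
    risk: str                              # "none", "risk" or "high"
    notify_authority: bool
    authority_by: Optional[datetime]
    notify_individuals: bool
    public_communication: bool
    reasons: List[str] = field(default_factory=list)


def assess_risk(b: Breach) -> str:
    """Illustrative scoring (assumption): unintelligible data is no risk;
    sensitive categories or a large population is high risk; otherwise a risk."""
    if b.encrypted_key_not_compromised:
        return "none"
    if b.special_category or b.financial_data or b.credentials or b.subjects_affected >= 1000:
        return "high"
    return "risk"


def plan_notifications(b: Breach, disproportionate_effort: bool = False) -> NotificationPlan:
    """Authority: any risk, within 72 hours of awareness. Individuals: high risk,
    unless one of the exceptions applies."""
    risk = assess_risk(b)
    plan = NotificationPlan(risk, notify_authority=risk != "none",
                            authority_by=None, notify_individuals=risk == "high",
                            public_communication=False)
    if plan.notify_authority:
        plan.authority_by = b.became_aware + timedelta(hours=72)
    if plan.notify_individuals:
        if b.subsequent_measures_taken:
            plan.notify_individuals = False
            plan.reasons.append("subsequent measures mean high risk is no longer likely")
        elif disproportionate_effort:
            plan.notify_individuals = False
            plan.public_communication = True
            plan.reasons.append("individual notice disproportionate; public communication instead")
    return plan


@dataclass
class RegisterEntry:
    breach: Breach
    plan: NotificationPlan
    authority_notified_at: Optional[datetime] = None


class BreachRegister:
    """Every breach is logged, notified or not, so the register can be shown to a regulator."""

    def __init__(self) -> None:
        self.entries: List[RegisterEntry] = []

    def record(self, b: Breach, plan: NotificationPlan) -> RegisterEntry:
        entry = RegisterEntry(b, plan)
        self.entries.append(entry)
        return entry

    def pending_authority_notices(self) -> List[RegisterEntry]:
        return [e for e in self.entries
                if e.plan.notify_authority and e.authority_notified_at is None]
```

The `became_aware` timestamp deserves care in practice: the deadline runs from awareness, not from the attacker's first action, so the incident log should record when the organization had reasonable certainty that personal data was affected, and that record should be kept alongside the register entry.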
Breach Response Plan
Prepare for potential breaches by establishing a comprehensive incident response plan:
- Designate an incident response team with clear roles and responsibilities
- Establish procedures for detecting and reporting potential breaches internally
- Create processes for containment and recovery to limit breach impact
- Develop notification templates for supervisory authorities and data subjects
- Identify the lead supervisory authority for breach notifications
- Establish communication protocols with legal counsel, public relations, and senior management
- Maintain a breach register documenting all breaches, including those not requiring notification
- Conduct post-incident reviews to identify improvements
- Test the response plan regularly through tabletop exercises
Determining the Lead Supervisory Authority
For non-EU businesses without an EU establishment, determining which supervisory authority to notify can be complex. Generally, notify the authority in the EU country where you have your designated EU representative. If you don’t have an EU representative but process data of individuals in multiple member states, the one-stop-shop mechanism may apply based on where your main establishment would be if you had one in the EU.
Data Protection Officer and EU Representative
Depending on the nature and scale of your processing activities, you may need to appoint a Data Protection Officer (DPO) and/or designate an EU representative to serve as your contact point for European supervisory authorities and data subjects.
Data Protection Officer Requirements
Article 37 requires appointment of a DPO when:
- Processing is carried out by a public authority (except courts acting in judicial capacity)
- Core activities consist of processing operations requiring regular and systematic monitoring of data subjects on a large scale
- Core activities consist of processing special categories of data or data relating to criminal convictions on a large scale
While the regulation provides limited guidance on what constitutes “large scale,” factors include the number of data subjects affected, volume of data, duration of processing, and geographical extent. Many non-EU businesses, particularly SaaS platforms and ecommerce sites with substantial EU customer bases, benefit from appointing a DPO even when not strictly required.
DPO Qualifications and Responsibilities
A DPO must have expert knowledge of data protection law and practices. This person can be a staff member or external service provider but must have appropriate resources and independence to fulfill their duties effectively.
Key DPO responsibilities include:
- Monitoring GDPR compliance and advising on data protection obligations
- Providing guidance on Data Protection Impact Assessments
- Serving as the contact point for supervisory authorities
- Acting as a contact point for data subjects regarding their rights
- Conducting staff training and raising awareness
- Cooperating with supervisory authorities and regulatory inquiries
The DPO must report directly to the highest management level, cannot be instructed on how to perform tasks, and must not be dismissed or penalized for performing DPO duties. Ensure the DPO has adequate resources, is involved in data protection matters, and can operate independently.
EU Representative Requirements
Article 27 requires non-EU organizations to appoint a representative in the European Union when they offer goods or services to or monitor EU data subjects, unless the processing is occasional, doesn’t include large-scale processing of special categories of data, and is unlikely to result in risks to individuals.
This requirement applies to most US businesses with EU customers, as offering services to EU residents generally involves more than occasional processing.
EU Representative Role and Selection
The EU representative acts as an additional contact point for supervisory authorities and data subjects regarding processing activities. This must be an entity or person established in one of the EU member states where your data subjects are located.
Key considerations for EU representatives:
- Location: Must be established in an EU member state where you have data subjects. If you process data of individuals in multiple member states, choose a strategically appropriate location.
- Mandate: The representative must be mandated in writing by your organization to handle communications with supervisory authorities and data subjects.
- Responsibilities: Cooperate with supervisory authorities, respond to inquiries, and maintain records. The representative doesn’t replace your organization’s accountability but supplements it.
- Publication: Include the representative’s contact details in your privacy notice alongside your own contact information.
Several specialized services provide EU representative services for non-EU businesses, offering the necessary physical presence and expertise in European data protection law.
Third-Party Vendor Management
Most businesses rely on third-party vendors and service providers who process personal data on their behalf. Under GDPR, you remain responsible for ensuring these processors maintain appropriate data protection standards.
Controller-Processor Relationships
When you engage a processor to handle personal data on your behalf, Article 28 requires a written contract or legal act that sets out the subject matter, duration, nature, and purpose of processing, along with specific data protection obligations.
Required contractual provisions include:
- Process data only on documented instructions from the controller
- Ensure persons authorized to process personal data commit to confidentiality
- Implement appropriate technical and organizational security measures
- Engage sub-processors only with prior authorization
- Assist the controller in responding to data subject rights requests
- Assist with security, breach notification, and impact assessment obligations
- Delete or return all personal data after services end, unless required to retain it
- Make available information necessary to demonstrate compliance
- Allow for and contribute to audits and inspections
Vendor Assessment and Due Diligence
Before engaging processors, conduct due diligence to verify they can meet GDPR requirements:
- Review vendor’s security certifications (ISO 27001, SOC 2, etc.)
- Evaluate data security measures and infrastructure
- Assess vendor’s GDPR compliance program and documentation
- Verify data processing agreement addresses all Article 28 requirements
- Confirm data storage and processing locations
- Understand sub-processor usage and approval processes
- Review breach notification procedures and SLAs
- Evaluate vendor’s ability to support data subject rights requests
- Assess vendor’s data retention and deletion capabilities
- Confirm insurance coverage for data protection incidents
Data Processing Agreements (DPAs)
The data processing agreement serves as the foundation of your relationship with processors. Many established SaaS providers offer standard DPAs that address GDPR requirements, but review them carefully to ensure completeness.
Key elements beyond the Article 28 requirements include specifying permitted processing locations, defining data security standards, establishing breach notification timelines, addressing liability and indemnification, outlining audit rights and procedures, and defining termination and data return processes.
Managing Sub-Processors
Processors often engage their own sub-processors to provide services. You must authorize these sub-processors either through specific written authorization or general authorization with notification requirements.
When processors use general authorization, they must inform you of planned changes allowing you to object before new sub-processors are engaged. Maintain a current list of authorized sub-processors and ensure the same data protection obligations in your contract with the processor are imposed on sub-processors.
Ongoing Vendor Monitoring
GDPR compliance requires ongoing vendor oversight, not just initial due diligence. Conduct periodic reviews of processor compliance, monitor sub-processor changes and additions, review security audit reports and certifications, track and investigate security incidents involving processors, update contracts when regulations or circumstances change, and maintain records of vendor assessments and monitoring activities.
International Data Transfers
For US businesses, transferring personal data from the EU to the United States or other countries outside the European Economic Area triggers specific GDPR requirements under Chapter V. These provisions ensure that data protection standards travel with the data.
Transfer Mechanisms Under GDPR
The GDPR recognizes several mechanisms for legitimizing international data transfers:
Adequacy Decisions: The European Commission can determine that a third country provides an adequate level of data protection. Adequacy decisions currently exist for countries including Switzerland and the United Kingdom (post-Brexit), and for the United States through the EU-US Data Privacy Framework (which replaced Privacy Shield). When transferring data to an adequate country, no additional safeguards are required.
Standard Contractual Clauses (SCCs): The European Commission has approved standardized contract terms that provide appropriate safeguards for transfers. These pre-approved clauses can be incorporated into your contracts with data importers outside the EU. The Commission updated SCCs in 2021 to reflect current legal requirements and the Schrems II decision.
Binding Corporate Rules (BCRs): Multinational organizations can establish internal policies for transfers within their corporate group. BCRs require approval from supervisory authorities and involve significant administrative burden, making them less common for smaller organizations.
Derogations: Article 49 provides limited exceptions for specific situations, including explicit consent, necessary transfers for contract performance, important public interest grounds, and legal claims. These derogations apply only in specific circumstances and cannot serve as a basis for systematic transfers.
The EU-US Data Privacy Framework
The EU-US Data Privacy Framework (DPF) provides an adequacy mechanism specifically for transfers to the United States. US organizations can self-certify with the Department of Commerce that they comply with DPF principles.
Key requirements for DPF participation include self-certification with the Department of Commerce, public commitment to comply with DPF principles, annual recertification, implementation of required privacy practices, handling of complaints through designated mechanisms, and cooperation with EU data protection authorities.
Certified organizations can receive personal data from the EU without additional transfer mechanisms. Verify your vendors’ DPF certification status and maintain evidence of their participation.
Implementing Standard Contractual Clauses
When adequacy decisions don’t apply, Standard Contractual Clauses provide the most practical transfer mechanism for most non-EU businesses. Implementation requires:
- Execute the approved SCC modules appropriate to your relationship (controller-to-controller or controller-to-processor)
- Complete the required annexes specifying data categories, processing purposes, technical and organizational measures, and sub-processors
- Conduct a Transfer Impact Assessment (TIA) evaluating laws in the destination country that might impair SCC protections
- Implement supplementary measures if the TIA identifies risks to data protection
- Monitor ongoing compliance and reassess if circumstances change
Transfer Impact Assessments
Following the Schrems II decision, simply executing SCCs is insufficient. You must assess whether the laws and practices in the destination country might undermine the protections provided by the clauses.
The TIA evaluates government surveillance programs, data access laws, lack of meaningful redress mechanisms, and other factors that could compromise data protection. If risks are identified, implement supplementary measures such as encryption, data minimization, or technical controls that prevent governmental access.
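One of the supplementary measures named above, pseudonymisation combined with data minimisation, can be shown concretely. The following is an added example, not code from the guide: before records leave the exporter, direct identifiers are replaced with a keyed HMAC pseudonym and only the fields the importer actually needs are kept, while the key (and therefore the ability to re-identify) stays with the exporter. The sample records and the demo key are constructed; in practice the key would be generated with `secrets.token_bytes(32)` and held in a key store within the exporter's jurisdiction.

```python
"""Keyed pseudonymisation and data minimisation before a transfer.

Added example, not from the guide. Sample records and key are constructed;
the real key is never shared with the data importer.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Fields the importer must never receive in the clear
DIRECT_IDENTIFIERS = ("name", "email", "street_address")

SAMPLE_RECORDS: List[Dict[str, str]] = [  # constructed test data
    {"name": "Anna Example", "email": "Anna.Example@example.com",
     "street_address": "1 Sample St, Berlin", "plan": "pro",
     "country": "DE", "last_login": "2024-03-01"},
    {"name": "Bo Sample", "email": "bo@example.net",
     "street_address": "2 Test Rd, Lyon", "plan": "free",
     "country": "FR", "last_login": "2024-02-20"},
]


def pseudonym(key: bytes, identifier: str) -> str:
    """Deterministic keyed pseudonym for one identifier.

    HMAC rather than a plain hash: without the key, the importer (or anyone
    who obtains the export) cannot confirm guesses against a list of likely
    e-mail addresses. Identifiers are canonicalised so that case differences
    do not split one subject into two pseudonyms.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def minimise_and_pseudonymise(record: Dict[str, str], key: bytes,
                              needed_fields: Tuple[str, ...]) -> Dict[str, str]:
    """Build the record the importer receives: a pseudonym plus needed fields only."""
    for f in needed_fields:
        if f in DIRECT_IDENTIFIERS:
            raise ValueError(f"{f!r} is a direct identifier and must not be exported")
    exported = {"subject_ref": pseudonym(key, record["email"])}
    exported.update({f: record[f] for f in needed_fields})
    return exported


def prepare_export(records: List[Dict[str, str]], key: bytes,
                   needed_fields: Tuple[str, ...]) -> List[Dict[str, str]]:
    return [minimise_and_pseudonymise(r, key, needed_fields) for r in records]


def reidentify(subject_ref: str, key: bytes,
               local_records: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Exporter-side reversal: recompute pseudonyms over its own directory.

    The importer cannot do this because it does not hold the key; that is
    what keeps re-identification inside the exporter's jurisdiction.
    """
    for r in local_records:
        if hmac.compare_digest(pseudonym(key, r["email"]), subject_ref):
            return r
    return None


if __name__ == "__main__":
    key = b"constructed-demo-key-replace-me"
    for row in prepare_export(SAMPLE_RECORDS, key, ("plan", "country", "last_login")):
        print(row)
```

Pseudonymised records are still personal data in the exporter's hands, so the transfer mechanism and the TIA are still required; what the measure changes is the risk the TIA evaluates, since the importer and any party compelling access from it hold data that cannot be attributed to individuals without the key. Whether the remaining fields (`country`, `last_login`) could single someone out in combination is part of the same assessment.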
Documenting Data Transfers
Maintain comprehensive documentation of international transfers including transfer mechanisms used, copies of executed SCCs or adequacy certifications, Transfer Impact Assessments, supplementary measures implemented, and data flow diagrams showing cross-border movements.
This documentation demonstrates compliance to supervisory authorities and data subjects while providing evidence of appropriate safeguards for transferred data.
Documentation Requirements
The GDPR emphasizes accountability, which means you must be able to demonstrate compliance through comprehensive documentation. Maintaining detailed records protects you during regulatory inquiries and audits while supporting effective data management.
Essential GDPR Documentation
Build and maintain a complete compliance documentation library:
- Records of Processing Activities (ROPA): Comprehensive inventory of all processing activities as discussed in the data mapping section
- Privacy notices and policies: Current versions provided to data subjects, with archived versions and change logs
- Consent records: Evidence of consent obtained, including who consented, when, what information was provided, and the consent mechanism
- Data Protection Impact Assessments: Completed DPIAs for high-risk processing activities
- Legitimate Interest Assessments: LIA documentation for processing based on legitimate interests
- Data processing agreements: Executed contracts with all processors and sub-processors
- Standard Contractual Clauses: Completed SCCs for international data transfers
- Transfer Impact Assessments: TIA documentation evaluating transfer destinations
- Security policies and procedures: Technical and organizational security measures documentation
- Data breach register: Record of all breaches, including those not requiring notification
- Data subject rights logs: Records of rights requests, responses, and decisions
- Staff training records: Evidence of GDPR training provided to employees
- Vendor assessments: Due diligence documentation for processors
- Audit reports: Internal and external audit findings and remediation
Data Protection Impact Assessments
Article 35 requires DPIAs before beginning processing operations that are likely to result in high risk to individuals’ rights and freedoms. High-risk processing includes systematic and extensive automated processing with legal or significant effects, large-scale processing of special categories of data, and systematic large-scale monitoring of publicly accessible areas.
A comprehensive DPIA should describe the processing operations and purposes, assess necessity and proportionality of processing, identify risks to individuals’ rights and freedoms, describe measures to address risks including security and safeguards, and demonstrate compliance with GDPR provisions.
When the DPIA identifies high residual risks that you cannot adequately mitigate, consult with the relevant supervisory authority before proceeding with the processing.
Documentation Best Practices
Effective documentation management supports compliance and regulatory response:
Demonstrating Accountability
Accountability means more than maintaining documentation—it requires proactively demonstrating compliance through governance structures, regular assessments, and continuous improvement.
Effective accountability practices include implementing data protection policies throughout the organization, conducting regular compliance audits and gap assessments, establishing clear governance structures with defined responsibilities, maintaining executive oversight of data protection programs, documenting decision-making processes for data protection issues, responding promptly to compliance gaps or incidents, and demonstrating continuous improvement in data protection practices.
Penalties and Enforcement
Understanding GDPR enforcement helps prioritize compliance efforts and assess the business risk of non-compliance. European data protection authorities have demonstrated willingness to impose substantial fines on organizations worldwide, including many US companies.
GDPR Fine Structure
The GDPR establishes two tiers of administrative fines:
Lower tier violations (up to €10 million or 2% of annual global turnover): Include failures related to processors’ obligations, certification body requirements, monitoring body obligations, and some general provisions violations.
Higher tier violations (up to €20 million or 4% of annual global turnover): Include violations of basic data processing principles, data subject rights, international transfer requirements, and certain other core provisions.
Supervisory authorities determine the actual fine amount based on multiple factors including violation severity and duration, number of affected data subjects, extent of damage, intentional or negligent nature, actions taken to mitigate damage, history of previous violations, cooperation with authorities, affected data categories, and how the authority learned of the violation.
Notable Enforcement Actions
European data protection authorities have imposed significant fines on organizations for various violations. Major tech companies have received fines in the hundreds of millions of euros for violations related to consent mechanisms, transparency, data subject rights, and cross-border data transfers. Smaller organizations have faced fines proportionate to their size, demonstrating that enforcement extends beyond large corporations.
Common violation types resulting in fines include insufficient legal basis for processing, inadequate security measures leading to data breaches, failure to respect data subject rights, unlawful international data transfers, lack of valid consent for marketing, insufficient transparency in privacy notices, excessive data collection or retention, and failure to conduct required impact assessments.
Beyond Financial Penalties
Administrative fines represent only one enforcement tool. Supervisory authorities can also issue warnings and reprimands, order processing operations to comply with GDPR, order communication of breaches to data subjects, impose temporary or permanent processing bans, and order erasure of data.
Additionally, data subjects can pursue private litigation for damages caused by GDPR violations, creating potential liability beyond regulatory enforcement. The combination of regulatory penalties, litigation risk, and reputational damage makes GDPR compliance a business imperative.
Enforcement Trends
Enforcement activity has increased significantly since GDPR took effect. Key trends include:
- Growing number of complaints from data subjects exercising their rights
- Increased cooperation between supervisory authorities across member states
- Focus on high-profile enforcement actions against major technology companies
- Attention to cookie consent and tracking technologies compliance
- Scrutiny of international data transfers, especially to the United States
- Enforcement against organizations of all sizes, including small and medium businesses
For non-EU businesses, the lesson is clear: GDPR enforcement affects organizations worldwide, and compliance should be treated as a priority rather than an optional consideration.
Step-by-Step Implementation Guide
Implementing GDPR compliance can seem overwhelming, but a structured approach makes the process manageable. This step-by-step guide provides a practical roadmap for non-EU businesses building their compliance program.
Phase 1: Initial Assessment (Weeks 1-2)
Step 1: Confirm whether GDPR applies to your business by evaluating whether you offer goods or services to EU residents or monitor their behavior.
Step 2: Identify your role (controller, processor, or both) for different data processing activities in your organization.
Step 3: Assemble a compliance team including representatives from legal, IT, operations, and executive leadership.
Step 4: Allocate initial budget and resources for compliance implementation.
Phase 2: Data Mapping and Gap Analysis (Weeks 3-6)
Step 5: Conduct comprehensive data inventory mapping all personal data your organization collects, processes, stores, and shares.
Step 6: Create Records of Processing Activities (ROPA) documenting data flows, purposes, legal bases, and recipients.
Step 7: Identify gaps between current practices and GDPR requirements across all obligations.
Step 8: Assess risks associated with current processing activities and prioritize compliance actions.
Phase 3: Policy and Documentation Development (Weeks 7-10)
Step 9: Update or create privacy policies for EU data subjects addressing all transparency requirements.
Step 10: Develop cookie policy and consent management strategy.
Step 11: Create a data processing agreement template for vendor relationships.
Step 12: Establish data breach response plan and notification procedures.
Step 13: Develop data retention and deletion policies based on processing purposes.
Step 14: Create internal data protection policies and procedures for staff.
Phase 4: Technical Implementation (Weeks 11-16)
Step 15: Implement a consent management platform for website cookie compliance.
Step 16: Create systems and workflows for managing data subject rights requests.
Step 17: Establish secure data deletion and retention capabilities.
Step 18: Deploy encryption for personal data at rest and in transit.
Step 19: Implement access controls, authentication measures, and activity logging.
Step 20: Conduct security vulnerability assessments and remediate findings.
Phase 5: Organizational Measures (Weeks 17-20)
Step 21: Decide whether to appoint a Data Protection Officer based on your processing activities.
Step 22: Designate EU representative if required by Article 27.
Step 23: Conduct staff training on GDPR requirements and your organization’s policies.
Step 24: Review and update contracts with existing vendors, executing data processing agreements.
Step 25: Conduct Data Protection Impact Assessments for high-risk processing activities.
Step 26: Implement supplementary measures for international data transfers if needed.
Phase 6: Testing and Validation (Weeks 21-24)
Step 27: Test data subject rights processes by submitting internal test requests.
Step 28: Validate breach notification procedures through tabletop exercises.
Step 29: Audit consent management implementation across all channels.
Step 30: Review all documentation for completeness and accuracy.
Step 31: Conduct compliance audit against GDPR requirements checklist.
Phase 7: Ongoing Compliance
Step 32: Establish schedule for regular compliance reviews and updates.
Step 33: Monitor regulatory guidance and enforcement trends.
Step 34: Maintain documentation and records as requirements evolve.
Step 35: Conduct annual refresher training for staff.
Conclusion: Taking Action on GDPR Compliance
GDPR compliance represents a significant undertaking for non-EU businesses, but it’s both a legal requirement and an opportunity to demonstrate commitment to data protection and customer trust. For US companies, SaaS platforms, and ecommerce stores serving European customers, ignoring GDPR obligations creates unacceptable legal, financial, and reputational risks.
The comprehensive GDPR compliance checklist outlined in this guide provides a roadmap for achieving and maintaining compliance. Start with fundamental requirements like data mapping, privacy notices, consent management, and data subject rights processes. Build on this foundation with robust security measures, vendor management, documentation practices, and ongoing monitoring.
Key takeaways for non-EU businesses:
- GDPR applies to you if you process EU residents’ data, regardless of your location
- Compliance requires both technical and organizational measures across your entire data lifecycle
- Documentation and accountability are essential—you must demonstrate compliance, not just achieve it
- Vendor relationships require careful management through data processing agreements and ongoing oversight
- Implementation takes time but can be broken into manageable phases
- Compliance is ongoing, not a one-time project—regular reviews and updates are necessary
- The cost of compliance is significantly less than the cost of enforcement action and reputational damage
Begin your GDPR compliance journey today by assessing whether the regulation applies to your business, conducting a data audit to understand your current state, identifying gaps between current practices and GDPR requirements, and developing a prioritized implementation roadmap. Consider engaging legal counsel or data protection consultants with GDPR expertise to support your compliance program, particularly for complex issues like international transfers or high-risk processing activities.
Remember that GDPR compliance is not just about avoiding penalties—it’s about respecting individuals’ rights, building customer trust, and implementing responsible data practices that benefit your business long-term. Organizations that embrace GDPR requirements often find that improved data management, enhanced security, and stronger governance create operational benefits beyond regulatory compliance.
Resources and Further Reading
This comprehensive guide was created using authoritative sources from official regulatory bodies, legal texts, and data protection authorities. Below are the key resources consulted in the development of this article.
Official GDPR Documentation
- GDPR-Info.eu – Complete official text of the General Data Protection Regulation with article-by-article breakdown
- EUR-Lex Official GDPR Text – European Union official legislation database containing Regulation (EU) 2016/679
- GDPR-Text.com – Searchable GDPR regulation text with recitals and article cross-references
European Data Protection Board (EDPB)
- EDPB Guidelines and Recommendations – Official guidance on GDPR interpretation and implementation
- Guidelines 9/2022 on Personal Data Breach Notification (PDF) – Comprehensive guidance on 72-hour breach notification requirements
- Guidelines 3/2018 on Territorial Scope – Guidance on GDPR applicability to non-EU businesses
European Commission
- European Commission Data Protection – Official EU Commission data protection resources and policy information
- Adequacy Decisions – List of countries and frameworks deemed adequate for data transfers
- EU-U.S. Data Privacy Framework Adequacy Decision – July 2023 adequacy decision for EU-US data transfers
Court of Justice of the European Union (CJEU)
- Schrems II Judgment (C-311/18) – Landmark 2020 decision on international data transfers and Privacy Shield invalidation
- Latombe v. Commission (T-553/23) – September 2025 decision upholding EU-US Data Privacy Framework validity
National Data Protection Authorities
- UK Information Commissioner’s Office (ICO) – Comprehensive GDPR guidance and resources
- CNIL (France) – French data protection authority with extensive GDPR documentation
- Data Protection Commission (Ireland) – Irish DPC, lead authority for many tech companies
GDPR Compliance Resources
- GDPRhub – Comprehensive wiki with GDPR articles, case law, and DPA decisions
- GDPR Enforcement Tracker – Database of GDPR fines and enforcement actions across EU member states
- Data Privacy Framework (DPF) Self-Certification – U.S. Department of Commerce DPF program information
Standard Contractual Clauses (SCCs)
- European Commission SCCs – Official standard contractual clauses for international data transfers
- SCC Templates – Downloadable SCC modules for controller-to-controller and controller-to-processor transfers
Legal Analysis and Commentary
- DLA Piper Privacy & Cybersecurity – International law firm GDPR analysis and guidance
- Hogan Lovells Privacy Practice – Data protection legal analysis and case commentary
- Bird & Bird Data Protection – Technology and data protection law expertise
- CMS Law GDPR Expert Guide – Comprehensive GDPR implementation guide
Compliance Tools and Services
- Privacy Statement Generator – Tools for creating GDPR-compliant privacy policies and documentation
- Iubenda GDPR Compliance – Cookie consent and privacy policy solutions
- Usercentrics Knowledge Hub – Consent management and GDPR compliance resources
Industry Publications
- International Association of Privacy Professionals (IAPP) – GDPR resources, training, and certifications
- Data Privacy & Security Insider – News and analysis on data protection developments
EU Representative Services
- GDPR Local – Article 27 EU representative services and guidance
- EU Business Partners – EU representative appointment services for non-EU businesses
