Guide to GDPR Compliance for US Companies

Published/Updated June 21, 2021

Are U.S. Companies Affected by the GDPR?

The European Union’s General Data Protection Regulation applies to any organization that operates in the EU or that collects or processes the personal data of EU citizens. So if a business in the United States (or anywhere else in the world, for that matter) does handle such data — yes, the GDPR can apply to you. 

That said, the exact compliance requirements will vary depending on the size of your company and how you process and store the applicable data. If your company’s website actively targets EU citizens (known as data subjects) for marketing or monitoring, then your organization must be compliant. 

If you process EU citizen data for another business, but don’t actually collect the data from EU citizens directly, the compliance details are somewhat different. That’s because under the letter of the law, you are a data processor, rather than a data controller. Still, you will face compliance obligations. 

The language of the GDPR guarantees data subjects eight rights. Businesses covered by the GDPR must be able to honor each of those rights to be fully compliant.

What are the GDPR enforcement penalties?

GDPR noncompliance isn’t likely to shut down your company, but the enforcing authority (any privacy regulator in an EU member state) is able to levy fines against your organization no matter where the company is based. These fines can be up to 4 percent of annual global revenue or up to 20 million euros, whichever is the higher amount. 

Noncompliance can also cause any assets your company owns in the EU to be seized, and law enforcement may be called upon to cooperate with the enforcing authority in taking legal action against your company.

Does GDPR apply to EU citizens living in the U.S.?

Not necessarily. The requirements of the GDPR are based on the physical location of the person whose data is being used, rather than on their citizenship. If an EU citizen purchases an item while traveling or living in the United States and their data is then stored by an American company on U.S.-based servers, the GDPR would not apply. 

Conversely, if an American citizen is living or staying in the EU for an extended period, the GDPR can apply to the usage of his or her data. U.S. citizens who are living in the United States are not subject to these requirements.

Does the GDPR require audits?

Audits are not legally required by the GDPR. The language used in the GDPR requires that companies review their data and controls on a regular basis, but does not explicitly use the word “audit.” 

Performing regular audits, however, is extremely beneficial for any company that needs to comply with the GDPR. GDPR audits can examine your processes in depth and ensure that each of the eight GDPR rights is provided by your system. 

Also, the most important byproduct of a successful audit is documentation. Documented proof of audits and other compliance efforts can sometimes reduce penalties or fines in the event of a data breach. Moreover, regular assessments of your system and controls can help keep breaches from happening to begin with.  

If you’re struggling with your GDPR compliance efforts, ZenGRC has the solution. Our software will streamline and organize the compliance process, and includes automation that can save you time and resources. Our experts are knowledgeable on all compliance frameworks and can help you determine where you’re covered and where changes need to be made. Schedule a demo today to learn more about how ZenGRC can keep your company GDPR compliant.
