
GDPR Compliance: What You Need to Know

A practical overview of GDPR for US companies, covering key principles, lawful bases for processing, data subject rights, breach notification, international data transfers, and how GDPR relates to SOC 2 and ISO 27001.

Agency Team

One of the most common questions we get at Agency from US-based companies is: "Do we actually need to worry about GDPR?" The answer, in almost every case, is yes. If you serve customers in the EU, collect data from EU residents through your website, or process data on behalf of companies that have EU customers, GDPR applies to you regardless of where your servers are located or where your company is incorporated. What we tell clients is that GDPR is not an EU-only regulation — it is a data protection standard with global reach, and understanding it is essential for any company with international ambitions.

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law that took effect on May 25, 2018. It replaced the 1995 Data Protection Directive and established a unified framework for how personal data of EU residents must be handled. For US companies, GDPR introduced significant obligations, substantial penalties, and a fundamentally different approach to data protection than what most American organizations were accustomed to.

This guide covers the key GDPR principles, the practical compliance steps US companies need to take, and how GDPR relates to other frameworks like SOC 2 and ISO 27001 that you may already be pursuing.

Key GDPR Principles

GDPR is built on seven foundational principles that govern all processing of personal data. Understanding these principles is essential because they inform every specific requirement in the regulation.

Lawfulness, fairness, and transparency. You must have a valid legal basis for processing personal data, process it fairly, and be transparent with individuals about how their data is used.

Purpose limitation. Data must be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes.

Data minimization. You should collect only the personal data that is adequate, relevant, and limited to what is necessary for your stated purposes.

Accuracy. Personal data must be accurate and, where necessary, kept up to date. You must take every reasonable step to ensure that inaccurate data is rectified or erased without delay.

Storage limitation. Personal data should be kept in a form that permits identification of individuals for no longer than is necessary for the purposes for which it is processed.

Integrity and confidentiality. Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Accountability. You must be able to demonstrate compliance with all of the above principles. This is the principle that transforms GDPR from a set of aspirations into an operational obligation.

What we tell clients is that the accountability principle is what makes GDPR fundamentally different from earlier data protection laws. It is not enough to comply — you must be able to prove you comply. This means documentation, policies, records of processing activities, and evidence of your compliance efforts.

Lawful Bases for Processing

Under GDPR, you must have a valid legal basis for every instance of personal data processing. There are six lawful bases, and selecting the right one has significant implications for your obligations and individuals' rights.

Consent

The individual has given clear, affirmative consent to the processing of their personal data for one or more specific purposes. What we tell clients is that GDPR consent is far stricter than what most US companies are used to. Consent must be freely given (no pre-checked boxes), specific (tied to a defined purpose), informed (the individual knows exactly what they are consenting to), and unambiguous (requires a clear affirmative action). Consent must also be as easy to withdraw as it is to give.

Contractual Necessity

Processing is necessary for the performance of a contract with the individual or to take steps at their request prior to entering into a contract. In our experience, this is the lawful basis that applies to most B2B SaaS relationships — you process a customer's data because it is necessary to provide the service they contracted for.

Legal Obligation

Processing is necessary for compliance with a legal obligation to which your organization is subject.

Vital Interests

Processing is necessary to protect someone's life. This basis is rarely applicable in a technology context.

Public Interest

Processing is necessary for the performance of a task carried out in the public interest. This basis primarily applies to public authorities.

Legitimate Interests

Processing is necessary for your organization's legitimate interests or a third party's legitimate interests, provided those interests are not overridden by the individual's rights and freedoms. What we recommend is conducting a legitimate interest assessment (LIA) before relying on this basis, documenting the balancing test between your interests and the individual's rights.

In our experience, the most common mistake US companies make is defaulting to consent for everything. What we tell clients is that consent is often not the most appropriate lawful basis — contractual necessity and legitimate interests cover most B2B processing activities, and they do not create the withdrawal complications that consent does.

Data Subject Rights

GDPR grants individuals (data subjects) a comprehensive set of rights over their personal data. Your organization must have processes to receive, validate, and respond to these requests within the required timelines.

Right of access. Individuals can request confirmation of whether you process their data and, if so, a copy of that data along with supplementary information about the processing. You must respond within one month.

Right to rectification. Individuals can request correction of inaccurate personal data or completion of incomplete data.

Right to erasure (right to be forgotten). Individuals can request deletion of their personal data under specific circumstances, including when the data is no longer necessary for its original purpose or when they withdraw consent.

Right to restriction of processing. Individuals can request that you limit the processing of their data in certain situations, such as when they contest the accuracy of the data.

Right to data portability. Individuals can request their data in a structured, commonly used, machine-readable format and have it transmitted to another controller.

Right to object. Individuals can object to processing based on legitimate interests or public interest, including profiling. When processing is for direct marketing, the objection right is absolute.

What we recommend is building a data subject request (DSR) process before you need one. This includes a clear intake mechanism (typically a dedicated email address or form), a verification process to confirm the requester's identity, defined workflows for each right type, a tracking system to ensure responses are delivered within the one-month deadline, and documentation of all requests and responses.

In our experience, companies that build their DSR process reactively — in response to their first request — end up scrambling and risk missing the deadline. The companies that handle DSRs smoothly are those that implemented the process during their initial GDPR compliance work.

Data Protection by Design and Default

GDPR Article 25 requires data protection by design and by default. This means integrating data protection considerations into the design phase of systems, products, and business processes — not bolting them on after the fact.

What we tell clients is that data protection by design translates into practical engineering and product decisions. Collect only the personal data you actually need (data minimization). Pseudonymize or anonymize data wherever possible. Build retention schedules into your systems so data is automatically deleted when no longer needed. Default privacy settings should be the most protective option — users should opt in to less privacy, not opt out.
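As an added illustration (not code from the original article or Agency's own tooling), a small Python store that enforces the practices listed above: a per-purpose field allow-list for data minimization, keyed pseudonymization of direct identifiers, retention schedules with automatic deletion, and privacy-protective defaults. The purposes, retention periods, key and sample records are constructed values.

```python
import hashlib
import hmac
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Constructed retention schedule and per-purpose field allow-list (example values). A purpose with
# no entry cannot be written to, so purpose limitation and storage limitation are enforced at write time.
PURPOSES = {
    "support_ticket": {"days": 180, "fields": {"name", "message"}},
    "billing": {"days": 2555, "fields": {"name", "invoice_address"}},
}
DEFAULT_SETTINGS = {"marketing_emails": False, "analytics": False}  # privacy by default: opt in, never opt out

def pseudonymize(identifier: str, key: bytes) -> str:
    # Keyed hash: without the key (held apart from the records) it cannot be re-linked by hashing known addresses.
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()

Record = namedtuple("Record", "subject_pid purpose payload expires_at")  # subject_pid is never the raw e-mail

class PersonalDataStore:
    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key
        self.records: list[Record] = []

    def store(self, email: str, purpose: str, payload: dict, now: datetime) -> Record:
        spec = PURPOSES.get(purpose)
        if spec is None:
            raise ValueError(f"no documented purpose/retention period for {purpose!r}")
        extra = set(payload) - spec["fields"]
        if extra:  # data minimization: refuse fields this purpose does not need
            raise ValueError(f"fields not needed for {purpose!r}: {sorted(extra)}")
        rec = Record(pseudonymize(email, self._key), purpose, dict(payload), now + timedelta(days=spec["days"]))
        self.records.append(rec)
        return rec

    def sweep(self, now: datetime) -> int:
        # Storage limitation: delete records past their retention date and return how many were removed.
        before = len(self.records)
        self.records = [r for r in self.records if r.expires_at > now]
        return before - len(self.records)

def demo() -> dict:
    # Constructed walk-through: the support ticket expires after 180 days, the billing record does not.
    store, t0 = PersonalDataStore(b"constructed-demo-key"), datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.store("Alice@example.com", "support_ticket", {"name": "Alice", "message": "help"}, t0)
    store.store("alice@example.com", "billing", {"name": "Alice", "invoice_address": "1 Main St"}, t0)
    rejected = False
    try:
        store.store("bob@example.com", "billing", {"name": "Bob", "phone": "555-0100"}, t0)
    except ValueError:  # phone is not on the billing allow-list, so the write is refused
        rejected = True
    same_subject = store.records[0].subject_pid == store.records[1].subject_pid  # case-insensitive linkage
    deleted = store.sweep(t0 + timedelta(days=200))
    return {"rejected_extra_field": rejected, "same_subject": same_subject,
            "deleted": deleted, "remaining": [r.purpose for r in store.records]}
```

Running `demo()` shows the three controls working together: the over-collection is refused, both records for the same person share one pseudonymous id, and only the expired support ticket is deleted by the sweep.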

Data Protection Impact Assessments

When processing is likely to result in a high risk to individuals' rights and freedoms, GDPR requires a Data Protection Impact Assessment (DPIA). What we recommend is conducting DPIAs for any new processing activity that involves large-scale processing of sensitive data, systematic monitoring of individuals, automated decision-making with significant effects, new technologies with unknown privacy implications, or processing that could deny individuals access to services.

A DPIA should describe the processing and its purposes, assess the necessity and proportionality of the processing, identify and assess risks to individuals, and describe the measures planned to address those risks. In our experience, DPIAs are most effective when they are integrated into your product development process — not conducted as an afterthought.

Breach Notification

GDPR imposes strict breach notification requirements. When a personal data breach occurs, you must notify the relevant supervisory authority within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals' rights and freedoms) and notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms.

The notification to the supervisory authority must include the nature of the breach, categories and approximate number of individuals affected, contact details for your data protection officer, likely consequences of the breach, and measures taken or proposed to address the breach.

What we tell clients is that the 72-hour clock starts from awareness, not from the incident itself. This makes incident detection capabilities critical. In our experience, organizations with centralized logging and automated alerting are far better positioned to meet the 72-hour requirement than those relying on manual detection.

For processors (which includes most B2B SaaS companies acting under a data processing agreement), the obligation is to notify the controller without undue delay. Your data processing agreements should define specific notification timelines and procedures.

International Data Transfers

One of the most complex areas of GDPR compliance for US companies is international data transfers. GDPR restricts the transfer of personal data outside the European Economic Area (EEA) to countries that do not provide an adequate level of data protection — and the United States is not on the EU's adequacy list.

EU-US Data Privacy Framework

The EU-US Data Privacy Framework (DPF), which became effective in July 2023, provides a mechanism for US companies to receive personal data from the EU. Participating companies self-certify their adherence to DPF principles through the US Department of Commerce. What we recommend is that US companies that process EU personal data evaluate DPF certification as their primary transfer mechanism.

Standard Contractual Clauses

Standard Contractual Clauses (SCCs) are pre-approved contractual terms issued by the European Commission that provide appropriate safeguards for data transfers. In our experience, SCCs remain the most widely used transfer mechanism for companies that have not certified under the DPF or need a complementary mechanism. SCCs must be incorporated into your data processing agreements with EU clients or partners.

Transfer Impact Assessments

Since the Schrems II decision, organizations using SCCs are expected to conduct transfer impact assessments (TIAs) evaluating whether the legal framework of the destination country provides adequate protection. What we tell clients is that a TIA should assess the specific data involved, the transfer circumstances, and any supplementary measures needed (such as encryption or pseudonymization) to ensure equivalent protection.

The Relationship Between GDPR and SOC 2/ISO 27001

GDPR does not exist in isolation for most of the companies we work with. Many are simultaneously pursuing SOC 2, ISO 27001, or both. Understanding the overlaps and differences helps you build an efficient, integrated compliance program.

GDPR and SOC 2

SOC 2 with the Privacy Trust Service Criteria aligns significantly with GDPR requirements. The overlapping areas include data classification and handling, access controls and authentication, monitoring and logging, incident response and breach notification, vendor and third-party management, and data retention and disposal.

However, SOC 2 does not cover several GDPR-specific requirements: lawful basis documentation, data subject rights management, DPIAs, specific consent mechanisms, and international data transfer safeguards. What we recommend is using SOC 2 as your technical security foundation and layering GDPR-specific requirements on top.

GDPR and ISO 27001

ISO 27001 provides a stronger alignment with GDPR than SOC 2, particularly through Annex A controls related to data protection, privacy, and information classification. ISO 27001 certification demonstrates a systematic approach to information security management that supports GDPR's accountability principle.

In our experience, companies that have ISO 27001 certification find their GDPR compliance effort is approximately 50 to 60 percent lighter because the ISMS framework, risk assessment methodology, and control environment already exist.

Practical Compliance Steps for US Companies

Based on our work with dozens of US companies navigating GDPR, here are the steps we recommend:

Step 1 — Determine applicability. Map your data flows to identify whether you process personal data of EU residents. If you serve EU customers, have EU website visitors, or process data on behalf of companies with EU operations, GDPR applies.

Step 2 — Appoint a representative (if required). Organizations not established in the EU that process EU personal data must designate a representative in the EU (Article 27), unless processing is occasional and does not include large-scale processing of sensitive data.

Step 3 — Create your Records of Processing Activities (ROPA). Article 30 requires documented records of all processing activities. What we tell clients is that the ROPA is your GDPR equivalent of an asset inventory — it is the foundation document that auditors and supervisory authorities examine first.

Step 4 — Establish lawful bases. For each processing activity, identify and document the lawful basis. Review consent mechanisms to ensure they meet GDPR standards.

Step 5 — Implement data subject rights processes. Build the intake, verification, fulfillment, and documentation workflow for all GDPR rights.

Step 6 — Address international transfers. Evaluate DPF certification, implement SCCs, and conduct transfer impact assessments as needed.

Step 7 — Implement technical and organizational measures. This is where your SOC 2 or ISO 27001 program provides significant leverage — access controls, encryption, logging, incident response, and vendor management controls serve both your security framework and GDPR.

Step 8 — Conduct DPIAs for high-risk processing. Identify processing activities that trigger DPIA requirements and complete assessments before the processing begins.

Step 9 — Establish breach notification procedures. Define your 72-hour notification process, including detection, assessment, escalation, and authority notification workflows.

Enforcement and Fines

GDPR enforcement is real and substantial. The maximum penalties are up to 20 million euros or 4 percent of annual global turnover, whichever is higher, for the most serious violations. Supervisory authorities across EU member states have been actively enforcing GDPR since 2018, with cumulative fines exceeding 4 billion euros.

What we tell clients is that enforcement is not limited to large companies. Supervisory authorities have issued fines against small and mid-size organizations as well. The most commonly penalized violations include insufficient lawful basis for processing, inadequate technical and organizational security measures, insufficient transparency, failure to respect data subject rights, and non-compliance with data transfer requirements.

In our experience, the reputational and commercial impact of a GDPR enforcement action often exceeds the financial penalty. Enterprise customers conducting vendor due diligence will discover enforcement actions, and the resulting trust damage can be more costly than the fine itself.

Key Takeaways

  • GDPR applies to US companies that serve EU customers, collect data from EU residents, or process data on behalf of organizations with EU operations — geography of your servers is irrelevant.
  • What we recommend is identifying the correct lawful basis for each processing activity rather than defaulting to consent — contractual necessity and legitimate interests cover most B2B processing and avoid the complications of consent withdrawal.
  • In our experience, the 72-hour breach notification requirement is the provision that catches companies off guard most often — build your detection and notification processes before a breach occurs.
  • Build data subject rights processes proactively, including intake, verification, fulfillment, and documentation workflows — the one-month response deadline leaves no room for ad hoc approaches.
  • What we tell clients is that GDPR compliance is most efficient when layered on top of an existing security framework like SOC 2 or ISO 27001, which covers 50 to 70 percent of the technical requirements.
  • International data transfers require active management through the EU-US Data Privacy Framework, Standard Contractual Clauses, or both — this is not a set-and-forget area of compliance.