At CMIT Solutions, we work with US small and medium businesses every day that are surprised to learn the EU’s General Data Protection Regulation (GDPR) applies to them.
If your business collects, stores, or processes data belonging to EU residents, GDPR applies to you, whether you operate from New York, Dallas, or anywhere else in the US. Non-compliance can result in fines of up to €20 million or 4% of annual global turnover, whichever is greater.
Many US businesses assume GDPR only matters to large corporations with offices in Europe. In practice, the regulation’s extraterritorial reach means that a US-based company running a website, managing an email list, or delivering services to EU customers can be fully within scope. And because GDPR compliance rests on technical controls as much as on legal processes, weak or undocumented security is not just a security risk; it is a compliance liability.
This guide explains what GDPR requires, who it applies to, and what your business needs to do to stay on the right side of it.
Explore our business data compliance solutions to see how CMIT Solutions supports US businesses with GDPR and beyond.
What is GDPR and why does it apply to US businesses?
GDPR is an EU regulation that has applied since May 25, 2018. It sets out how organizations must collect, handle, protect, and store the personal data of individuals in the European Union. What makes it unusual is its reach: it applies not only to organizations established in the EU but also to organizations anywhere in the world whose processing targets or monitors people in the EU, regardless of where that processing takes place.
For US businesses, the trigger is straightforward. If you offer goods or services to people in the EU, or if you monitor the behavior of people within the EU, including through website analytics, cookies, or targeted advertising, you are likely within scope. This applies regardless of your company size, industry, or whether you have a physical presence in Europe.
The regulation replaced the 1995 Data Protection Directive and the 28 national laws that had implemented it, creating a single directly applicable framework. For US businesses, that means one largely consistent set of rules applies across all EU countries rather than a patchwork of local requirements, although member states retain some national variations, for example on the age of digital consent and on employee data.
Key GDPR terms every US business needs to know
GDPR uses specific legal terminology that determines how responsibilities are assigned. Misidentifying your organization’s role under the regulation is a common compliance mistake, and getting it right from the start is something CMIT Solutions helps businesses do before any other step.
- Data subject: Any individual located in the EU whose personal data is being collected or processed. This could be a customer, a website visitor, a newsletter subscriber, or a job applicant.
- Personal data: Any information that can identify a person, directly or indirectly. This includes names, email addresses, IP addresses, location data, cookie identifiers, and biometric data. It is broader than most US businesses expect.
- Data controller: The organization that determines why and how personal data is processed. If you decide what customer data to collect and what to do with it, you are the controller.
- Data processor: An organization that processes data on behalf of a controller. Cloud storage providers, email marketing platforms, and payroll processors often act as processors for their clients.
- Processing: Almost any operation performed on personal data counts, including collection, storage, use, analysis, sharing, and deletion.
- Data Protection Officer (DPO): A designated individual responsible for overseeing GDPR compliance. Not every organization is required to appoint one, but it is mandatory for certain types of processing activity.
A single organization can be both a controller and a processor in different contexts. A marketing agency, for example, may act as a processor when handling client customer lists but as a controller when managing its own employee data.
CMIT Solutions can help you map your organization’s role accurately and build your compliance program on the right foundation.
Does GDPR apply to your US business?
Two tests determine whether your organization falls within GDPR’s scope: material scope (Article 2) and territorial scope (Article 3). Both must be satisfied for a given processing activity before GDPR obligations attach to it.
- Material scope covers the processing of personal data carried out wholly or partly by automated means. It also applies to manual processing where data forms part of a filing system. In practice, this captures nearly every way a modern business handles customer or employee information.
- Territorial scope covers two main situations. The first is processing carried out in the context of an establishment in the EU, wherever the processing itself takes place. The second, and the one most relevant to US businesses, is processing by an organization with no EU establishment that offers goods or services to people in the EU or monitors their behavior within the EU.
Practical examples of US businesses that are likely within scope include:
- An e-commerce retailer whose website accepts orders and ships to EU countries
- A SaaS company with EU-based subscribers or users
- A professional services firm with EU clients whose data is held in a US CRM
- A website that uses analytics tools or advertising cookies that track EU visitors
- A staffing agency that processes applications from EU-based candidates
If you are uncertain whether your business meets this threshold, the right starting point is a data audit. The European Data Protection Board has published guidelines on territorial scope that clarify where the line falls, and CMIT Solutions can help you assess your exposure against that standard.
The seven principles of GDPR
GDPR is built on seven core principles, set out in Article 5 of the regulation. These principles govern how personal data must be handled at every stage. They are not optional guidelines; they are legal requirements, and organizations must be able to demonstrate they are following them.
| Principle | What it means in practice |
|---|---|
| Lawfulness, fairness, and transparency | You must have a valid legal basis for processing. Data subjects must be told how their data is used, in clear language. |
| Purpose limitation | Data collected for one purpose cannot be repurposed for something unrelated without a new legal basis or explicit consent. |
| Data minimization | Collect only the data you actually need. If a field is not necessary for your stated purpose, you should not be asking for it. |
| Accuracy | Personal data must be kept up to date and corrected when it is wrong. Inaccurate data must be erased or rectified promptly. |
| Storage limitation | Data should not be kept longer than necessary. You need retention schedules and a process for deleting data that is no longer needed. |
| Integrity and confidentiality | Appropriate technical and organizational security measures must protect data against unauthorized access, loss, or destruction. CMIT Solutions helps businesses meet this requirement through layered cybersecurity controls, including encryption, access management, and continuous monitoring across their entire IT environment. |
| Accountability | You must be able to demonstrate compliance, not just claim it. This means documentation, policies, training records, and audit trails. |
The accountability principle deserves particular attention for US businesses. GDPR enforcement is not passive. Regulators expect organizations to proactively document their compliance, and the burden of proof sits with the organization, not the regulator.
CMIT Solutions helps businesses build and maintain security standards that exceed baseline expectations, giving organizations the documented posture regulators expect to see.
Lawful bases for processing personal data
Before your organization can process personal data, it must identify a lawful basis for doing so. GDPR sets out six valid bases under Article 6. Choosing the wrong basis, or failing to document it, is one of the most frequent compliance failures.
- Consent: The individual has given clear, specific, and freely given agreement to the processing. Consent must be as easy to withdraw as it is to give. Pre-ticked boxes and bundled opt-ins do not meet the standard.
- Contractual necessity: Processing is required to perform a contract with the individual, or to take steps at their request before entering into one. This commonly applies to order fulfillment or service delivery.
- Legal obligation: Processing is necessary to comply with a legal requirement your organization is subject to. This might include tax record-keeping or employment law obligations.
- Vital interests: Processing is necessary to protect someone’s life. This is a narrow basis, typically limited to emergency medical scenarios.
- Public task: Processing is necessary for a task carried out in the public interest or under official authority. This is rarely applicable to private-sector US businesses.
- Legitimate interests: Processing is necessary for your organization’s legitimate interests, provided those interests are not overridden by the rights and freedoms of the data subject. This requires a documented balancing test.
For most US SMBs, the relevant bases will be consent, contract, legal obligation, and, in some cases, legitimate interests. Relying on legitimate interests requires particular care: a balancing test must be conducted and documented, and the data subject’s right to object always applies.
CMIT Solutions helps businesses work through this process accurately, so the lawful basis for each processing activity is correctly identified and on record.
What counts as personal data under GDPR?
Personal data under GDPR is broader than most US businesses expect, and significantly broader than the definition applied under many US state privacy laws. Any information that identifies or can be used to identify a living individual qualifies, including indirect identifiers.
Common examples include full names, email addresses, phone numbers, postal addresses, national identification numbers, and financial account details. The definition also extends to IP addresses, cookie identifiers, device IDs, location data, photographs, and behavioral data collected through web analytics.
In certain contexts, even job titles or workplace information can constitute personal data if they identify a specific individual.
GDPR also creates a separate, stricter category for special category data under Article 9: information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a person, health data, and data about a person’s sex life or sexual orientation. Data about criminal convictions and offences is handled separately under Article 10 and is similarly restricted.
Processing special category data is prohibited unless one of a narrow set of exceptions applies, including explicit consent or specific legal grounds.
For US businesses in healthcare, this intersects directly with existing obligations. A company subject to both HIPAA and GDPR will find that health data triggers requirements under both frameworks.
The HHS Office for Civil Rights provides guidance on HIPAA obligations, but GDPR applies in addition where EU data subjects are involved, and the two frameworks do not align perfectly.
CMIT Solutions provides cybersecurity-informed recommendations that account for both sets of requirements, so healthcare organizations are not left navigating that overlap alone.
The eight rights of data subjects
GDPR gives individuals in the EU a set of enforceable rights over their personal data. Your organization must be able to respond to requests to exercise these rights without undue delay and in any event within one month of receiving them; that period can be extended by up to two further months for complex or numerous requests, but only if you tell the individual within the first month and explain why. Failing to respond in time is itself a compliance violation.
- Right to be informed: Individuals must be told what data you collect, why you collect it, how long you keep it, and who you share it with. This is usually delivered through a privacy notice.
- Right of access: Individuals can request a copy of the personal data you hold about them. This is known as a Subject Access Request (SAR).
- Right to rectification: Individuals can ask you to correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”): Individuals can request deletion of their data in certain circumstances, such as when the data is no longer necessary for the original purpose.
- Right to restrict processing: Individuals can request that you pause processing of their data, for example, while a dispute about accuracy is resolved.
- Right to data portability: Individuals can request their data in a structured, machine-readable format so they can transfer it to another organization.
- Right to object: Individuals can object to processing based on legitimate interests or for direct marketing purposes. For marketing, this objection is absolute.
- Rights related to automated decision-making and profiling: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them, subject to limited exceptions. Where such decisions are made, they can demand human intervention, express their point of view, and contest the decision.
Building a reliable process for handling these requests is essential for any US business within GDPR’s scope. CMIT Solutions helps organizations put that process in place, including maintaining the central data register that makes fulfilling rights requests manageable rather than disruptive.
GDPR compliance requirements: what your business must do
Meeting GDPR obligations requires both technical controls and organizational processes. For many SMBs, this is where growing IT complexity becomes a real problem. The regulation does not prescribe specific technologies, but it does require that your measures be appropriate to the risk level of your processing activities, and that you can demonstrate it.
Data mapping and a processing register. Article 30 of GDPR requires organizations to maintain records of their processing activities. This means documenting what data you hold, where it came from, what you do with it and on what lawful basis, who you share it with, whether it leaves the EU, how long you keep it, and what security measures protect it. Organizations with fewer than 250 employees are exempt only if their processing is occasional, is unlikely to result in a risk to individuals, and involves no special category data; in practice, most businesses that are in scope at all will not meet that exemption. For US SMBs, building this register is often the first practical step in a compliance program, because every later step depends on it.
Privacy notices. You must provide clear, plain-language information to data subjects about how you process their data. Privacy notices need to be accessible, not buried in terms and conditions, and must be updated whenever your processing activities change.
Consent management. Where consent is your lawful basis, your consent mechanisms must meet GDPR’s standard: specific, informed, freely given, and recorded. Cookie banners on websites that serve EU visitors are a visible compliance requirement, but consent management extends to email marketing, contact forms, and any other touchpoint where data is collected.
Data breach response. GDPR requires controllers to notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; a late notification must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, those affected must also be notified directly without undue delay. Two points are easy to miss: processors must notify their controllers without undue delay, so your vendor contracts need to say so, and every breach must be documented internally, including the ones you decide not to report and why.
Having an incident response plan in place before a breach occurs is not optional; it is a compliance requirement. CMIT Solutions supports businesses with continuous monitoring and threat detection so that incidents are identified quickly and the 72-hour window is manageable rather than a crisis.
A compliance gap that goes undetected can quickly become an unplanned operational disruption. Use our IT downtime calculator to see what a security incident or compliance failure could cost your business.
Data Protection Impact Assessments (DPIAs). Where processing is likely to result in a high risk to individuals, organizations must carry out a DPIA before starting that processing. High-risk activities include large-scale processing of special category data, systematic monitoring, and new technologies, including AI-powered tools that businesses are adopting at a growing rate.
CMIT helps organizations evaluate those risks before deployment, so new technology is adopted with confidence rather than compliance exposure.
Vendor management. If you use third-party processors, including cloud services, CRM platforms, or IT support providers, GDPR (Article 28) requires a written Data Processing Agreement (DPA) with each of them. That agreement must set out the processor’s obligations, including security requirements, confidentiality, breach notification, assistance with data subject requests, and restrictions on how they use the data. It must also require the processor to obtain your authorization before engaging sub-processors and to flow the same obligations down to them. Multiple vendors without clearly defined agreements create accountability gaps that regulators will identify.
Cross-border data transfers. Transferring personal data from the EU to the US requires a legal mechanism under Chapter V of the regulation. The EU-US Data Privacy Framework, adopted in July 2023, provides one route for US organizations that self-certify under the framework, and only for the data covered by that certification. Standard Contractual Clauses (SCCs) are another widely used mechanism; since the Schrems II judgment, relying on SCCs also requires a documented transfer impact assessment of whether the receiving country’s laws undermine the protections the clauses promise.
CMIT Solutions helps businesses confirm that their data transfers rely on an approved mechanism and flags where that position needs reviewing as regulatory guidance evolves.
Many businesses assume their cyber insurance will cover them after an attack, but insurers increasingly require specific security controls before issuing or renewing coverage.
Use our insurance readiness assessment to see whether your current security environment aligns with modern insurer expectations.
GDPR and US privacy law: how the frameworks compare
GDPR does not replace US privacy obligations, and US privacy laws do not satisfy GDPR. If your business is subject to both, you are operating under two separate legal frameworks that share some similarities but differ in important ways.
GDPR is one of several data compliance frameworks US businesses may need to navigate simultaneously, and it is rarely the only one.
💡 Additional reading: data compliance regulations
| Area | GDPR | US frameworks (CCPA, HIPAA, FTC) |
|---|---|---|
| Scope | Applies based on the data subject being in the EU, or the organization being established there | Applies based on organization type, size, or data type |
| Consent standard | Opt-in required in most cases | Opt-out is often sufficient (CCPA); HIPAA uses a narrower authorization model |
| Breach notification | 72 hours to supervisory authority | Varies by state and sector; HIPAA requires notification within 60 days |
| Individual rights | Eight defined rights | Rights vary by law; CCPA grants access, deletion, and opt-out rights |
| Penalties | Up to €20 million or 4% of global turnover | Varies; HIPAA fines can reach roughly $2 million per violation category per calendar year, adjusted annually for inflation |
| Enforcement body | National supervisory authorities (EU) | FTC, HHS OCR, state attorneys general |
For businesses subject to the California Consumer Privacy Act (CCPA), there is more common ground with GDPR. Both give individuals rights of access and deletion and require transparency about data practices. However, GDPR’s lawful basis requirement, its stricter consent standard, and its extraterritorial reach make it a more demanding framework overall.
The California Privacy Protection Agency provides resources on CCPA obligations relevant to businesses operating under both regimes. For businesses that also handle payment card data, PCI compliance introduces a further set of technical security requirements that sit alongside both GDPR and CCPA.
CMIT Solutions helps businesses operating across multiple frameworks identify where controls overlap and where each requires something distinct, so nothing falls through the gaps.
Special considerations for specific industries
Certain industries face heightened GDPR compliance demands because of the type of data they handle or the nature of their customer relationships. US businesses in these sectors need to consider how GDPR interacts with their existing obligations, and CMIT Solutions has direct experience supporting organizations across all of them.
Healthcare. Health data is a special category of data under GDPR, subject to stricter processing conditions. US healthcare organizations that serve EU patients or use digital health tools that collect data from EU users must satisfy GDPR’s requirements for explicit consent or another valid special category ground, in addition to HIPAA requirements.
Hospitality. Hotels, travel platforms, and reservation systems routinely collect personal data from EU guests, including payment information, location data, and behavioral preferences. GDPR applies to this data from the point of collection, including through booking engines and loyalty programs.
Professional services. Law firms, accounting practices, and consulting businesses often hold sensitive personal and financial data on behalf of clients. Where those clients include EU individuals or entities, GDPR applies to the personal data processed in the course of delivering services.
Government contracting. Federal contractors and subcontractors that handle data involving EU nationals, including in international programs, research projects, or multinational supply chains, may find GDPR applies to certain processing activities alongside US federal requirements.
Businesses pursuing or maintaining Department of Defense contracts also face CMMC obligations that intersect with broader data protection requirements.
Technology and SaaS. Software companies serving EU customers are among the most clearly within GDPR scope. Terms of service, data processing agreements with customers, and technical security controls are all areas where compliance gaps are frequently identified.
Learn how our CMMC compliance services help government contractors meet overlapping federal and data protection requirements.
GDPR penalties and enforcement: what US businesses face
GDPR enforcement is active and the fines are substantial. The regulation provides for two tiers of administrative fines. Less serious infringements can attract fines of up to €10 million or 2% of annual global turnover.
More serious violations, including failures to obtain valid consent, processing data without a lawful basis, or breaching data subject rights, can result in fines of up to €20 million or 4% of annual global turnover, whichever is higher in each case.
Enforcement is carried out by national supervisory authorities in EU member states. The European Data Protection Board coordinates enforcement across member states and issues guidance on how the regulation should be applied. The “one-stop-shop” mechanism, which routes cross-border cases through a single lead authority, only benefits organizations with an establishment in the EU; a US business with no EU establishment can be investigated by the supervisory authority of any member state whose residents are affected.
Fines are not the only consequence. Supervisory authorities can issue reprimands, impose temporary or permanent bans on processing, and require organizations to bring their practices into compliance within a set timeframe. Reputational damage from a public enforcement action can also have significant commercial consequences, particularly for businesses that depend on customer trust.
GDPR enforcement against non-EU entities is possible, and regulators can coordinate with US authorities or pursue enforcement indirectly through business partners or EU-based processors. Note also that a non-EU organization within scope must generally designate a representative in the EU under Article 27, unless its processing is occasional, involves no large-scale special category data, and is unlikely to result in a risk to individuals; that representative is the point of contact supervisory authorities will use.
CMIT Solutions gives businesses the backup and recovery capabilities, documented incident response procedures, and layered protection across systems and users that regulators look for when assessing whether an organization took its obligations seriously.
A practical GDPR compliance checklist for US SMBs
Building GDPR compliance from scratch can feel overwhelming for a small or mid-sized business without a dedicated legal or compliance team. IT resources that cannot scale with business growth make it harder still.
Breaking the process into concrete steps makes it manageable, and CMIT Solutions can support your business at each stage.
- Determine whether GDPR applies. Assess whether you process personal data of EU residents through your website, products, services, or employment activities.
- Conduct a data audit. Map what personal data you hold, where it came from, where it is stored, who has access to it, and how long you keep it.
- Document your lawful bases. For each processing activity, identify and document the lawful basis you are relying on under Article 6.
- Update privacy notices. Ensure your privacy policy accurately reflects your current data processing activities and meets GDPR’s transparency requirements.
- Review consent mechanisms. Audit your contact forms, email sign-ups, and cookie banners to ensure consent meets GDPR’s standard.
- Establish a data subject rights process. Create a documented procedure for receiving, verifying, and responding to SARs and other rights requests within the required timeframe.
- Review vendor agreements. Identify all third-party processors and confirm that written DPAs are in place with each of them.
- Establish a data breach response plan. Define how you will detect, contain, assess, and report breaches within the 72-hour notification window.
- Assess cross-border transfer mechanisms. Confirm that any transfers of personal data from the EU to the US rely on an approved mechanism, such as the EU-US Data Privacy Framework or SCCs.
- Train your team. Staff who handle personal data should understand what GDPR requires of them and what to do when they encounter a potential compliance issue.
- Assess whether you need a DPO or an EU representative. If your core activities involve large-scale processing of special category data or large-scale, regular and systematic monitoring of individuals, a DPO is required under Article 37. Separately, most non-EU organizations within scope must designate a representative in the EU under Article 27.
2025 GDPR updates US businesses should know about
GDPR has been in force since 2018, but enforcement and regulatory expectations continue to evolve. EU regulators are actively working on improving how cross-border cases are handled, with a focus on creating more consistent timelines, clearer procedures, and stronger coordination between national supervisory authorities.
At the same time, broader EU digital regulation continues to develop alongside GDPR, including updates affecting data subject rights processes, enforcement consistency, and areas such as cookie consent under the ePrivacy framework.
Many of these developments are still in progress rather than finalized law, but the direction is clear: expectations are becoming more structured, enforcement is becoming more coordinated, and businesses are expected to demonstrate stronger accountability over time.
CMIT Solutions helps businesses stay aligned with these evolving requirements through security-first IT, continuous monitoring, and structured processes that support compliance over time.
By combining local support with national expertise, we help organizations maintain visibility, reduce risk, and adapt as regulatory expectations continue to develop.
CMIT Solutions helps US businesses stay ahead of GDPR
Achieving GDPR compliance is not a one-time project. For most SMBs, the ongoing demands of maintaining it (managing vendor agreements, responding to data subject requests, updating policies as your business changes, and keeping pace with regulatory developments) require consistent attention and the right IT infrastructure behind it.
Without trusted long-term technology guidance, compliance can drift as the business grows and its IT environment becomes more complex.
At CMIT Solutions, we act as trusted technology advisors, helping businesses across healthcare, professional services, hospitality, and government contracting build the technical foundations that GDPR compliance depends on.
Our security-first approach means your IT environment is designed, monitored, and managed with protection built in by default, not bolted on after the fact.
Our nationwide network of 900+ IT and cybersecurity professionals brings enterprise-level capabilities to every engagement, delivered through responsive, locally invested relationships. With more than 30 years of experience working with SMBs, we provide strategic guidance that turns compliance from an ongoing burden into a foundation for long-term growth.
To see what that looks like in practice, our Optyx case study shows how CMIT Solutions helped a multi-location business overcome inconsistent security practices and limited internal monitoring by implementing standardized security tools, centralized monitoring, and ongoing employee training, resulting in a stronger cybersecurity posture, improved system reliability, and fewer security incidents.
Whether your business is assessing its GDPR exposure for the first time or working to address gaps identified in an audit, we can guide you to a stronger, more defensible position.
To speak with a member of our team, call us at (800) 399-2648 or contact us to schedule a consultation.
Frequently asked questions
Can my US business be fined under GDPR even though we have no offices in Europe?
Yes, a US business can be fined under GDPR without any European presence. GDPR applies to any organization that offers goods or services to EU residents or monitors their behavior, regardless of where that organization is based. Regulatory cooperation between EU authorities and US agencies has made enforcement against non-EU entities increasingly viable.
Do we have to store our EU customers’ data on servers located inside the EU?
No, GDPR does not require data to be physically stored within EU borders. It requires that any transfer of personal data from the EU to the US is covered by an approved legal mechanism, such as the EU-US Data Privacy Framework or Standard Contractual Clauses, which ensure the data receives equivalent protection wherever it is stored.
How quickly does my business need to respond after discovering a data breach affecting EU residents?
You must notify the relevant supervisory authority within 72 hours of becoming aware of a breach that poses a risk to individuals’ rights and freedoms. Where the risk to individuals is high, those affected must also be notified directly without undue delay. Having a documented incident response plan in place before a breach occurs is what makes that 72-hour window achievable.
Does GDPR apply to the personal data we hold about our EU-based employees, not just our customers?
Yes, GDPR covers personal data relating to people in the EU in any role, including employees, contractors, and job applicants. US businesses that employ EU-based staff or recruit from within the EU must apply GDPR standards to HR systems, payroll platforms, applicant tracking tools, and any other system holding that data. Be careful about relying on consent as the lawful basis for employee data: because of the imbalance of power between employer and employee, regulators rarely accept it as freely given, and contract or legal obligation is usually the appropriate basis instead.
What is a Data Processing Agreement and does my business need one with every vendor we use?
A Data Processing Agreement (DPA) is a contract, required by Article 28, between your business and any third party that processes personal data on your behalf. If you share EU personal data with a cloud provider, CRM platform, IT support firm, or any other vendor, a DPA must be in place. It must specify the processor’s obligations, security requirements, breach notification duties, and restrictions on data use, and it must require your authorization before the processor engages sub-processors. Operating without one is an auditable compliance gap.