GDPR Isn't Just for Europe: How It Affects Your Business Globally
Understanding GDPR's extraterritorial reach and its impact on businesses worldwide — from data processing requirements to practical compliance steps for non-EU companies.
"We're not based in Europe, so GDPR doesn't apply to us."
That's one of the most expensive assumptions a business can make. Companies in the US, Asia, Latin America, and everywhere else have learned this the hard way — through enforcement actions, fines, and costly last-minute compliance scrambles.
The General Data Protection Regulation (GDPR) has an intentionally long arm. If your business touches the personal data of anyone in the European Union, there's a very good chance you need to comply. Let's break down exactly how this works and what you should do about it.
The Myth: "GDPR Is a European Law for European Companies"
When GDPR took effect on May 25, 2018, many businesses outside the EU treated it as someone else's problem. The logic seemed simple enough — European regulation, European companies.
That logic is wrong.
GDPR was specifically designed to protect EU residents' data regardless of where the company processing that data is located. The regulation follows the data, not the company's mailing address. This is called the extraterritorial effect, and it's spelled out clearly in Article 3 of the regulation.
Article 3: The Extraterritorial Reach Explained
Article 3 of the GDPR defines the regulation's territorial scope. It applies to organizations in two key scenarios:
Scenario 1: You Have an Establishment in the EU
If your company has any presence in the EU — an office, a subsidiary, a branch — GDPR applies to the processing of personal data carried out "in the context of the activities" of that establishment. This is true even if the actual data processing happens on servers in the United States or Singapore.
Example: A US software company has a sales office in Berlin. Even though customer data is stored on US servers, the processing is connected to the Berlin office's activities. GDPR applies.
Scenario 2: You Don't Have an EU Presence, But You Target EU Residents
This is the part that catches most non-EU businesses off guard. GDPR applies to organizations outside the EU if they:
- Offer goods or services to individuals in the EU (whether paid or free)
- Monitor the behavior of individuals in the EU (tracking, profiling, analytics)
The European Data Protection Board (EDPB) has clarified what "offering goods or services" means. It's not just about having a website accessible from Europe. Indicators include:
| Indicator | Example |
|---|---|
| Using an EU language (other than English) | Website available in German, French, or Italian |
| Accepting EU currency | Pricing displayed in euros |
| Mentioning EU customers | Marketing that references EU countries |
| EU-targeted advertising | Running Google Ads targeting France or Spain |
| EU-specific shipping options | Offering delivery to EU addresses |
| EU top-level domain | Operating a .de, .fr, or .nl website |
Example: A Japanese e-commerce site that ships to Germany, displays prices in euros, and has a German-language option is clearly targeting EU residents. GDPR applies — even though the company has zero European presence.
Example: A US-based mobile app that tracks user behavior through cookies and analytics for users worldwide, including EU users, is monitoring their behavior. GDPR applies.
Which Businesses Actually Need to Comply?
Let's get specific. Here are the types of non-EU businesses that most commonly fall under GDPR:
Definitely in Scope
- SaaS companies with EU customers or users
- E-commerce businesses that ship to or serve EU customers
- Mobile app developers with EU users (especially if using analytics or ad tracking)
- Digital advertising companies that track EU users
- Cloud service providers processing data for EU-based clients
- Freelancers and consultants working with EU clients' personal data
Probably in Scope
- Companies with EU employees (even remote workers)
- Businesses using EU-based subprocessors (e.g., hosting on EU servers)
- Organizations receiving personal data from EU partners
Likely Not in Scope
- Purely local businesses with no EU customers, users, or contacts
- Companies that don't collect personal data from EU residents at all
If you're reading this article and you have a website with global traffic, you should assume at least some GDPR obligations apply to you.
Key GDPR Requirements for Non-EU Businesses
Alright, so GDPR applies to you. What do you actually need to do? Here are the requirements that matter most for businesses outside the EU.
1. Establish a Legal Basis for Processing
You can't just collect and use personal data because you want to. GDPR requires a legal basis for every processing activity. There are six legal bases, but most businesses rely on these three:
| Legal Basis | When It Applies | Example |
|---|---|---|
| Consent | The individual has given clear, affirmative consent | Newsletter signup with opt-in checkbox |
| Contract | Processing is necessary to fulfill a contract | Shipping address to deliver a purchased product |
| Legitimate Interest | Processing is necessary for your legitimate business interest, balanced against the individual's rights | Fraud detection, network security |
Consent under GDPR is strict. Pre-ticked boxes don't count. Bundled consent (forcing users to agree to everything at once) doesn't count. Consent must be freely given, specific, informed, and unambiguous. And users must be able to withdraw consent as easily as they gave it.
2. Respect Data Subject Rights
GDPR gives EU residents a set of rights over their personal data. Your business must be able to honor these requests within one month:
Right of Access (Article 15): Individuals can ask what data you have about them and get a copy of it.
Right to Rectification (Article 16): Individuals can ask you to correct inaccurate data.
Right to Erasure — "Right to Be Forgotten" (Article 17): Individuals can ask you to delete their data. This isn't absolute — you can refuse if you have a legal obligation to keep it — but you need a valid reason.
Right to Data Portability (Article 20): Individuals can request their data in a structured, machine-readable format and transfer it to another service.
Right to Object (Article 21): Individuals can object to processing based on legitimate interest or direct marketing. For direct marketing, you must stop immediately — no exceptions.
Right to Restrict Processing (Article 18): Individuals can ask you to limit how you use their data while disputes are resolved.
These rights aren't optional add-ons. You need processes and systems in place to handle these requests before they arrive.
3. Appoint an EU Representative
Under Article 27, if your organization is not established in the EU but is subject to GDPR, you must appoint a representative in the EU. This representative acts as a contact point for supervisory authorities and data subjects.
There are narrow exceptions — for example, if your processing is occasional, doesn't include special categories of data on a large scale, and is unlikely to result in a risk to individuals' rights. But for most businesses handling EU customer data regularly, a representative is required.
Your EU representative must be located in one of the EU member states where the individuals whose data you process are located.
4. Implement Data Protection by Design and Default
Article 25 requires that you build data protection into your systems from the start — not bolt it on after the fact. This means:
- Collecting only the data you actually need (data minimization)
- Setting privacy-friendly defaults (e.g., non-essential data collection switched off until the user opts in, not on until they opt out)
- Pseudonymizing or encrypting data where appropriate
- Regularly reviewing and deleting data you no longer need
5. Maintain Records of Processing Activities
Article 30 requires organizations with 250 or more employees — or any organization whose processing is not occasional — to maintain detailed records of their processing activities. In practice, this applies to most businesses. Your records should include:
- What data you collect and why
- Categories of data subjects and personal data
- Who you share data with (including international transfers)
- Data retention periods
- A description of your security measures
6. Report Data Breaches
If you experience a personal data breach that poses a risk to individuals' rights, you must notify the relevant EU supervisory authority within 72 hours of becoming aware of it. If the breach is likely to result in high risk, you must also notify the affected individuals directly.
72 hours is not a lot of time. You need an incident response plan ready before a breach happens.
The Cost of Getting It Wrong
GDPR enforcement is real, and it's not limited to EU-based companies.
Fine Structure
GDPR allows for two tiers of administrative fines:
| Tier | Maximum Fine | Applies To |
|---|---|---|
| Lower tier | Up to €10 million or 2% of global annual turnover (whichever is higher) | Violations of data controller/processor obligations, certification requirements |
| Upper tier | Up to €20 million or 4% of global annual turnover (whichever is higher) | Violations of data processing principles, consent requirements, data subject rights |
"Global annual turnover" means your company's worldwide revenue — not just EU revenue.
Real Enforcement Examples
The fines are not theoretical. Here's a sample of significant GDPR penalties:
- Meta (Ireland): €1.2 billion fine in 2023 for transferring EU user data to the US without adequate safeguards — the largest GDPR fine to date.
- Amazon (Luxembourg): €746 million fine in 2021 for processing personal data in violation of GDPR's data processing principles.
- Google (France): €150 million fine in 2022 for making it difficult for users to refuse cookies compared to accepting them.
- Clearview AI (France/Italy/Greece): Multiple fines totaling over €60 million for scraping facial images of EU residents without consent — the company has no EU presence.
- TikTok (Ireland): €345 million fine in 2023 for violations related to children's data processing.
Notice the Clearview AI case. The company is US-based with no EU offices. The fines were issued anyway.
Beyond Fines
Money isn't the only consequence. GDPR enforcement can result in:
- Orders to stop processing — effectively shutting down your EU operations
- Orders to delete data — potentially losing years of collected information
- Reputational damage — data protection violations make headlines
- Loss of business partners — EU companies increasingly require GDPR compliance from vendors
- Class action lawsuits — GDPR enables individuals and consumer groups to seek compensation
Practical First Steps Toward GDPR Compliance
If you've been putting off GDPR compliance, here's a practical roadmap to get started.
Step 1: Data Mapping
Before you can protect data, you need to know what you have. Conduct a thorough data mapping exercise:
- What personal data do you collect from EU residents?
- Where is it stored?
- Who has access to it?
- Who do you share it with (third parties, subprocessors)?
- How long do you keep it?
- What is the legal basis for each processing activity?
This is the foundation. Everything else builds on it.
Step 2: Update Your Privacy Policy
Your privacy policy must clearly explain, in plain language:
- Who you are and how to contact you (and your EU representative)
- What data you collect and why
- The legal basis for processing
- Who you share data with
- Whether data is transferred outside the EU (and what safeguards are in place)
- How long you retain data
- Data subject rights and how to exercise them
- The right to lodge a complaint with a supervisory authority
Generic, vague privacy policies don't cut it under GDPR. Be specific.
Step 3: Fix Your Consent Mechanisms
Review every place you collect consent:
- Cookie banners: Must allow genuine choice. "Accept All" as the only prominent option is not valid consent. Provide equally prominent "Reject All" or "Manage Preferences" options.
- Email signups: Must be opt-in, not opt-out. No pre-checked boxes.
- Account creation: Separate consent for data processing beyond what's necessary for the service.
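The consent rules in this step (no pre-ticked boxes, "Accept All" and "Reject All" as equally simple one-click actions, withdrawal as easy as consent, third-party tags loaded only for consented categories, and a re-prompt when the policy changes) expressed as a small browser-side consent-state helper; this is an added example, not code from the article, and the category names, the tag-registry shape and the policy-version string are assumptions.

```javascript
// Added example (not from the article): consent-state helper for a cookie banner.
// Category names, tag registry format and version strings are assumptions.
const NON_ESSENTIAL = ["analytics", "marketing"]; // "necessary" needs no consent

function defaultConsent(policyVersion) {
  // Privacy-friendly default: every non-essential category is off until the user acts.
  const choices = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  return { version: policyVersion, decided: false, timestamp: null, choices };
}

function applyChoice(state, choices, now = Date.now()) {
  // Only an explicit boolean true enables a category; anything missing or merely
  // truthy stays off, so there is no code-level equivalent of a pre-ticked box.
  const next = {};
  for (const c of NON_ESSENTIAL) next[c] = choices[c] === true;
  return { ...state, decided: true, timestamp: now, choices: next };
}

// Accept All and Reject All are the same one-click operation, so the banner can show
// them with equal prominence; withdrawing consent later is simply rejectAll again.
function acceptAll(state, now) {
  return applyChoice(state, Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])), now);
}
function rejectAll(state, now) {
  return applyChoice(state, {}, now);
}

function needsBanner(state, currentVersion) {
  // Re-prompt if the user never decided, or decided under a different policy version.
  return !state.decided || state.version !== currentVersion;
}

function tagsToLoad(state, tags) {
  // tags: [{ category, src }] (assumed shape). Only consented categories are loaded.
  return tags.filter((t) => t.category === "necessary" || state.choices[t.category] === true);
}

function toCookieValue(state) {
  // Serialized for a first-party cookie; the caller adds Secure/SameSite attributes.
  return encodeURIComponent(JSON.stringify(state));
}

function fromCookieValue(value, currentVersion) {
  // A corrupt cookie or one from an older policy version falls back to the default,
  // which makes needsBanner() true again.
  try {
    const parsed = JSON.parse(decodeURIComponent(value));
    if (parsed && parsed.version === currentVersion && parsed.choices) return parsed;
  } catch (_) { /* unparsable cookie */ }
  return defaultConsent(currentVersion);
}
```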
Step 4: Build Data Subject Rights Processes
Create clear internal processes for handling data subject requests:
- Designate who handles requests
- Set up a system to verify requester identity
- Establish workflows to respond within the one-month deadline
- Document every request and your response
Step 5: Review Third-Party Data Sharing
If you use third-party tools that process EU personal data (analytics, CRM, email marketing, advertising), you need:
- Data Processing Agreements (DPAs) with each processor
- Verification that international data transfers have proper safeguards (Standard Contractual Clauses, adequacy decisions, etc.)
- Regular assessment of your processors' compliance
Step 6: Prepare for Breaches
Build an incident response plan that includes:
- How to detect and assess breaches
- Who to notify internally
- How to notify the supervisory authority within 72 hours
- Templates for breach notifications
- Communication plans for affected individuals
GDPR and the Global Privacy Landscape
GDPR didn't just change European privacy law — it set the template for data protection worldwide. If you build for GDPR compliance, you'll have a head start on other regulations:
| Regulation | Jurisdiction | Key Similarity to GDPR |
|---|---|---|
| CCPA/CPRA | California, US | Consumer rights, opt-out requirements, penalties |
| LGPD | Brazil | Legal bases for processing, data subject rights, DPO requirement |
| POPIA | South Africa | Consent requirements, data subject rights, breach notification |
| PDPA | Thailand | Consent, purpose limitation, cross-border transfer rules |
| PIPL | China | Consent, data localization, cross-border transfer restrictions |
Investing in GDPR compliance isn't just about avoiding fines. It's building a privacy infrastructure that scales as more countries adopt similar laws.
FAQ
Q: Does GDPR apply if I only have a few EU customers?
A: It depends on whether you're actively targeting EU residents. If you are — through EU-language content, EU currency, EU-targeted advertising — then yes, even a few customers can trigger GDPR. The regulation doesn't set a minimum threshold.
Q: What if I just block EU users from my website?
A: Geo-blocking can work as a strategy, but it needs to be genuinely effective. If EU residents can still access your service and you collect their data, you're still at risk. Also consider whether blocking 450+ million potential customers is really the best business decision.
Q: Do I need a Data Protection Officer (DPO)?
A: A DPO is mandatory if your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (health, biometrics, etc.). Many non-EU businesses processing EU customer data don't strictly need a DPO, but appointing one is still good practice.
Q: How is GDPR enforced against companies outside the EU?
A: EU supervisory authorities can issue fines regardless of company location. Enforcement mechanisms include mutual legal assistance treaties, cooperation with local authorities, and practical business pressure — EU partners and customers increasingly refuse to work with non-compliant vendors.
Q: What are Standard Contractual Clauses (SCCs)?
A: SCCs are pre-approved legal contracts that provide safeguards for transferring personal data from the EU to countries without an adequacy decision. If you're a non-EU company receiving data from EU organizations, you'll likely need SCCs in place.
Conclusion
GDPR is not going away, and its reach is not shrinking. More enforcement actions are being brought against non-EU companies each year, and the fines keep getting larger.
But compliance isn't just about avoiding punishment. Businesses that take data protection seriously build stronger customer trust. In a market where consumers are increasingly aware of how their data is used, demonstrating genuine respect for privacy is a competitive advantage.
Start with data mapping. Fix your consent mechanisms. Build processes for handling data subject rights. These steps aren't just GDPR requirements — they're good business practice that will serve you well as global privacy regulation continues to expand.
For detailed GDPR requirements and official resources, visit our GDPR standard page. For US privacy obligations, check out our CCPA/CPRA guide.