Attention US Companies: The GDPR Is Coming!

Posted: July 19, 2017

When does the GDPR apply to US based companies?

There has been much buzz circulating about the upcoming General Data Protection Regulation (GDPR). Yet, many organizations are still trying to figure out how it will actually apply to their business. This is particularly true for US based companies.

The GDPR applies to US based companies who offer goods or services to EU data subjects and/or monitor the behavior of EU data subjects. For example, if a US company is not actively marketing to EU data subjects the regulation may still apply in a scenario where an EU data subject can visit the company’s website and purchase a product or service. To learn more about how the GDPR may impact U.S. companies, see the video below:

US companies must also be aware that the GDPR has a fairly general application. For example, it doesn’t only apply to organizations exclusively conducting active marketing campaigns into the EU.  The regulation also applies to any company that is offering products and services to individuals residing in the EU.

In determining whether your company is offering goods or services to EU data subjects, regulators may consider if your website has been translated to the local language or if the currency has been converted to reflect that of the member state. Furthermore, if a company is monitoring the behavior of data subjects, the GDPR applies. Cookies can be utilized to monitor the behavior of someone visiting a company website and often collects personal data like the visitor’s IP address.

Companies based in the US must ensure they understand whether the GDPR applies to them. If it does not apply, it is important to specifically document your analysis outlining why you believe you are exempt.

If the GDPR does apply, we recommend you begin preparing for the May 25, 2018 effective date now. Readiness includes data mapping, system inventory, data subject right applicability and exceptions and ensuring protection of the personal data collected meets the regulatory standards.

We understand compliance with these requirements can be difficult to manage. Please feel free to reach out to for more information on the GDPR requirements, how to comply, or any other privacy, security or compliance matters or visit us here.

Matt Dumiak

Author: Matt Dumiak

Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and has a B.S. in Economics from Georgia College.

Leave a Reply

Your email address will not be published. Required fields are marked *

Reduce risk, maintain a compliant posture, and protect info