Go to integrated search
contact us

Copyright SJKP LLP Law Firm all rights reserved

General Data Protection Regulation: Gdpr Compliance for Businesses



The General Data Protection Regulation (GDPR) is the EU data privacy law that governs how organizations handle the personal data of people in the EU, and it can reach US businesses too. Learn who must comply, the core duties, when you need a DPO or EU representative, the penalties, and how to transfer EU data lawfully.

GDPR can apply beyond Europe because its territorial scope depends not only on where a company is located, but also on whether the company targets people in the EU or monitors their behavior there. If that describes your business, the GDPR can apply no matter where you are based.


1. What the General Data Protection Regulation Is


The General Data Protection Regulation is a comprehensive EU law, formally Regulation (EU) 2016/679, that has applied since 25 May 2018. It sets rules for processing personal data and gives individuals strong rights over their information. Its reach is global because it can cover organizations that target or monitor people in the EU.

GDPR replaced an older 1995 directive and unified privacy rules across the EU. For many organizations, broader data privacy compliance now starts with understanding this single regulation.



What Is the General Data Protection Regulation (Gdpr)?


The General Data Protection Regulation (GDPR) is the EU regulation that controls how personal data of individuals in the EU is collected, used, stored, and shared. Personal data means any information relating to an identifiable person, such as names, emails, location data, or online identifiers.

The law applies to controllers, who decide why and how data is processed, and processors, who handle data on a controller's behalf. Both carry obligations. The terms are defined broadly, so most businesses fall into one role or the other.



Does Gdpr Apply to Us Businesses?


Yes, GDPR can apply to US businesses even without any office in Europe. Under Article 3, it covers organizations outside the EU that offer goods or services to people in the EU or that monitor their behavior, such as through tracking or profiling.

This extraterritorial scope is what surprises many companies. A US online store shipping to EU customers can be covered. Because GDPR can apply to non-EU companies, cross-border data protection review is often the first step for US businesses that serve EU customers, track EU users, or receive EU personal data.



Who Enforces Gdpr?


GDPR is enforced by national supervisory authorities in each EU member state, coordinated through the European Data Protection Board (EDPB). For cross-border processing, a lead supervisory authority often handles the case under a one-stop-shop mechanism.

These regulators investigate complaints, conduct audits, and impose fines. They can also order a company to change or stop its data practices. Knowing which authority is likely to take the lead shapes any compliance or defense strategy.



2. Gdpr Scope, Roles, and Lawful Bases


GDPR compliance starts with two questions: what role your business plays and what legal justification you have for each use of data. Together these define whether your processing is lawful. Skipping either is a common source of violations.

Your role determines your duties, and the lawful basis determines your permission to process at all. You need both clearly identified before processing personal data.



Are You a Controller, Processor, or Joint Controller?


You are a controller if you decide why and how personal data is processed, a processor if you process it on someone else's behalf, and a joint controller if you make those decisions with another party. The role determines which obligations and contracts apply.

Controllers and processors must usually sign a data processing agreement under Article 28. Non-EU companies within GDPR's scope should also assess whether they must appoint an EU representative under Article 27. Mapping your role early prevents gaps in data governance accountability.



What Are the Gdpr Principles and Lawful Bases?


The GDPR principles in Article 5 are lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. Every processing activity also needs a lawful basis under Article 6.

The six lawful bases are consent, contract, legal obligation, vital interests, public task, and legitimate interests. When consent is used, it must be freely given, specific, informed, and unambiguous, and special-category data may require a separate Article 9 condition. The principles define the compliance standard, while the lawful basis explains why a specific activity is permitted.



3. Gdpr Compliance Duties for Businesses


GDPR creates strong rights for individuals and concrete duties for organizations, from answering access requests to appointing a DPO where required. These obligations are where most day-to-day compliance work happens. A practical checklist helps turn the rules into action.

The duties below recur for almost every covered business. Tracking them is the core of an ongoing compliance program.



What Rights Do Data Subjects Have under Gdpr?


Data subjects have broad rights over their personal data, exercised through data subject access requests, often called DSARs. Organizations generally must respond within one month, with limited extensions for complex or numerous requests.

RightGdpr ArticleWhat It Allows
AccessArticle 15See what personal data is held
RectificationArticle 16Correct inaccurate data
ErasureArticle 17Request deletion
RestrictionArticle 18Limit processing
PortabilityArticle 20Receive or move data
ObjectionArticle 21Object to certain processing

Handling DSARs properly is central to consumer data protection, because missed deadlines or improper denials can trigger complaints to supervisory authorities.



When Do You Need a Dpo or Eu Representative?


You need a data protection officer (DPO) when your core activities involve large-scale, regular monitoring of individuals or large-scale processing of sensitive data, under Articles 37 to 39, and public authorities generally need one too. The DPO oversees compliance and is the contact point for regulators.

Separately, a non-EU company within GDPR's scope may need an EU representative under Article 27. The two roles are different. Use the checklist below to see which compliance duties apply to your business.

Compliance AreaKey Question
ScopeDoes Article 3 apply to the business?
RoleAre you a controller, processor, or joint controller?
Lawful basisIs each activity tied to an Article 6 basis?
RecordsDo you keep Article 30 processing records where required?
DSARsCan you respond to requests on time?
DPO or representativeDo you need a DPO or an Article 27 representative?
Breach responseCan you report a breach within 72 hours if required?
TransfersAre SCCs, BCRs, DPF certification, or another tool in place?


4. Gdpr Breach Notice, Penalties, and Enforcement Risk


GDPR is backed by strict breach deadlines and some of the largest fines in privacy law. For businesses, this is where the regulation has real teeth. Missing a deadline or a duty here is a frequent cause of enforcement.

The breach clock and the penalty tiers are the two features that drive most urgency. Both reward preparation done before an incident.



How Quickly Must a Gdpr Data Breach Be Reported?


A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, under Article 33. If the breach poses a high risk to individuals, Article 34 also requires notifying them.

You must document the breach and your response even if you do not notify. A tested data breach response plan is what makes the 72-hour window realistic. Delay or failure to report can itself become a violation.



What Are the Gdpr Penalties and Enforcement Powers?


GDPR penalties are tiered under Article 83, with the higher tier reaching 20 million euros or 4 percent of total worldwide annual turnover, whichever is greater. Fines can apply to global revenue, not just EU revenue.

TierMaximum FineTypical Violations
Lower10 million euros or 2% of global turnoverRecords, security, DPO duties
Higher20 million euros or 4% of global turnoverCore principles, consent, rights, transfers

Beyond fines, supervisory authorities can order a company to stop processing data, and individuals may seek compensation under Article 82. The combined exposure makes proactive cybersecurity and data privacy planning worthwhile.



5. Gdpr International Data Transfers and Legal Review


GDPR tightly controls sending personal data outside the EU, and for US companies this is often the hardest part. Transfers are only allowed through an approved mechanism under Chapter V. Getting this wrong can halt data flows that a business depends on.

The transfer rules also shift over time, so they need ongoing attention. This is the area where early legal review tends to pay off most.



How Can Us Companies Legally Transfer Eu Data after Schrems Ii?


US companies can transfer EU personal data only through an approved mechanism, such as standard contractual clauses (SCCs), binding corporate rules, an adequacy decision, or certification under the EU-US Data Privacy Framework. The Data Privacy Framework is a route for participating, certified US companies, not an automatic exemption for every business.

After the Court of Justice's Schrems II decision in 2020 invalidated the prior Privacy Shield, companies relying on SCCs or BCRs should assess the destination country's legal environment, document a transfer impact assessment, and consider supplementary measures where needed. Mapping data flows is the foundation of global data compliance.



When Should a Business Seek Gdpr Compliance Counsel?


Seek GDPR compliance counsel when you are unsure whether GDPR applies, before launching EU-facing services, after a suspected breach, or when you receive a complaint or regulator inquiry. Early advice helps confirm scope, fix gaps, and avoid statements that create exposure.

Bring your data map, processing records, vendor contracts, privacy notices, and any regulator correspondence. Because breach deadlines are short and fines can reach global turnover, acting early is one of the best ways to limit risk.



6. General Data Protection Regulation: Key Gdpr Compliance Questions


Companies handling EU data face a lot of practical questions about whether GDPR applies and what it requires. These quick answers cover scope, roles, the DPO, breach deadlines, penalties, and data transfers.



What Is the General Data Protection Regulation in Simple Terms?


The General Data Protection Regulation (GDPR) is the EU's data privacy law that controls how organizations handle the personal data of people in the EU. It gives individuals rights over their data and requires businesses to process it lawfully, securely, and transparently, with heavy fines for violations.



) Do Us Companies Need an Eu Representative under Gdpr?


Sometimes. A non-EU company that falls within GDPR's scope may need to appoint an EU representative under Article 27 as a local contact point, unless an exemption applies. This is separate from the DPO role, and a business may need to assess both obligations.



What Is a Dpo under Gdpr?


A DPO, or data protection officer, oversees an organization's GDPR compliance and serves as the contact for regulators and data subjects. A DPO is required for large-scale monitoring, large-scale processing of sensitive data, and for public authorities, under Articles 37 to 39.



How Quickly Must a Gdpr Breach Be Reported?


A personal data breach must generally be reported to the supervisory authority within 72 hours of becoming aware of it, under Article 33. If the breach poses a high risk to individuals, they must usually be notified too, and the incident must be documented either way.



What Are the Maximum Gdpr Fines?


The maximum GDPR fine is 20 million euros or 4 percent of total worldwide annual turnover, whichever is higher, under Article 83. A lower tier caps fines at 10 million euros or 2 percent. Regulators can also order a company to stop processing and individuals may seek compensation.


04 Nov, 2025


The information provided in this article is for general informational purposes only and does not constitute legal advice. Prior results do not guarantee a similar outcome. Reading or relying on the contents of this article does not create an attorney-client relationship with our firm. For advice regarding your specific situation, please consult a qualified attorney licensed in your jurisdiction.
Certain informational content on this website may utilize technology-assisted drafting tools and is subject to attorney review.

Online Consultation
Phone Consultation