How does GDPR affect international businesses and their data practices?

The General Data Protection Regulation (GDPR) has reshaped the global landscape of data privacy. Introduced by the European Union (EU) in May 2018, GDPR establishes strict rules for the collection, processing, storage, and transfer of personal data. While its origins are European, the regulation’s impact is global—particularly for international businesses that collect or manage data from individuals located in the EU.

What Is GDPR?

GDPR is a legal framework that governs how organizations handle personal data of EU residents. Personal data includes any information that can identify a person, such as names, emails, addresses, IP addresses, and even cookies. The regulation emphasizes transparency, accountability, and user control, granting individuals more power over their personal information.

Key principles under GDPR include:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

Does GDPR Apply to U.S. or Non-EU Businesses?

Yes. Any business that markets, sells, or monitors behavior of individuals in the EU must comply with GDPR—even if the company is not physically located within the EU. This includes:

  • E-commerce sites shipping to EU countries
  • SaaS platforms collecting data from EU users
  • Businesses using cookies to track EU website visitors
  • Companies that offer services (free or paid) to EU citizens

As a result, U.S.-based businesses, including those in San Diego and across California, are subject to GDPR if they process data from EU residents.

What Are the Key GDPR Obligations for International Businesses?

1. Obtaining Valid Consent

GDPR requires clear, affirmative action from users before collecting their data. Pre-checked boxes and implied consent are no longer valid. Consent must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous
  • Easy to withdraw

Businesses must also keep records of when and how consent was obtained.

2. Data Subject Rights

GDPR gives individuals control over their personal information. Businesses must ensure mechanisms are in place to comply with these rights:

  • Right to access – Individuals can request access to their data.
  • Right to be forgotten – Users may request deletion of their data.
  • Right to rectification – Data subjects can request corrections to inaccurate information.
  • Right to restrict processing – Users can limit how their data is used.
  • Right to data portability – Users can ask to receive their data in a machine-readable format.
  • Right to object – Individuals can object to data processing for direct marketing purposes.

3. Data Protection Officers (DPO)

Certain businesses must appoint a DPO. This applies to organizations that:

  • Process large-scale sensitive data
  • Monitor data subjects systematically on a large scale
  • Are public authorities or bodies

The DPO serves as a liaison between the business and data protection authorities and is responsible for ensuring internal compliance.

4. Data Breach Notification

Companies must report data breaches to the appropriate supervisory authority within 72 hours of discovery. If the breach poses a high risk to individuals’ rights and freedoms, those individuals must also be notified without delay.

5. Data Transfers Outside the EU

When transferring personal data outside the EU, businesses must ensure that adequate protections are in place. This includes:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Privacy Shield alternatives (since the original was invalidated by the EU Court of Justice)

Non-compliance in data transfers can lead to severe penalties, even if the business is not based in the EU.

6. Privacy by Design and Default

GDPR mandates that data protection measures be built into the systems and processes from the beginning—not added later. This means:

  • Limiting data collection to what is necessary
  • Ensuring security measures like encryption
  • Restricting data access to authorized personnel only

Privacy by default ensures only necessary data is processed for each specific purpose.

What Are the Risks of Non-Compliance?

The penalties for failing to comply with GDPR are significant:

  • Fines up to €20 million or 4% of global annual revenue, whichever is higher
  • Reputational damage
  • Loss of consumer trust
  • Potential lawsuits from affected individuals

For smaller businesses, these consequences can be especially damaging and even fatal to operations.

Practical Steps to Ensure Compliance

International businesses should take proactive steps to comply with GDPR. These include:

  1. Data Mapping – Identify what personal data is collected, where it is stored, how it is processed, and who has access.
  2. Policy Updates – Revise privacy policies and terms of service to reflect GDPR requirements.
  3. Cookie Banners and Consent Tools – Install proper cookie consent management systems to get valid consent for tracking.
  4. Third-Party Vendor Review – Ensure vendors (e.g., email platforms, analytics tools) also comply with GDPR.
  5. Employee Training – Train staff on data protection, handling data subject requests, and breach protocols.
  6. Implement Security Protocols – Use encryption, multi-factor authentication, firewalls, and access controls.
  7. Create a Breach Response Plan – Know who is responsible for detecting, reporting, and managing a breach.

The Intersection of GDPR and U.S. Law

Although the U.S. does not have a federal data protection law as comprehensive as GDPR, several states are introducing privacy laws that resemble its principles. For instance:

  • California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), offer transparency, access, and deletion rights.
  • The Virginia Consumer Data Protection Act (VCDPA) and Colorado Privacy Act (CPA) reflect similar consumer protections.

As more states adopt these models, businesses must prepare for a patchwork of regulations across jurisdictions. Aligning data practices with GDPR can serve as a comprehensive foundation for compliance across multiple markets.

How We Can Help

At the Law Office of Kris Mukherji, APC, we help businesses navigate complex regulatory environments with clarity and confidence. Whether you operate locally in San Diego or internationally, we offer tailored legal strategies that ensure compliance with data protection laws such as GDPR, CCPA, and others. We assist with:

  • Drafting and reviewing privacy policies
  • Vendor contract compliance
  • Risk assessments and internal audits
  • Breach response planning
  • Employee training and compliance checklists

Our firm combines deep legal insight with personalized service to protect your operations, your customers, and your reputation. We offer free case consultations to help you understand where your business stands and what steps you need to take next.

Reach out today to ensure your business is protected in the digital age. Smart data practices aren’t just about avoiding fines; they’re about building trust that lasts.