GDPR for US-Based SMBs: When It Applies and How to Comply
The EU’s General Data Protection Regulation (GDPR) can apply to a US-based small business even if you have no office, staff, or legal entity in Europe. The trigger is not where your company sits — it’s whether you offer goods or services to people in the EU or monitor their behavior. If you knowingly sell to EU customers, run an EU-facing website that takes orders, or track EU visitors with analytics and ads, GDPR likely reaches you. If you only get the occasional EU visitor and don’t target that market, it usually doesn’t.
That distinction matters because GDPR for US small business owners is often misunderstood in both directions: some assume an American company is automatically exempt, others panic and over-invest. The reality sits in between, and the path to compliance is more manageable than the regulation’s reputation suggests.
When GDPR applies to a US company
GDPR’s reach is defined by Article 3, which extends the law to organizations outside the EU under two conditions.
You offer goods or services to people in the EU
This is about intent to target, not accidental access. A US SaaS company that lets EU businesses sign up, prices in euros, ships to EU addresses, offers a German-language site, or runs ads aimed at European users is offering goods or services to people in the EU. A purely domestic US shop that happens to get a visitor from Spain is not. Regulators look at signals of targeting: currency, language, country-specific domains, EU shipping options, and marketing aimed at EU audiences. Note that a payment isn’t required — a free service that targets EU users can still be in scope.
You monitor the behavior of people in the EU
If you track how individuals in the EU behave online — behavioral advertising, profiling, or cookie-based analytics that follow users and build usage profiles — you fall under GDPR for that activity even without selling anything. Many US SMBs trip this wire purely through their marketing stack.
A key point: GDPR protects people physically in the EU (data subjects), not “EU citizens” specifically. An American traveling in the US is generally outside scope; a US green-card holder living in Berlin is inside it. The UK has its own near-identical regime (UK GDPR) post-Brexit, so EU and UK obligations often travel together.
What GDPR actually requires
GDPR is built on a set of principles and individual rights. You don’t need to memorize all 99 articles, but you do need to operationalize a handful of obligations.
A lawful basis for processing
Every time you process personal data you need one of six lawful bases under Article 6 — most commonly consent, contract (you need the data to deliver your service), or legitimate interests. You should know and document which basis applies to each processing activity. For marketing cookies and tracking, valid consent generally means a clear opt-in, not pre-ticked boxes.
Transparency and individual rights
You must tell people what you collect and why through a clear privacy notice, and you must honor data-subject rights: access, rectification, erasure (“right to be forgotten”), restriction, portability, and objection. Requests generally must be answered within one month. Practically, you need a defined intake (an email alias or form) and a repeatable internal process to find, export, or delete someone’s data across your systems.
Data minimization, security, and records
Collect only what you need, keep it only as long as you need it, and protect it with appropriate technical and organizational measures. Article 30 requires records of processing activities (a ROPA) — essentially a data inventory of what you hold, why, where it lives, and who you share it with. There’s a limited carve-out for organizations under 250 employees, but it falls away as soon as your processing isn’t occasional or touches special-category data, so in practice most companies actively serving EU customers should keep a ROPA. This inventory is the foundation everything else rests on.
Breach notification
If a personal-data breach poses a risk to individuals, you generally must notify the relevant EU supervisory authority within 72 hours of becoming aware (Article 33), and notify affected individuals when the risk is high. The clock starts when you become aware — not when your investigation finishes — so you need an incident process that can actually meet it.
The US-specific obligations people miss
Two GDPR requirements catch American SMBs off guard because they have no domestic equivalent.
An EU (and UK) representative
If GDPR applies to you and you have no establishment in the EU, Article 27 generally requires you to appoint a representative located in an EU member state to act as a contact point for individuals and regulators. There’s a narrow exemption for occasional, low-risk processing, but most US companies actively serving EU customers don’t qualify. The UK requires a separate UK representative. Third-party services provide this for a modest annual fee, and the representative’s contact details must appear in your privacy notice.
International data transfers
When EU personal data flows to the US, you need a valid transfer mechanism. As of 2026, the main options are the EU-US Data Privacy Framework (DPF) — a self-certification program administered through the US Department of Commerce that lets certified US companies receive EU data — or Standard Contractual Clauses (SCCs) in your contracts, often paired with a transfer impact assessment. The DPF is valid today, but it has faced legal challenge (an appeal was pending before the EU courts in 2026) and earlier US-EU frameworks were struck down, so keeping SCCs available as a fallback is prudent. Your cloud and SaaS vendors should already support SCCs; your job is to confirm they’re in place and documented.
Data Processing Agreements with your vendors
Under Article 28, when another company processes personal data on your behalf (your email platform, CRM, analytics, hosting, payroll), you must have a Data Processing Agreement (DPA) governing that relationship. Reputable vendors publish a standard DPA you can accept; smaller or custom vendors may need one drafted. Tracking which subprocessors touch EU data — and confirming each has a DPA and a transfer mechanism — is where vendor risk management and GDPR overlap directly. If you already run a lightweight third-party risk management (TPRM) program, fold GDPR checks into it rather than building a parallel process.
A practical compliance path for SMBs
You don’t need an enterprise privacy program. You need the core controls done honestly and kept current.
- Confirm scope. Document whether and where GDPR applies based on Article 3. Don’t assume; write down the reasoning.
- Build a data inventory (ROPA). List the personal data you collect, why, your lawful basis, where it’s stored, retention periods, and who you share it with.
- Fix the front door. Publish a clear, accurate privacy notice and implement compliant cookie consent if you track EU users.
- Paper the vendors. Get DPAs and valid transfer mechanisms (DPF or SCCs) in place for every processor handling EU data.
- Appoint representatives. Engage an EU representative (and UK representative if applicable) unless you clearly qualify for the exemption.
- Operationalize rights and breaches. Stand up a data-subject-request process and a 72-hour breach response, and assign an owner.
- Keep evidence. Retain your ROPA, DPAs, consent records, and request logs so you can demonstrate accountability — GDPR requires you to show compliance, not just achieve it.
Much of this overlaps with frameworks you may already be pursuing. The access controls, vendor reviews, and incident response behind SOC 2 and ISO 27001 cover a large share of GDPR’s security expectations, so mature controls in one framework reduce the lift in another. Treating privacy as part of one continuous control monitoring program — rather than a separate annual scramble — is what keeps GDPR sustainable as you grow.
Conclusion
GDPR applies to US SMBs more often than founders expect, but it rarely requires the heavy machinery the regulation’s penalties imply. Nail the fundamentals — scope, data inventory, lawful basis, transparency, vendor DPAs, transfer mechanisms, and an EU representative — and keep evidence that you’re doing them. The goal isn’t perfection; it’s a defensible, documented program you can maintain as the EU and UK rules continue to evolve.
If you’re managing GDPR alongside SOC 2, HIPAA, ISO 27001, or PCI, Forteri is a multi-framework compliance platform built for SMBs priced out of enterprise tools — it centralizes your data inventory, policies, vendor DPAs, and evidence so overlapping controls are tracked once instead of rebuilt for each framework. Whether you use a platform or a spreadsheet, start with scope and your data inventory — everything else follows from knowing what you hold and why.
Frequently asked questions
Does GDPR apply to US companies with no EU office?
What happens if a small US business ignores GDPR?
Do I need an EU representative?
Is GDPR the same as CCPA or other US state privacy laws?
How long does GDPR compliance take for a small business?