Here’s a comprehensive list of what a U.S. company needs to do to be GDPR-compliant when selling products in Europe (i.e., offering goods/services to individuals in the EU/EEA or monitoring their behavior):
1. Determine Applicability
- Confirm if GDPR applies (e.g., you’re targeting EU customers with products, language, currency, or shipping options).
- Even without a physical presence in the EU, you’re subject to GDPR if you collect or process EU personal data.
2. Appoint a Representative in the EU
- If you don’t have an EU establishment, you likely need to appoint a GDPR Article 27 representative located in the EU.
- This person/entity acts as a point of contact for regulators and data subjects.
3. Update Your Privacy Policy
- Include:
  - Legal basis for data processing
  - Purpose of data use
  - Data retention periods
  - Rights of EU users (access, deletion, portability, etc.)
  - Contact details of your EU representative and DPO (if applicable)
4. Identify Lawful Basis for Processing
- Determine a legal basis for processing EU personal data (e.g., consent, contract, legitimate interests).
5. Obtain Valid Consent Where Required
- Consent must be:
  - Freely given, specific, informed, and unambiguous
  - Obtained via opt-in (not pre-ticked boxes)
  - Easy to withdraw
6. Implement Cookie Consent Tools
- Install a GDPR-compliant cookie banner:
  - Block non-essential cookies until consent is given
  - Provide clear cookie categories and preferences
  - Log user consents
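The three requirements above (block by default, explicit per-category opt-in, a consent log) are easy to get wrong in a hand-rolled banner. The following is an added example, not code from the original checklist or from any consent-management product, showing the core logic as plain functions so it can be tested without a browser. All names (POLICY_VERSION, CATEGORIES, recordConsent, isAllowed, the data-consent attribute convention) are this example's own assumptions.

```javascript
// Added example (not from the original checklist): a minimal consent gate for
// non-essential cookies and scripts. All identifiers here are hypothetical.

// Hypothetical policy version; bump it whenever the cookie policy text changes,
// so that consent given under an older policy no longer counts.
const POLICY_VERSION = '2024-06-01';

// Categories presented to the user. 'necessary' needs no consent and cannot be refused.
const CATEGORIES = Object.freeze({
  necessary: { essential: true, label: 'Strictly necessary' },
  analytics: { essential: false, label: 'Analytics' },
  marketing: { essential: false, label: 'Marketing' },
});

// State before any decision: no version, no timestamp, every non-essential category blocked.
function createConsentState() {
  return { version: null, decidedAt: null, choices: {} };
}

// Records a decision. Only an explicit `true` counts as opt-in; an absent or false
// choice leaves the category blocked (no pre-ticked defaults). Returns the new state
// and a log entry recording what was chosen, under which policy version, and when.
function recordConsent(state, choices, now = new Date()) {
  const accepted = {};
  for (const name of Object.keys(CATEGORIES)) {
    accepted[name] = CATEGORIES[name].essential || choices[name] === true;
  }
  const next = { version: POLICY_VERSION, decidedAt: now.toISOString(), choices: accepted };
  const logEntry = { event: 'consent', policyVersion: POLICY_VERSION, at: next.decidedAt, choices: { ...accepted } };
  return { state: next, logEntry };
}

// Withdrawal must be as easy as consent: one call returns to the blocked-by-default state.
function withdrawConsent(now = new Date()) {
  const logEntry = { event: 'withdraw', policyVersion: POLICY_VERSION, at: now.toISOString() };
  return { state: createConsentState(), logEntry };
}

// The gate every non-essential cookie or script passes through. Essential categories are
// always allowed; anything else needs an explicit opt-in given under the current policy.
function isAllowed(state, category) {
  const def = CATEGORIES[category];
  if (!def) return false;                             // unknown category: fail closed
  if (def.essential) return true;
  if (state.version !== POLICY_VERSION) return false; // missing or stale consent
  return state.choices[category] === true;
}

// The banner must be shown when there is no decision, or the policy changed since it.
function needsPrompt(state) {
  return state.version !== POLICY_VERSION;
}

// Browser glue: tags written as <script type="text/plain" data-consent="analytics">
// are inert until their category is allowed, then swapped for a live script element.
// Returns the number of scripts activated; does nothing when there is no DOM (e.g. Node).
function activateAllowedScripts(state, doc = (typeof document !== 'undefined' ? document : null)) {
  if (!doc) return 0;
  let activated = 0;
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!isAllowed(state, tag.dataset.consent)) continue;
    const live = doc.createElement('script');
    if (tag.src) live.src = tag.src; else live.textContent = tag.textContent;
    tag.replaceWith(live);
    activated += 1;
  }
  return activated;
}
```

The design point is that the default state blocks everything non-essential, so a bug in the banner's UI fails closed rather than open, and that the log entry carries the policy version so you can later show which wording a user agreed to. The consent log would be persisted server-side (or at least in a first-party cookie) by the caller; that persistence is outside this example.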
7. Enable Data Subject Rights
You must provide tools or processes to allow EU users to:
- Access their data
- Request correction or deletion
- Restrict or object to processing
- Port their data to another provider
8. Ensure Cross-Border Data Transfer Compliance
- If transferring personal data from the EU to the U.S., you must use:
  - Standard Contractual Clauses (SCCs)
  - Or self-certify under the EU-U.S. Data Privacy Framework (DPF)
9. Sign Data Processing Agreements (DPAs)
- If you use third-party vendors (e.g., email marketing, hosting) that process EU personal data on your behalf, you need DPAs with them.
10. Conduct a Data Protection Impact Assessment (DPIA)
- Required if your data processing is likely to pose a high risk to individuals (e.g., profiling, large-scale sensitive data).
11. Implement Security Measures
- Ensure data security through:
  - Encryption
  - Access controls
  - Secure hosting
  - Regular vulnerability checks
12. Appoint a Data Protection Officer (DPO) (if required)
- Required if:
  - You carry out large-scale monitoring or process special categories of data
  - Your core activities require regular and systematic monitoring of individuals
13. Maintain Records of Processing Activities (ROPA)
- Required unless you’re a small organization with low-risk processing
- Must document:
  - What data you collect
  - Why and how it’s processed
  - With whom it’s shared
  - How it’s protected
14. Prepare for Data Breaches
- Have a breach response plan
- Notify the competent EU data protection authority within 72 hours of becoming aware of a breach
- Inform affected individuals if there’s a high risk to their rights/freedoms
15. Train Staff
- Anyone who handles EU personal data should understand GDPR basics and know how to recognize and report issues.
Please note that this checklist is for educational purposes only. You should consult legal counsel to ensure that you’re in full compliance.