GDPR Compliance Checklist for U.S. Companies

Here’s a comprehensive list of what a U.S. company needs to do to be GDPR-compliant when selling products in Europe (i.e., offering goods/services to individuals in the EU/EEA or monitoring their behavior):


1. Determine Applicability

  • Confirm if GDPR applies (e.g., you’re targeting EU customers with products, language, currency, or shipping options).
  • Even without a physical presence in the EU, you’re subject to GDPR if you collect or process EU personal data.

2. Appoint a Representative in the EU

  • If you don’t have an EU establishment, you likely need to appoint a GDPR Article 27 representative located in the EU.
    • This person/entity acts as a point of contact for regulators and data subjects.

3. Update Your Privacy Policy

  • Include:
    • Legal basis for data processing
    • Purpose of data use
    • Data retention periods
    • Rights of EU users (access, deletion, portability, etc.)
    • Contact details of your EU representative and DPO (if applicable)

4. Identify Lawful Basis for Processing

  • Determine a legal basis for processing EU personal data (e.g., consent, contract, legitimate interests).

  • Consent must be:
    • Freely given, specific, informed, and unambiguous
    • Obtained via opt-in (not pre-ticked boxes)
    • Easy to withdraw

  • Install a GDPR-compliant cookie banner:
    • Block non-essential cookies until consent is given
    • Provide clear cookie categories and preferences
    • Log user consents

7. Enable Data Subject Rights

You must provide tools or processes to allow EU users to:

  • Access their data
  • Request correction or deletion
  • Restrict or object to processing
  • Port their data to another provider

8. Ensure Cross-Border Data Transfer Compliance

  • If transferring personal data from the EU to the U.S., you must use:
    • Standard Contractual Clauses (SCCs)
    • Or participate in a valid EU-U.S. Data Privacy Framework (DPF)

9. Sign Data Processing Agreements (DPAs)

  • If you use third-party vendors (e.g., email marketing, hosting) that process EU personal data on your behalf, you need DPAs with them.

10. Conduct a Data Protection Impact Assessment (DPIA)

  • Required if your data processing is likely to pose a high risk to individuals (e.g., profiling, large-scale sensitive data).

11. Implement Security Measures

  • Ensure data security through:
    • Encryption
    • Access controls
    • Secure hosting
    • Regular vulnerability checks

12. Appoint a Data Protection Officer (DPO) (if required)

  • Required if:
    • You carry out large-scale monitoring or process special categories of data
    • Your core activities require regular and systematic monitoring of individuals

13. Maintain Records of Processing Activities (ROPA)

  • Required unless you’re a small organization with low-risk processing
  • Must document:
    • What data you collect
    • Why and how it’s processed
    • With whom it’s shared
    • How it’s protected

14. Prepare for Data Breaches

  • Have a breach response plan
  • Notify EU data protection authorities within 72 hours if a breach occurs
  • Inform affected individuals if there’s a high risk to their rights/freedoms

15. Train Staff

  • Anyone who handles EU personal data should understand GDPR basics and know how to recognize and report issues.

Please note, this checklist is for educational purposes only. You should contact a legal representative to ensure that you’re in full compliance.

More Articles
  • A tranquil scene of Canadian Geese flying in formation against a clear sky in Decatur, Alabama.

    How to Migrate a Magento Commerce Website to WordPress and WooCommerce: A Step-by-Step Guide

    If your Magento Commerce website has become expensive to maintain, difficult to customize, or more complex than your business needs, you’re not alone. Many businesses are making the move to WordPress and WooCommerce to reduce costs, simplify website management, and gain greater flexibility for content marketing and SEO. A successful migration requires more than simply…

  • Close-up of a bright yellow disabled symbol on textured asphalt, indicating accessibility.

    Website Accessibility Review Workflow

    Version: 1.0Standard: WCAG 2.2 AAAudience: Web Developers, QA Testers, UI Designers Phase 1 – Automated Accessibility Scan Goal: Find common accessibility issues before manual testing. Checklist ☐ Run an accessibility scan on every page template. ☐ Review all reported errors. ☐ Fix high-impact issues first: ☐ Re-run scan until no critical issues remain. Recommended Tools…

  • accessible parking spot comparing ADA rules to WCAG rules

    What Is the Industry Standard Website Scanner for WCAG Compliance?

    If you’re trying to make your website accessible, one of the first questions you’ll probably ask is: “What’s the industry-standard scanner for WCAG compliance?” The short answer is: there isn’t just one. While several excellent accessibility scanners exist, no automated tool can certify that a website is fully compliant with the Web Content Accessibility Guidelines…