In today’s business environment, data moves across borders faster than most organizations can track it. Whether a company operates in Seattle, Chicago, or Berlin, its privacy obligations rarely stop at the water’s edge. That reality is largely due to the European Union’s General Data Protection Regulation (GDPR), which, even seven years after going into effect, still shapes global privacy standards in profound ways.
GDPR Explained
At its core, the GDPR regulates how organizations collect, use, store, and share personal data about individuals in the European Union. Personal data under the GDPR includes any information that can identify a person: names, emails, IP addresses, device IDs, location coordinates, biometric information, and more.
Julian Schneider of the University of California, San Francisco Law School highlights the philosophical roots of the law, explaining that “the GDPR is built on the idea that privacy is a fundamental human right, not just a business obligation.” Schneider’s point helps explain the regulation’s broad reach.
The law’s territorial scope means companies can be subject to GDPR even with no physical presence in Europe. If a US company markets products to EU residents or monitors the online behavior of EU users, GDPR obligations apply.
The Basics of GDPR Compliance
Seven Foundational Principles
Article 5 of the GDPR sets out seven foundational principles:
- Lawfulness, fairness & transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity & confidentiality
- Accountability
“Data minimization should be in neon lights above every privacy program. The less you collect, the less you can mishandle,” advises Alex Sharpe of Sharpe Management Consulting LLC.
All seven foundational principles, including ‘data minimization,’ frame the day-to-day decisions companies must make regarding notices, record keeping, retention, and security controls.
Controllers, Processors, and Data Subjects
The GDPR distinguishes between three major roles:
- Data subjects: individuals whose data is processed
- Controllers: the entities determining why and how personal data is processed
- Processors: vendors or third parties acting on the controller’s behalf
Before processing any personal data, controllers must identify at least one lawful basis:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interest
Gabriel Buehler of Buehler Law, PLLC, stresses that poor consent practices are a major risk area. “Most companies underestimate the documentation burden, i.e., policies, audits, transfer assessments, until they’re in the middle of it,” he notes, adding that consent obtained through bundled disclosures or so-called ‘dark patterns’ is unlikely to meet GDPR standards.
Data Subject Rights
GDPR gives individuals strong rights over their personal data, including:
- Right of access
- Right to erasure (‘right to be forgotten’)
- Right to data portability
- Right to restrict or object to processing
- Rights relating to automated decision-making
For US companies, the operational challenge is creating workflows to validate identities, collect data from internal systems, and deliver responses within the required timeframes.
Privacy by Design and Default
Article 25 requires organizations to incorporate privacy into the design of their systems, products, and internal processes. This includes:
- Minimizing collection
- Restricting access
- Embedding security into the architecture
- Planning retention and deletion up front
Here, Alex Sharpe warns that organizations overcomplicate compliance when the fundamentals matter most, remarking that many companies “try to get clever instead of keeping systems simple, transparent, and user-focused.”
Compliance Complications
The US Patchwork Problem
Unlike the EU, which has a comprehensive data-protection framework, the United States relies on a mix of sector-specific federal laws and a rapidly expanding network of state privacy statutes. This results in a regulatory environment that is both fragmented and unpredictable.
Currently, 20 states have passed consumer data privacy laws, including California, Virginia, and Colorado. Each includes familiar GDPR-style rights like access, deletion, correction, and portability, but they vary significantly in scope, terminology, and enforcement standards.
Here, organizations can struggle as each new law forces them to ‘bolt on’ new compliance requirements rather than addressing privacy holistically. To address this, many companies are shifting to a ‘highest watermark’ strategy, adopting GDPR-level controls as the baseline, with state-specific requirements added as overlays. This approach reduces long-term compliance burdens and positions companies to adapt more smoothly as additional states inevitably pass privacy laws in the coming years.
Cross-Border Data Transfers
Cross-border data transfers remain one of the most complex and fast-changing aspects of GDPR compliance. For organizations operating in the US, this is often the single most challenging area because it involves both EU privacy law and US national-security laws.
Generally, the GDPR prohibits transferring personal data outside the EU unless the receiving country ensures an adequate level of protection. The Court of Justice of the European Union (CJEU) has repeatedly scrutinized whether US surveillance laws provide such protection, which is why two major frameworks, Safe Harbor and Privacy Shield, were struck down in the Schrems I and Schrems II decisions, respectively.
The EU–US Data Privacy Framework, adopted in 2023, restored an official adequacy mechanism for certified US organizations. This eased some pressure, but not all. Not every company can or will certify under the new program, and even those that do must still implement technical safeguards, such as encryption, access controls, and strict data-minimization practices.
Ultimately, the challenge is not just choosing a valid transfer mechanism but maintaining continuous oversight. From cloud storage to HR platforms to marketing analytics, nearly every modern business tool involves processing data across borders, meaning organizations must stay alert to evolving regulatory expectations.
Enforcement and Real-World Stakes
GDPR enforcement has matured significantly since 2018. While large fines capture headlines, companies should pay equal attention to the trends behind the penalties, which reveal how regulators are prioritizing risks.
The largest fines, such as Amazon’s €746 million penalty for unlawful advertising practices, signal the EU’s willingness to confront ‘Big Tech.’ That said, regulators can and will target mid-size companies for inadequate consent practices, weak security measures, employee snooping incidents, or overly long retention periods.
As part of enforcement efforts, regulators can issue non-monetary corrective orders, such as requiring a company to:
- Stop processing a category of data
- Rewrite its privacy notices
- Conduct a DPIA (Data Protection Impact Assessment)
- Overhaul vendor contracts
- Implement new security measures
- Delete entire datasets collected unlawfully
For many organizations, these corrective actions can be just as disruptive as fines, or more so. Rebuilding internal processes, replacing a CRM system, or redesigning an analytics stack can be costly and time-consuming.
Preparing for the Future
Global privacy regulation is expanding, and new EU regulations, including the EU AI Act and Digital Operational Resilience Act (DORA), are raising expectations around transparency, cybersecurity, and risk management. Privacy is treated as a right in the EU, and companies that adopt that mindset tend to build stronger trust with customers and partners.
For US companies, GDPR compliance is no longer just an international legal issue; it’s a roadmap for modern data governance. Transparent practices, data minimization, strong record keeping, and privacy-by-design principles can strengthen customer trust while reducing business risk.
To learn more about this topic, view Introduction to EU General Data Protection Regulation Planning Implementation and Compliance. The quoted remarks referenced in this article were made either during this webinar or shortly thereafter during post-webinar interviews with the panelists. Readers may also be interested in reading other articles about cybersecurity.
This article was originally published here.
©2025. DailyDAC™, LLC d/b/a Financial Poise™. This article is subject to the disclaimers found here.
