Is GDPR relevant for your US-based tech startup?

Learn about the pivotal EU law that could affect how your company approaches customer data protection and privacy.

October 19, 2022

A graphic of a green gradient background.

When the EU’s General Data Protection Regulation (GDPR) was passed in May 2018, companies of all sizes rushed to revisit their data and privacy compliance against the new privacy regulations.  

Since then, the GDPR continues to steer one of the most critical shifts in data protection across the globe. 

How does GDPR affect US-based companies? 

If you have any customers or users located in the EU, your company is required to be GDPR compliant.  

The GDPR applies to all companies that process the personal data of anyone living in the EU, regardless of the actual company’s location.  

GDPR Article 29 states that companies under 250 employees may need to comply with the regulations if they: 

  • Process data that could risk/affect the rights and freedoms of individuals 
  • Process personal data on a regular basis 
  • Process data which is covered by Article 9 of the GDPR 

While the exact jurisdiction of GDPR is notably ambiguous, the practical implications are that all companies can be potentially identified as a processor of personal data. 

Steps to ensure GDPR compliance 

Despite the waves created by GDPR, there are concrete steps a business can take to shield itself from non-compliance penalties. These include: 

  • Updating individual data consent and disclosures 
  • Updating privacy notices 
  • Applying transparency, documentation, and evidentiary compliance in key operations 
  • Auditing and documenting lawful and legitimate access to user data 
  • Implementing annual audits to verify compliance 


Outsource for faster GDPR compliance 

Ignoring data and privacy compliance leaves an entire organization at risk. Lay the foundation for business growth and avoid problems down the road by implementing a privacy solution as soon as possible. This is especially important given the retroactive nature of some sections in the GDPR legislation. 

To help companies secure full compliance, a trusted digital security platform can help with the following processes: 

  • Implement right of consent notices 
  • Document data flows 
  • Establish and publish privacy policies 
  • Prescribe and enforce employee controls  
  • Demonstrate transparency to partners and end users 

Learn more about gaining compliance by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.      

You may also like


Privacy Management

Privacy in practice: PIA & DPIA with PA Consulting

Join OneTrust and PA Consulting as we discuss what makes an effective PIA, best practices, and the benefits of automation.

September 21, 2023

Learn more


Privacy & Data Governance

Privacy in practice for data mapping: With PA Consulting and Syngenta

Join OneTrust and panelists from PA Consulting and Syngenta as we explore practical ways to build an effective data mapping program, best practices, and the need for automation.

September 14, 2023

Learn more


Governance & Policy Management

EU-US DPF: What next for UK businesses?

Join our expert webinar as we discuss the upcoming UK-US DPF Extension and what UK businesses need to prepare to become DPF-certified.

September 06, 2023

Learn more