What is GDPR? A Complete Guide for US Companies

9 minute read
Intermediate

GDPR (the EU General Data Protection Regulation, Regulation (EU) 2016/679, in force since 25 May 2018) is the EU's data protection law. It applies to organizations established in the EU and, regardless of where they are located, to any organization that offers goods or services to individuals in the EU or monitors their behaviour (Article 3). Learn what GDPR requires, how penalties are structured, and what US companies must do.

What GDPR Requires

Lawful Basis for Processing

GDPR requires that every processing of personal data rest on one of six lawful bases (Article 6): consent, performance of a contract, legal obligation, vital interests, public task, or legitimate interests. Consent is the most commonly cited basis but also the most operationally demanding: it must be freely given, specific, informed and unambiguous, given by a clear affirmative act (pre-ticked boxes do not count), and it can be withdrawn at any time, with withdrawal as easy as giving it. Organizations relying on consent must be able to demonstrate it, so they need records of who consented, to what, when and how, and a process that stops the processing promptly when consent is withdrawn. Legitimate interests is the most flexible basis but requires a documented balancing test in which the individual's reasonable expectations weigh heavily. Special categories of data (health, biometrics, religion, sexual orientation and so on) additionally require one of the narrower conditions in Article 9.

Data Subject Rights

GDPR grants individuals whose data is processed (data subjects) extensive rights: access to their data (Article 15), rectification of inaccurate data, erasure (the "right to be forgotten", Article 17), restriction of processing, data portability, objection to processing, and the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects (Article 22). Organizations must respond to a request within one month, extendable by up to two further months for complex or numerous requests if the individual is told within the first month. Erasure is not absolute (it does not apply where the data is needed to meet a legal obligation or to establish or defend legal claims, for example), but where it does apply the organization must be able to locate and delete the individual's data across every system that holds it, have a defensible position on backup copies, and pass the request on to processors and other recipients of the data. Verifying the requester's identity before disclosing or deleting data is itself a security control: an access request process that hands records to anyone who asks is a data exfiltration channel.

Breach Notification

GDPR requires a controller to notify the competent supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms (Article 33). If notification is late, the reasons for the delay must be given, and information may be supplied in phases where it is not all available at once. Where the breach is likely to result in a high risk to individuals, they must also be told without undue delay (Article 34). A processor that detects a breach must notify the controller without undue delay, and every breach, notified or not, must be recorded internally with its facts, effects and remedial action. The 72-hour clock starts at awareness, not at confirmation of the full scope, which is what makes this requirement so demanding for organizations without a mature incident response process: triage, severity assessment and a decision on notification have to happen inside the first three days.

GDPR Enforcement and Penalties

GDPR is enforced by the data protection authority (supervisory authority) of each EU and EEA member state; for cross-border processing, the authority where the organization has its main EU establishment acts as lead under the one-stop-shop mechanism, which is why Ireland's DPC handles many large US technology companies. Penalties are structured in two tiers (Article 83). The lower tier, up to €10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, applies to breaches of controller and processor obligations such as data protection by design and by default, records of processing, processor contracts, security of processing, breach notification and appointment of a DPO. The higher tier, up to €20 million or 4% of worldwide annual turnover, whichever is higher, applies to breaches of the basic processing principles including lawful basis and consent, data subject rights, international transfer restrictions, and non-compliance with an order from a supervisory authority. Turnover is assessed at the level of the undertaking, so a group's total revenue counts, not just the subsidiary that committed the infringement.

Total GDPR fines issued across the EU exceeded €4 billion by the end of 2023. Major fines include Meta's €1.2 billion penalty (Irish DPC, 2023) for transferring EU user data to the US without adequate safeguards, Amazon's €746 million fine (Luxembourg CNPD, 2021) for advertising targeting without valid consent, and WhatsApp's €225 million fine (Irish DPC, 2021) for transparency failures.

GDPR for PE Portfolio Companies

PE portfolio companies have GDPR obligations if they are established in the EU (an office, a subsidiary, EU employees) or, wherever they are incorporated, if they offer goods or services to individuals in the EU or monitor their behaviour, for example through analytics, ad tracking or profiling on an EU-facing website. What matters is the organization's establishment and who it targets, not where its servers or headquarters are. A US-incorporated SaaS company whose EU enterprise customers use it to process their employees' data is a processor under GDPR for that data: it must operate under Article 28 data processing agreements with those customers, implement appropriate security measures, and support the customers' data subject requests and breach notifications; it will usually also be a controller for its own customer, marketing and employee data. Non-EU organizations caught by the targeting or monitoring test generally must also appoint a representative in the EU (Article 27).

GDPR due diligence should assess whether: a Records of Processing Activities document exists and is current (Article 30); a Data Protection Officer has been appointed if required (Article 37), and an EU representative if the company is outside the EU (Article 27); data processing agreements are in place with every vendor that handles personal data, and with customers where the company acts as a processor; a lawful basis is documented for each processing purpose; personal data leaving the EU, including to the company's own US systems, is covered by a transfer mechanism such as Standard Contractual Clauses with a transfer impact assessment or Data Privacy Framework certification; a data subject request process exists that has actually been exercised, including verifying the requester's identity and locating data across all systems; and a breach notification process exists that can produce a regulator-ready assessment inside 72 hours and has been tested in a tabletop exercise. These questions reveal whether GDPR compliance is operational or aspirational.

Real-World Example: Meta's €1.2 Billion Fine — Largest GDPR Penalty

In May 2023, Ireland's Data Protection Commission fined Meta €1.2 billion, the largest GDPR fine to date, for continuing to transfer EU Facebook user data to the United States under Standard Contractual Clauses without supplementary measures the DPC considered adequate. The decision followed years of proceedings triggered by Austrian privacy activist Max Schrems, whose complaints produced the 2015 Schrems I ruling that struck down Safe Harbor and the 2020 Schrems II ruling (CJEU case C-311/18) that invalidated the Privacy Shield framework and required organizations to assess the risk of transfers to countries without an adequacy decision. Alongside the fine, Meta was ordered to suspend future transfers within five months and to bring its processing of already-transferred EU data into compliance within six months. The EU-US Data Privacy Framework, approved by the European Commission in July 2023, has since given certified US organizations a new transfer basis, but both of its predecessors were struck down by the CJEU, so transfer impact assessments and Standard Contractual Clauses remain relevant for US companies.

4%

Of worldwide annual turnover, or €20 million if that is higher, is the maximum penalty in the upper GDPR tier. For a company with $1B in revenue the 4% figure governs, so a single upper-tier infringement could cost $40M; for a company under roughly €500M in revenue the fixed €20 million cap is the larger number. This makes GDPR one of the highest-penalty data protection regimes in the world (China's PIPL, for example, allows up to 5% of prior-year turnover), and the cap is calculated on group-wide revenue, not on the revenue of the subsidiary that committed the infringement.

How Cloudskope Can Help

Cloudskope's compliance advisory practice evaluates GDPR obligation scope, assesses control implementation against GDPR requirements, and helps organizations establish the operational processes — data subject rights handling, breach notification, records of processing — that GDPR compliance requires.