GDPR Compliance for US-Based SaaS: What You Need to Know

If your SaaS has a single EU customer, GDPR applies to you. It doesn’t matter that your company is in the US. It doesn’t matter that your servers are in Virginia. EU data protection law follows EU citizens’ data wherever it goes.

Many US companies discovered this the hard way when Austrian and German regulators started enforcing GDPR against American businesses. The fines can reach 4% of global annual revenue.

Here’s what US-based SaaS companies need to understand about GDPR compliance.

Quick Answer

Question	Answer
Does GDPR apply to US companies?	Yes, if you have EU customers or track EU visitors
What’s the maximum fine?	€20 million or 4% of global annual revenue, whichever is higher
Do I need a DPO?	Only if you process data at scale or handle sensitive categories
Do I need EU representation?	Yes, if you don’t have an EU presence
Can I store data in the US?	Only with proper safeguards (Standard Contractual Clauses or adequacy decision)

GDPR applies to any organization that:

Offers goods or services to EU residents (even if free)
Monitors behavior of EU residents (tracking, analytics, profiling)

You don’t need an EU office. You don’t need EU employees. A single EU customer triggers the regulation.

Examples

Scenario	GDPR Applies?
US SaaS with one paying customer in Germany	Yes
US blog with EU visitors, using Google Analytics	Yes (monitoring)
US e-commerce that ships to EU	Yes
US company with no EU customers and geo-blocking	No
US company with EU customers but all processing in EU	Yes (but easier compliance)

Core Requirements

GDPR has 99 articles, but most of what you need to know fits into these categories:

1. Lawful Basis

You need a legal basis to process personal data. The most common for SaaS:

Basis	When to Use
Contract	Processing necessary to provide your service
Consent	Marketing emails, cookies, optional features
Legitimate Interest	Fraud prevention, security (with balancing test)

For most SaaS: Contract basis for core service, consent for marketing and optional features.

2. Data Subject Rights

EU residents have rights you must honor:

Right	What It Means	Your Obligation
Access	Know what data you hold	Provide data export on request
Rectification	Correct inaccurate data	Allow updates, correct on request
Erasure	Delete their data	Delete within 30 days (with exceptions)
Portability	Get data in machine-readable format	Provide structured export
Objection	Stop certain processing	Honor opt-outs
Restriction	Limit processing	Freeze data during disputes

Practical requirement: Build workflows to respond to these requests within 30 days.

3. Data Protection Principles

Principle	Practical Meaning
Purpose limitation	Only use data for stated purposes
Data minimization	Collect only what you need
Accuracy	Keep data current
Storage limitation	Delete when no longer needed
Security	Appropriate protection measures
Accountability	Document your compliance

4. International Data Transfers

Transferring EU data to the US requires safeguards. Options:

Mechanism	Status
EU-US Data Privacy Framework	Available for certified US companies (2023+)
Standard Contractual Clauses (SCCs)	Valid but requires transfer impact assessment
Binding Corporate Rules	For intra-company transfers (complex)
Derogations	Specific consent or contract necessity (limited)

For most US SaaS: Either certify under the EU-US Data Privacy Framework or implement SCCs.

Technical Requirements

Data Mapping

You must know what personal data you collect, where it’s stored, and who accesses it.

Document:

Item	Examples
Data categories	Name, email, IP address, usage data
Data sources	User input, cookies, third parties
Storage locations	Database, S3, SaaS tools
Access controls	Who can see what
Retention periods	How long you keep each type

Security Measures

GDPR requires “appropriate” security. For a SaaS, this typically means:

Category	Requirements
Access control	Role-based access, strong authentication
Encryption	At rest and in transit
Logging	Audit trails for data access
Incident response	Plan for breaches
Vendor management	DPAs with all processors

Breach Notification

If you have a data breach affecting EU residents:

Requirement	Timeline
Notify supervisory authority	Within 72 hours of becoming aware
Notify affected individuals	”Without undue delay” if high risk
Document the breach	Keep records for accountability

Practical requirement: Have an incident response plan that can execute within 72 hours.

Documentation Requirements

GDPR requires you to demonstrate compliance. Key documents:

Document	Purpose
Privacy policy	Inform data subjects about processing
Records of processing activities	Internal documentation of all processing
Data Protection Impact Assessment	Required for high-risk processing
Standard Contractual Clauses	For US-EU data transfers
Data Processing Agreements	With all vendors who touch personal data

Privacy Policy Requirements

Your privacy policy must include:

Identity of the controller (your company)
Contact details for data protection officer (if applicable)
Purposes of processing and legal basis
Categories of recipients (who you share with)
International transfer details and safeguards
Retention periods
Data subject rights
Right to lodge complaints with supervisory authority
Whether data provision is required for the service

Common Mistakes

Mistake	Why It’s a Problem	Fix
Ignoring GDPR	Fines apply regardless of knowledge	Accept that it applies and comply
Treating consent as the only basis	Consent can be withdrawn, creating chaos	Use contract basis for core service
Not updating privacy policy	Must reflect actual practices	Review and update when practices change
No data processing agreements	You’re liable for vendor violations	Execute DPAs with all data processors
Storing data forever	Violates storage limitation	Define and enforce retention policies
No response workflow for rights	Must respond within 30 days	Build the workflow before you need it

Implementation Checklist

Phase 1: Foundation

Document all personal data you collect
Map where data is stored and who accesses it
Update privacy policy to meet GDPR requirements
Identify lawful basis for each processing activity
Register with EU-US Data Privacy Framework (if eligible)

Phase 2: Rights and Processes

Create workflow for data access requests
Create workflow for data deletion requests
Create workflow for data portability requests
Set up consent management for marketing
Define retention periods for each data category

Phase 3: Technical Controls

Implement encryption at rest and in transit
Review and strengthen access controls
Set up audit logging for sensitive data access
Create incident response plan
Execute DPAs with all data processors

Phase 4: Ongoing

Train team on GDPR requirements
Schedule regular compliance reviews
Monitor for regulatory changes
Update documentation when practices change

The US State Privacy Law Overlap

While focusing on GDPR, don’t ignore US state laws that impose similar requirements:

State	Key Requirements
California (CCPA/CPRA)	Right to delete, opt-out of sale, data access
Virginia (VCDPA)	Similar to CCPA with some differences
Colorado (CPA)	Data minimization, purpose specification
Connecticut, Utah, etc.	Various requirements emerging

Good news: GDPR compliance often covers most US state requirements. Build for GDPR, then adjust for state-specific provisions.

When to Get Help

Situation	Recommendation
Basic SaaS with standard data	Self-implement with templates
Processing sensitive data	Consult a privacy lawyer
Large-scale processing	Consider a Data Protection Officer
Received a complaint or inquiry	Legal counsel immediately
Cross-border complexity	Specialized privacy counsel

GDPR compliance isn’t a one-time project. It’s an ongoing program that requires documentation, processes, and technical controls. If you’re building a SaaS that will serve EU customers and want guidance on privacy-by-design architecture, book a consultation. We’ll help you build compliance into your product from the start.

GDPR Compliance for US-Based SaaS: What You Need to Know