GDPR Compliance for Small Businesses: A Practical Guide

The GDPR (General Data Protection Regulation, EU Regulation 2016/679, applicable since 25 May 2018) governs how organizations handle the personal data of people in the EU. There is no "GDPR certificate" — compliance rests on the accountability principle (Art. 5(2)), meaning you must be able to show your records, policies, and decisions on request. You get there by documenting your processing (privacy notices, a Records of Processing Activities, a DSAR procedure, breach response, and more) and then operating those controls in practice.

What is GDPR?

The GDPR is the European Union's comprehensive data-protection regulation, directly applicable across all EU/EEA member states since 25 May 2018, with a near-identical UK GDPR (read with the Data Protection Act 2018) post-Brexit. It requires every processing activity to rest on one of six lawful bases (Art. 6), grants individuals enforceable rights (access, erasure, portability, objection, and more), and obliges most organizations to maintain Records of Processing Activities (Art. 30 — with a narrow exemption for some organizations under 250 employees), conduct Data Protection Impact Assessments for high-risk processing (Art. 35), and report qualifying personal-data breaches to a supervisory authority within 72 hours (Art. 33). Unlike a framework you get "certified" against, GDPR has no mandatory attestation — enforcement is by national supervisory authorities, and fines can reach the higher of €20 million or 4% of total worldwide annual turnover (Art. 83). Compliance is therefore about evidence and operating discipline, not a one-time pass.

Who needs it?

GDPR is not only an EU-company concern. Under its extraterritorial scope (Art. 3), it applies to any organization — including US, UK, and other non-EU businesses — that offers goods or services to people in the EU or monitors their behavior, regardless of where the business is located. That captures SaaS startups with EU users, e-commerce stores shipping to Europe, agencies handling EU client data, and any company running EU-targeted marketing or analytics. Non-EU controllers without an EU establishment may also need to appoint an EU representative (Art. 27), and any business handling EU personal data should expect GDPR questions in customer due diligence and vendor security reviews.

What does GDPR readiness cost?

Option | Typical cost | Time to ready
--- | --- | ---
ComplianceDocs GDPR Compliance Pack | $79 one-time | Documentation tailored in days
Privacy consultant / law firm | ~$1,250-2,750+ (often more for bespoke RoPA & DPIAs) | 3-8 weeks
Privacy management platform (OneTrust-style) | ~$7,000-30,000+/yr | Weeks to months to configure
Build documentation in-house from scratch | Staff time (often 40-80+ hours) | 4-10 weeks

Typical timeline

  1. Map your data and confirm scope: Identify what personal data you process, where it flows, and whether Art. 3 brings you in scope. Determine if you are a controller, processor, or both, and assess whether you need a DPO (Art. 37) or an EU representative (Art. 27).
  2. Build your Records of Processing Activities (Art. 30): Document each processing activity: purpose, lawful basis (Art. 6), data categories, recipients, retention, and international transfers. The RoPA becomes the backbone of your accountability evidence.
  3. Publish privacy notices and stand up data-subject rights: Issue compliant customer and employee privacy notices, and implement a DSAR procedure so you can answer access, erasure, and other requests within the statutory one-month window.
  4. Address risk, transfers, and processors: Run DPIAs for high-risk processing (Art. 35), put SCCs or another Chapter V safeguard (e.g., the EU-US Data Privacy Framework or an adequacy decision) behind international transfers, and sign Art. 28 data processing agreements with vendors.
  5. Prepare breach response and operate the controls: Adopt a breach-response procedure that can detect, assess, and notify the supervisory authority within 72 hours (Art. 33). Train staff and run the program day to day — accountability is proven by operation, not paperwork alone.
  6. Review and maintain: Keep the RoPA, notices, and registers current; reassess on new products, vendors, or regulatory change; and retain evidence so you can demonstrate compliance to a supervisory authority, customer, or auditor at any time.

How editable templates speed this up

Most of the GDPR effort is documentation and records — exactly what a supervisory authority, enterprise customer, or auditor asks to see, and exactly what takes longest to write from a blank page. ComplianceDocs' GDPR Compliance Pack ($79) provides 14 editable Microsoft Word policies and procedures — data protection policy, customer and employee privacy notices, a DSAR procedure, lawful-basis assessment, consent management policy, DPIA procedure, breach-response procedure, processor/vendor management, international-transfer policy, retention schedule, cookies policy, and a DPO/privacy-roles assessment — plus a pre-structured Records of Processing Activities (Art. 30) workbook and an audit-evidence checklist in Excel. The documents are written for EU GDPR and flag where UK GDPR and the Data Protection Act 2018 differ, so businesses selling into both can adapt quickly. They accelerate the paperwork; you still tailor the records to your actual processing and operate the controls — that operating reality, not the templates, is what makes you compliant.

Recommended GDPR toolkits

EU GDPR

GDPR Compliance Pack for Small Business

14 editable GDPR documents — privacy notices, DSAR procedure, DPIA, breach response, processor DPA checklist — plus a pre-filled Records of Processing Activities (Art. 30) workbook and evidence checklist.

$79 (30% off with code)

SOC 2 + AI Governance

Startup Trust Pack — SOC 2 + AI Governance

25 editable documents bundling the SOC 2 Core policy set with the full AI Governance pack — answer enterprise security questionnaires AND the new AI-policy questions in one purchase.

$89 (30% off with code)

Frequently asked questions

Does GDPR apply to US companies?
Yes, in many cases. Under Art. 3, GDPR applies to non-EU businesses — including US companies — that offer goods or services to people in the EU or monitor their behavior, regardless of where the company is located. A US SaaS firm with EU users or an online store shipping to Europe is typically in scope, and may also need an EU representative under Art. 27.
Is there a GDPR certification that makes you compliant?
No. GDPR has no mandatory certificate or attestation body. While Art. 42 allows for voluntary certification mechanisms, they are not widely established and do not by themselves confer compliance. You demonstrate compliance through the accountability principle (Art. 5(2)) — by maintaining and being able to show your records, policies, and decisions.
What is the GDPR 72-hour breach notification rule?
Under Art. 33, when a personal-data breach is likely to result in a risk to individuals, the controller must notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. If the risk to individuals is high, affected people must also be informed (Art. 34). A documented breach-response procedure is what makes meeting that window realistic.
What does Article 30 (Records of Processing Activities) require?
Art. 30 requires most organizations to maintain a written record of their processing activities — covering purposes, categories of data and data subjects, recipients, international transfers, retention periods, and security measures. (There is a narrow exemption for some organizations under 250 employees, but it rarely applies in full.) The RoPA is core accountability evidence and is usually the first thing a supervisory authority requests, which is why a pre-structured RoPA workbook saves significant time.
Will buying GDPR templates make my business compliant on its own?
No. Templates accelerate the documentation, but GDPR compliance comes from how you actually process personal data and your ability to demonstrate it. You must tailor the records to your real processing, implement the controls, and keep evidence current. The templates give you the policies, RoPA, and procedures a supervisory authority, customer, or auditor expects — the longest part to prepare — but operating them is what achieves compliance.
Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.