GDPR Compliance for International Businesses Operating in the EU
The practical GDPR checklist: lawful bases, DPO requirements, cross-border transfer rules and the fines that apply when companies get it wrong.
Who GDPR Applies To
The General Data Protection Regulation applies to any organisation processing personal data of EU residents — regardless of where the company is established. Non-EU businesses targeting EU customers must appoint an EU representative under Article 27.
Core Obligations
Companies must identify a lawful basis for each processing activity, maintain a record of processing activities (Article 30), implement privacy by design, honour data subject rights within one month, and report breaches to supervisory authorities within 72 hours.
Data Protection Officers
A DPO is mandatory where core activities involve large-scale systematic monitoring or large-scale processing of special category data. The DPO may be an employee or external service provider but must be independent and report to top management.
Transfers and Fines
Transfers outside the EEA require an adequacy decision, Standard Contractual Clauses with a transfer impact assessment, or Binding Corporate Rules. Maximum fines reach EUR 20 million or 4% of global annual turnover, whichever is higher — and enforcement against non-EU companies has increased steadily since 2023.