Do US Companies Have to Comply With GDPR?
Yes, US companies that process the personal data of individuals in the EU and UK are required to comply with the General Data Protection Regulation (GDPR). According to Article 3 of the GDPR, if a US-based company collects personal data of individuals located in the EU or UK for the purpose of offering goods or services, regardless of whether a payment is required, or if it engages in behavioural monitoring of individuals within the EU or UK, such as internet tracking through cookies for targeted advertising, then it falls within the scope of the GDPR.
This means that US companies with an online presence, even if they have no physical presence in the EU, must adhere to GDPR compliance requirements. Failure to comply with the GDPR can result in severe penalties, including significant fines of up to 4% of the company's annual global turnover or €20 million, whichever is higher, as well as reputational damage and potential legal actions by affected individuals.
If the UK Data Protection Act or UK GDPR is breached, the ICO can penalise companies for data protection breaches using various tools: assessment notices for compulsory audits, warnings for potential breaches, reprimands for minor breaches, enforcement notices to mandate specific compliance actions, and penalty notices imposing fines of up to £17.5 million or 4% of annual worldwide turnover for serious breaches.
Take, for instance, a scenario where a US retailer markets and sells goods to customers in the UK through its website. In this setup, the processing of customer data falls under the jurisdiction of UK GDPR. While the retailer uses a US-based processor to manage its website operations, it relies on a UK logistics company to handle product deliveries.
When UK consumers transmit their personal data to the US retailer, there are no restrictions on this data transfer, as these consumers are exempt from UK GDPR regulations.
However, a restricted transfer occurs when the US retailer shares data with its US-based processor. Even if the data originates directly from UK customers, the transfer is subject to UK GDPR governance. This arrangement means that the US retailer is responsible for initiating and approving the data transfer, obliging its processor to comply with UK GDPR standards.