You’re a US company and heard about GDPR? What’s up with that?

GDPR, a four-letter word that caused so much uproar in Europe that even Americans heard about it. The result? A lot of changes to internal and external policies in Europe, and many companies in the US with loads of questions. What is it all about? How do we handle this GDPR thing? Do we even need to handle it? Who can give me some straight answers? The paragraphs below explain what GDPR is and walk through the first steps towards becoming compliant.

An introduction to GDPR

GDPR stands for the General Data Protection Regulation, a European law that obliges companies to respect the personal data of people in the EU. It has applied since May 25, 2018. Privacy has always been important in the EU, but this regulation gives the data subject even more rights than before.

From now on, companies that process data of EU data subjects not only need a lawful basis (often the person's consent) to collect it, but also have to give those people the right to see what information is held about them. Next to this, a data subject can ask you to correct, delete or export all of that information. Companies can only collect data for a specific, stated purpose and cannot ask for more than they need for it. Once the purpose is fulfilled, the data has to be deleted.

This is, in very short terms, what it is all about. Want to read the full text and see all the details? You can get a readable version here, or read about it on our blog.

GDPR for American companies

The little panic attack you had when you first heard about GDPR is completely normal. For European companies, this regulation came as no surprise, but we assume that for US organizations it can be a shock.

As a US company, it is quite possible that you gather, store or manage data of people in the EU because you have a European subsidiary or sell your products outside US borders. The GDPR protects data subjects located in the EU regardless of their nationality, and it binds companies anywhere in the world that offer goods or services to those people or monitor their behaviour. Whether you are an Asian, Australian or American company, you have to bring your data processing in line with GDPR as soon as EU data subjects are involved.

Within the US, you have two options as a company:

  • Stay far away from EU data subjects, so you don't have any issues whatsoever
  • Manage data of both EU and non-EU citizens and adapt your privacy practices to GDPR

The best and safest option is the second one, because then you are GDPR-compliant and, on top of that, also respect the privacy of non-EU citizens. If you want to be compliant, it is not enough to simply follow all GDPR rules and adapt your internal and external way of working. As a US company, you should also get certified under the EU-US Privacy Shield, as it is one of the recognised ways (alongside Standard Contractual Clauses) to show EU companies and citizens that personal data transferred to you is adequately protected. Note that the Privacy Shield framework was later invalidated by the Court of Justice of the EU in its Schrems II judgment of July 2020, so check the current status of any transfer mechanism you rely on.

At the same time, you of course also have to keep an eye on your sales and marketing. Being too rigid is never good and helps neither you nor your clients. Check out how to maintain the balance between marketing and GDPR.

Too much to think about?

Above we have tried to keep it very simple and short, but sadly it is all a bit more complex than this. Most companies in Europe have been working on this for more than six months and are still not completely on track. As we are helping our EU clients with it, we can also bring valuable information to you, our US contacts. Thanks to our headquarters in Europe, we have a lot of hands-on experience with GDPR, which makes us practically GDPR experts. We are the right partner to help your company adapt its privacy practices to the regulation without losing track of your online marketing and sales needs.


The Reference has its office in the heart of Manhattan.