GDPR ENFORCEMENT IS ACTIVE — INCLUDING AGAINST US-BASED CONTROLLERS
GDPR Compliance: Pass the Supervisory Authority Inquiry With Evidence on File.
The General Data Protection Regulation has been enforceable since May 25, 2018 — and EU supervisory authorities increasingly target US-based controllers handling EU resident data. Maximum fines run 4% of global annual turnover or €20M, whichever is higher. We translate the requirements in a 30-minute call. If your current IT can already produce the Article 30 records, you don’t need us.
Updated May 3, 2026
Does GDPR apply to your US-based business?
GDPR Article 3 establishes territorial scope. The regulation applies to controllers and processors established in the EU regardless of where the processing itself occurs. It also applies to non-EU controllers and processors that offer goods or services to data subjects who are in the EU (paid or free) or that monitor the behaviour of those data subjects as far as it takes place within the EU. The test turns on where the data subject is, not on citizenship or residence. A US-based SaaS firm with EU customers, a CT manufacturer with EU resellers, or an MA marketing firm tracking EU website visitors is likely in scope.
The “offering goods or services” test is operational, not structural, and it turns on evidence of intent. Accepting a Member State currency at checkout, marketing in an EU language, naming EU customers in references, or shipping to EU addresses are the indicators the European Data Protection Board lists in its Guidelines 3/2018 on territorial scope, the operative interpretive framework. Mere accessibility of a US website from the EU is not enough on its own, but most US firms with deliberate EU commercial activity meet the test.
The “monitoring behaviour” test catches firms with no direct EU commercial activity but with EU-located data subjects in their analytics. Guidelines 3/2018 read “monitoring” as purposeful tracking or profiling (behavioural advertising, geolocation, cookie-based tracking), not every incidental collection of web traffic data. A US firm running Google Analytics on a public website visited from the EU may therefore be in scope, and several EU supervisory authorities found Google Analytics deployments unlawful in 2022 on data-transfer grounds. The 2020 Schrems II judgment (CJEU C-311/18) invalidated Privacy Shield and required a case-by-case assessment of transfers made under Standard Contractual Clauses; its operational impact remains active in 2026.
The EU representative requirement (Article 27) applies to non-EU controllers and processors in scope, with a narrow exception (Article 27(2)) for occasional, low-risk processing that involves no large-scale special-category or criminal-offence data. The controller must designate a representative established in the EU, authorized to receive communications from supervisory authorities and data subjects. Firms in scope without a representative are in violation regardless of other compliance work, and the omission is itself fineable under the lower penalty tier (Article 83(4)(a)).
What does the EU supervisory authority actually inspect?
For a controller with an EU establishment, the lead supervisory authority is that of the Member State of its main establishment. For a US controller with no EU establishment, the authority of each Member State where affected data subjects are located is competent, and the one-stop-shop does not apply. Either way, an investigation conducted under the Article 58 powers typically requests the same six artifacts: the Article 30 records of processing activities, the data protection impact assessments for high-risk processing, the controller-processor agreements with all processors, the privacy notice with all required Article 13/14 elements, the consent evidence (where consent is the legal basis), and the security measures evidence per Article 32.
Article 30 records are the master inventory. For each processing activity they document the controller (and its representative and DPO, where designated) with contact details, the purposes of processing, the categories of data subjects and of personal data, the categories of recipients (including transfers outside the EU/EEA and the safeguard relied on), the envisaged retention periods, and, where possible, a general description of the Article 32 security measures. The records must be in writing (electronic form is fine), kept current, and produced to the supervisory authority on request. Most US-based controllers caught in inquiries have not maintained Article 30 records.
Data protection impact assessments (DPIAs, Article 35) are required for processing likely to result in a high risk: systematic and extensive profiling with legal or similarly significant effects, large-scale processing of special-category or criminal-offence data, large-scale systematic monitoring of publicly accessible areas, and the processing types on each supervisory authority’s published Article 35(4) list. The DPIA documents the processing, its necessity and proportionality, the risks to data subjects, and the safeguards; where residual risk remains high the controller must consult the authority before processing starts (Article 36).
Compliance is a current state, not a milestone reached once. A GDPR program assembled in 2018 for the regulation’s effective date does not protect a firm in 2026: guidance has evolved (Schrems II, the EU-US Data Privacy Framework, AI Act intersections), data flows have changed, and processors have changed. The honest path is current records, not historical compliance.
What happens if a US-based firm fails an EU inquiry?
GDPR penalty tiers are tied to firm-wide global revenue, not just EU operations. The higher tier (Article 83(5)) runs up to €20 million or 4% of global annual turnover, whichever is greater, and covers the basic principles, lawful basis, data subject rights, and the international transfer rules. The lower tier (Article 83(4)) runs up to €10 million or 2% of global annual turnover and covers the organisational duties: records, DPIAs, processor contracts, the EU representative, security of processing, and breach notification. The violations typically alleged against US controllers (missing legal basis, unanswered rights requests, unlawful transfers) all sit in the higher tier.
The path is mechanical for most US-based firms. A data subject in the EU complains to their supervisory authority (Article 77). The authority opens an investigation using its Article 58 powers and issues a request for information. The US controller produces (or fails to produce) Article 30 records, DPIAs, processor agreements, and security evidence. An inadequate response triggers the corrective measures of Article 58(2): warnings and reprimands, orders to bring processing into compliance, a ban on the processing or on the transfers at issue, and administrative fines. For a controller with an EU establishment, the lead authority runs the case through the Article 60-66 cooperation and consistency mechanism (the one-stop-shop); for a US controller with no EU establishment there is no lead authority, and each Member State’s authority can act directly against the firm.
Enforcement against US controllers without EU establishment is the operational complication. The supervisory authority can issue a binding decision and a fine; collection across borders requires either EU asset attachment (where the US firm has EU operations or receivables) or voluntary compliance. The €1.2 billion Meta fine of May 2023 was imposed on an EU-established entity (Meta Platforms Ireland) over transatlantic transfers, and the EU-US Data Privacy Framework added a US-side enforcement channel, with the FTC policing the commitments of self-certified firms. Together they show that transfer violations are actively pursued and that the US side now has a mechanism of its own.
The compounding consequence is commercial. EU enterprise customers and EU public-sector procurement increasingly require GDPR-compliant vendor relationships as a contract condition. A US controller without operational GDPR compliance loses EU market access. For B2B SaaS firms with EU pipelines, the GDPR posture is the EU commercial license.
How does Triton get your firm GDPR-ready?
We deploy Sophos Endpoint XDR, Microsoft Defender for Endpoint, Sophos Firewall, AWS-backed infrastructure with documented EU-data-residency configuration where required, and continuous monitoring tooling. We then author the Article 30 records of processing activities, the DPIAs for high-risk processing, the controller-processor agreements with all processors, the GDPR-compliant privacy notice, and the data subject rights request workflow.
The technical work supports Article 32 (security of processing). GDPR requires “appropriate technical and organisational measures” judged against the state of the art, implementation cost, and the risk to data subjects, and Article 32(1) names the expected building blocks itself: pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience, timely restoration after an incident, and regular testing of the measures. Sophos Endpoint XDR, Microsoft Defender for Endpoint, Sophos Firewall and AWS-backed infrastructure with encryption at rest and in transit cover that baseline; firms without those controls argue uphill against authority investigators citing what reasonable comparators implement.
We deploy on AWS because downtime is not an option. AWS’s EU regions let the controller keep EU data in EU infrastructure where data residency is required. Residency alone does not settle the Chapter V transfer question: remote access by US-based staff or support tooling is still a transfer and needs a documented mechanism (Data Privacy Framework or Standard Contractual Clauses) and a transfer impact assessment. AWS support responds with enterprise urgency, which matters when Article 33 breach notification to the supervisory authority is due not later than 72 hours after the controller becomes aware of the breach.
Our typical GDPR readiness engagement delivers Article 30 records, DPIA framework, processor agreements, privacy notice, and rights-request workflow inside 90 days. We coordinate with EU privacy counsel for the EU representative designation and high-risk DPIA legal review — counsel’s scope is the EU-facing legal architecture; ours is the technical and operational implementation.
What evidence does the EU supervisory authority actually want on file?
Six artifact categories mapped to specific GDPR articles. Each is required in writing and producible on supervisory authority request.
1. Records of processing activities (Article 30): the inventory of every processing activity with its purposes, data categories, recipients, transfers and retention periods.
2. Data protection impact assessments (Article 35): one per high-risk processing operation, with the Article 36 prior-consultation record where residual risk stayed high.
3. Controller-processor agreements (Article 28): a contract with every processor carrying the Article 28(3) mandatory terms, plus the Chapter V transfer mechanism for each non-EEA processor.
4. Privacy notice (Articles 13 and 14): all required elements, including the legal basis for each purpose, retention periods, recipients, transfers, and the data subject rights.
5. Consent evidence (Article 7): proof of who consented, to what, when and how, wherever consent is the legal basis, together with a working withdrawal path.
6. Security measures evidence (Article 32): the implemented technical and organisational measures and the records of testing them.
Why start now? Because supervisory authority inquiries don't wait for readiness.
EU supervisory authority inquiries can arrive within weeks of a complaint. Article 30 records either exist with current entries or they don’t. DPIAs either documented the high-risk processing or they didn’t. Building the evidence file under inquiry pressure costs 3-5x what proactive readiness costs and produces weaker documentation.
US firms with EU pipelines that we have helped through GDPR readiness started 90-120 days before any EU contract closed. The firms that discovered GDPR exposure during a supervisory authority inquiry paid for emergency EU privacy counsel, technical remediation, and rushed Article 30 authoring simultaneously — under enforcement pressure with multi-month timelines.
Frequently Asked Questions
Do we need GDPR compliance if we are US-based with no EU office?
Yes if you offer goods or services to EU data subjects, or if you monitor their behavior. The territorial scope is operational, not structural. Most US firms with EU customers, EU website traffic with analytics, or EU-currency checkout meet the test. The European Data Protection Board’s Guidelines 3/2018 is the operative interpretation.
What is an Article 30 record?
A written inventory of processing activities required of all controllers and processors. The Article 30(5) exception for enterprises with fewer than 250 employees is narrow: it falls away if the processing is likely to result in a risk to data subjects, is not occasional, or involves special-category or criminal-offence data, and supervisory authorities treat routine HR and customer processing as not occasional. The record documents the controller and its representative and DPO, categories of data subjects, categories of personal data, purposes of processing, recipients (including non-EU transfers and the safeguard relied on), retention schedules, and security measures. It is the master document supervisory authorities request first during an inquiry.
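As an added illustration of what the record must contain, here is a small Python checker written for this page (example code, not Triton’s tooling and not a supervisory authority template) that validates constructed Article 30 entries against the Article 30(1) elements described in this answer and in the records section above, flags non-EEA recipients that cite no Chapter V safeguard, and applies the Article 30(5) small-enterprise test. The dataclass field names, the placeholder vendor names and the sample activity are assumptions of this example.

```python
"""Article 30 records-of-processing (ROPA) consistency checker.

Added example, not code from the page's author. The dataclass field names
and the sample activity are this example's own assumptions; the required
elements follow GDPR Art. 30(1)(a)-(g), the transfer check follows
Art. 30(1)(e) read with Chapter V (Art. 44-46 and the EU-US DPF), and the
small-enterprise exemption follows Art. 30(5).
"""
from __future__ import annotations
from dataclasses import dataclass, field

# EU-27 plus the three EEA EFTA states; anything else is a "third country".
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}
# Chapter V mechanisms a record may cite as the safeguard for a transfer.
TRANSFER_MECHANISMS = {"adequacy", "scc", "bcr", "dpf"}
# Art. 9(1) special categories plus Art. 10 criminal data; any of these
# defeats the Art. 30(5) exemption. Category labels are this example's own.
SENSITIVE = {"health", "biometric", "genetic", "racial_ethnic", "political",
             "religious", "union", "sex_life", "criminal"}


@dataclass
class Recipient:
    name: str
    country: str                        # ISO 3166-1 alpha-2
    transfer_mechanism: str | None = None


@dataclass
class ProcessingActivity:
    name: str
    purposes: list[str]
    data_subject_categories: list[str]
    data_categories: list[str]
    recipients: list[Recipient]
    retention: dict[str, str]           # data category -> period or criterion
    security_measures: list[str] = field(default_factory=list)
    occasional: bool = False
    likely_risk: bool = False


def check_activity(act: ProcessingActivity) -> list[str]:
    """Return the gaps a supervisory authority would spot in one record."""
    gaps: list[str] = []
    for attr, ref in (("purposes", "30(1)(b)"),
                      ("data_subject_categories", "30(1)(c)"),
                      ("data_categories", "30(1)(c)")):
        if not getattr(act, attr):
            gaps.append(f"{act.name}: missing {attr} (Art. {ref})")
    for r in act.recipients:
        # A recipient outside the EEA must cite a Chapter V safeguard.
        if r.country.upper() not in EEA and r.transfer_mechanism not in TRANSFER_MECHANISMS:
            gaps.append(f"{act.name}: transfer to {r.name} ({r.country}) has no "
                        f"documented safeguard (Art. 30(1)(e), Art. 44-46)")
    for cat in act.data_categories:
        if cat not in act.retention:
            gaps.append(f"{act.name}: no retention period for '{cat}' (Art. 30(1)(f))")
    if not act.security_measures:
        gaps.append(f"{act.name}: no description of security measures (Art. 30(1)(g))")
    return gaps


def art30_exempt(headcount: int, activities: list[ProcessingActivity]) -> bool:
    """Art. 30(5): fewer than 250 staff AND every activity is occasional,
    not likely to result in risk, and free of special-category data.
    HR and customer records are never 'occasional', so in practice the
    exemption rarely applies even to small firms."""
    if headcount >= 250:
        return False
    return all(a.occasional and not a.likely_risk
               and not (set(a.data_categories) & SENSITIVE)
               for a in activities)


# Constructed sample: one SaaS activity with three recipients. The vendor
# names are placeholders, not real processors of any firm.
SAMPLE = ProcessingActivity(
    name="customer_account_management",
    purposes=["contract performance", "billing"],
    data_subject_categories=["customers", "customer employees"],
    data_categories=["identity", "contact", "payment", "usage_logs"],
    recipients=[
        Recipient("cloud-host-eu", "DE"),                 # inside the EEA
        Recipient("support-desk-inc", "US", "dpf"),       # DPF self-certified
        Recipient("analytics-vendor-inc", "US"),          # no safeguard cited
    ],
    retention={"identity": "contract + 6y", "contact": "contract + 6y",
               "payment": "6y (tax)"},                   # usage_logs missing
    security_measures=["encryption at rest and in transit", "MFA", "audit logging"],
)

if __name__ == "__main__":
    for gap in check_activity(SAMPLE):
        print(gap)
    print("Art. 30(5) exempt:", art30_exempt(60, [SAMPLE]))
```

On the constructed sample the checker reports two gaps, the US analytics vendor with no transfer mechanism and a data category with no retention period, and denies the Article 30(5) exemption because the activity is not occasional. The EEA set and the mechanism names are the parts that need maintenance as adequacy decisions and the Framework’s status change.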
Do we need a Data Protection Officer?
Article 37 mandates a DPO for public authorities, for organizations whose core activities require regular and systematic large-scale monitoring of data subjects, and for organizations whose core activities involve large-scale processing of special-category or criminal-offence data. Many US firms with EU pipelines designate a DPO voluntarily as a vendor-credibility signal even when not strictly required. A voluntarily designated DPO carries the full Articles 37-39 obligations (independence, adequate resources, direct reporting to top management, published contact details communicated to the supervisory authority), so designate deliberately rather than as a title.
What is the EU representative requirement?
Article 27 requires non-EU controllers and processors in GDPR scope (with the limited Article 27(2) exceptions) to designate an EU representative: an entity established in one of the Member States where the relevant data subjects are located, mandated in writing to receive supervisory authority and data subject communications and to hold a copy of the Article 30 records. The representative is a contractual appointment and does not create an EU establishment for one-stop-shop purposes; specialized providers offer EU representation as a service for $200-1,000/month depending on transaction volume.
How does the EU-US Data Privacy Framework affect transatlantic data transfers?
The EU-US Data Privacy Framework (adequacy decision of July 2023) lets a US firm that has self-certified with the US Department of Commerce receive EU personal data without Standard Contractual Clauses. It covers only transfers to self-certified organizations and only data within the scope of the certification, and onward transfers from the certified firm still need their own safeguards. The adequacy decision has been challenged before the EU courts; firms should monitor developments and keep an SCC fallback in the transfer architecture so that an adverse ruling does not halt data flows.
What does GDPR readiness cost for a US-based SaaS firm?
Total first-year investment for a 25-100 employee SaaS firm with EU pipeline typically runs $40,000 to $90,000. The split: Article 30 records and DPIA framework ($10-20K), processor agreements review ($5-12K), privacy notice and rights workflow ($6-15K), technical security stack ($12-20K), EU representative service ($3-12K annual), EU privacy counsel ($4-11K).
How does GDPR interact with state privacy laws (CTDPA, NJDPA, etc.)?
Structurally similar but with different applicability. State laws cover state residents; GDPR covers EU data subjects. The underlying compliance architecture (rights workflows, data mapping, vendor agreements, security measures) overlaps substantially. Multi-jurisdictional firms typically operate a unified privacy program with state- and EU-specific workflow branches.
Do we need dark web monitoring for GDPR?
No. Dark web monitoring is a notification service, not an Article 32 security measure. Article 32 requires “appropriate technical and organisational measures” and names the expected categories itself: pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience, the ability to restore access after an incident, and regular testing of those measures. The operational interpretation adds industry norms such as access control, audit logging, and incident response. We do not bundle dark web monitoring and it does not appear in any GDPR evidence list.
Founded in 2001
25 Years of IT Expertise
Worcester · Providence · Hartford
Regional Offices
Ranked 84th Percentile Nationally
National Benchmark
Under 10 Minute Response
Third-Party Verified
HIPAA · CMMC · SOC 2 · PCI
Multi-Framework Compliance
Let's Discuss Your IT Needs
Triton Technologies delivers managed IT services, cybersecurity, and IT support for businesses across Connecticut, Massachusetts, New York, Rhode Island, and beyond. Contact our team today to start a conversation about your technology environment.