GDPR compliance guide for online businesses outside of the European Union (Part 1 of 5)

Compliance is easier than you think and following data protection principles will help you build trust while bringing purpose to your sales, marketing, and operations functions.

You have to comply with the GDPR regardless of your location if you transact with EU residents. The GDPR applies equally to businesses of all sizes and compliance can be disproportionately costly to smaller businesses. We wrote this guide to relieve some of that burden and help you frame the activities to improve your business functions while you check the boxes on GDPR compliance.

This article is part 1 of 5 in our guide for online businesses outside of the European Union to comply with the GDPR. We will drill down into the key requirements and describe how you can use this compliance exercise as an opportunity to redefine your business functions.

Subscribe to our newsletter to receive new articles directly in your inbox.

If you're working on a non-profit COVID-19 project for social good, please write to for pro bono EU representation services. The European Data Protection Board (EDPB) and the UK Information Commissioner's Office (ICO) have both issued guidance on data protection considerations to keep in mind during our response to this crisis. You can view the EDPB's statement here, the ICO's guidance for healthcare controllers here, and community groups here.

If you're reading this, you likely realize that the General Data Protection Regulation (GDPR) requires data controllers and processors outside of the European Union (EU) to appoint a representative in the EU. More generally, you're likely wondering whether you've done enough to limit the financial and reputational risk to your business from non-compliance with the GDPR.

Whether you develop apps, run an e-commerce store, or conduct your business online another way, GDPR is probably not new to you as an acronym. Still, it's a regulation that only a handful appear to have under control.

We can safely assume online activity will continue to increase as a result of COVID-19, and we have already seen an uptick in cyberattacks by malicious actors looking to take advantage of this crisis and increased online activity. For those new to the world of online business, this guide can serve as a primer to data protection principles overhauled by the GDPR in 2018. For those already familiar with the GDPR, I hope you can still gain a fresh perspective to address areas you may have neglected in the past.

In this guide, we'll go through the GDPR rule text and additional guidance by EU authorities in the context of what the GDPR broadly aims to achieve. We'll also provide you with resources to not only comply with Article 27 but describe the steps you can take afterward to bring your compliance program under control while using it as a tool to improve your business processes.

In general, your requirements will be more complicated than what we can cover in this guide if you employ over 250 individuals or regularly process special categories of data (e.g., health). You can write to me or schedule time to discuss your specific situation in more detail.

Three steps to comply

In short, if you run an online business that is available to residents of the EU, you most likely need to appoint an EU representative, which you can instantly do here. You then need to update your privacy policy and implement data protection principles more broadly to achieve full compliance with the GDPR. Subsequent parts of this series will provide additional details about each step.

Appoint your EU representative

You need to appoint an EU representative if you have a:

  • consumer application that is available for download in the EU,

  • business application where your users collect data from individuals in the EU,

  • e-commerce store open to the EU, or

  • website that collects analytics, email addresses, or other personal information from data subjects in the EU.

If you don't have an EU representative, we offer an instant service to help you comply with this requirement.

Update your privacy policy

Once you've executed an agreement with your EU representative, you must update your privacy policy with their contact information. Failure to notify data subjects in the EU of your EU representative is considered a breach of your transparency obligations per the GDPR.

Every EU data subject has the right to complain to a supervisory authority. Since non-compliance with requirements related to transparency and data subject rights are easy to detect on your website and privacy policy, these are the areas that expose you the most and probably deserve your attention first.

If you don't have a privacy policy or want to double-check its GDPR readiness, review the privacy policy template we created specifically for businesses outside of the EU.

Implement data protection principles

At this point, all you have left to do is to provide a copy of your records of processing activities (ROPA) to your EU representative. Data protection authorities in the EU may request your ROPA at any time, so you must keep this information up-to-date.

You can think of the ROPA as an X-ray of the personal data processing conducted by your organization. In terms of the format and level of detail, we follow guidance from authorities such as the Information Commissioner's Office in the United Kingdom and Commission nationale de l'informatique et des libertés in France.

While these may appear to be nuisance "check-the-box" activities, it's an excellent opportunity to evaluate the purpose of your data processing and bring it in line with data protection principles. At the end of the day, what you do for sales, marketing, operations, and customer support can all be thought of as data processes. Businesses that design their data processes in light of data protection principles will be in a better position to be trusted by their customers. If approached correctly, you can use this compliance exercise to explore the intent of your data flows and improve your business functions.


While I've written this article to be as helpful as possible, it cannot and does not contain legal advice. The legal information is provided for general informational and educational purposes only and is not a substitute for professional advice. Accordingly, before taking any actions based upon such information, I encourage you to consult with the appropriate professionals. We do not provide any kind of legal advice. The use or reliance of any information contained on this site is solely at your own risk.

If you require legal assistance, I am happy to refer you to an attorney specializing in privacy laws and regulations.