April 4, 2025

Who needs GDPR compliance: Key criteria, common myths, and next steps

Megha Thakkar, Technical Content Writer at Scrut Automation

When the General Data Protection Regulation (GDPR) came into force back in 2018, it sent ripples across the business world — and not just in Europe. Suddenly, companies everywhere were scrambling to update privacy policies, review data processing workflows, and ask (sometimes awkwardly), “Wait, does this apply to us too?”

Years later, that question still lingers. Especially for businesses outside the EU, the line between “must comply” and “nice to have” can feel fuzzy. But here's the thing: GDPR wasn't designed just for one corner of the map. It was built to protect the personal data of individuals in the European Union (EU) and the European Economic Area (EEA) — no matter where their data travels, and wherever businesses offer goods or services to, or monitor the behavior of, individuals in these regions.

So whether you're a SaaS startup in San Francisco, a healthcare provider in Singapore, or a retailer in Berlin, understanding who needs GDPR compliance — and why — isn't just a legal checkbox. It's a business-critical decision.

Let's break it down. Who really needs to comply? Who should care anyway? And what happens if you don't?

What does GDPR compliance mean?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs how the personal data of individuals in the European Union (EU) and European Economic Area (EEA) is collected, used, stored, and shared.

GDPR aims to strengthen individuals' privacy rights and establish consistent data protection standards across member states. It applies not only to organizations operating within the EU/EEA but also to those outside the region that handle data of EU/EEA residents.

GDPR compliance refers to an organization's ability to comply with these requirements, ensuring that personal data is processed lawfully, transparently, and securely.

To comply, organizations must implement a range of measures designed to protect individual privacy and uphold data rights. This includes:

  • Obtaining valid consent before collecting personal data
  • Limiting data collection to what is necessary for a specific purpose
  • Clearly communicating how personal data will be used
  • Enabling data subject rights, such as access, correction, and deletion
  • Implementing appropriate technical and organizational safeguards to protect data
  • Maintaining documentation and demonstrating accountability for data processing activities

Who must comply with GDPR?

GDPR has an intentionally broad scope. It doesn't just apply to organizations based in the EU or EEA — it extends to any entity that processes the personal data of individuals located in these regions, regardless of where the organization itself is established.

Here's a breakdown of who falls under the regulation's scope:

1. Organizations established in the EU/EEA

Any business or entity with a physical presence in the EU or EEA — whether it's a main office, a branch, or a representative — is required to comply with GDPR. This applies even if the actual data processing takes place outside the region.

2. Non-EU/EEA organizations that offer goods or services to individuals in the EU/EEA

If your business is based outside Europe but intentionally targets individuals in the EU/EEA, GDPR still applies. This includes offering products in local languages, accepting payment in euros, or explicitly marketing to customers in EU countries.

3. Organizations that monitor the behavior of individuals in the EU/EEA

Businesses that track user behavior, such as through analytics, advertising, or profiling, are also within the scope of GDPR — even if they have no physical presence in the EU. This typically includes websites using cookies or other tracking technologies that gather data from EU/EEA visitors.

Who should comply with GDPR — even if not legally required?


While GDPR sets clear legal boundaries for which organizations must comply, there is a growing category of businesses that are not strictly obligated to comply, but still choose to align with its principles — and for good reason.

Here are some scenarios where GDPR compliance makes strategic sense:

1. Startups planning to expand into the EU/EEA

If European expansion is on your roadmap, aligning with GDPR early can help avoid delays down the line. It also signals maturity and forward-thinking to potential investors and partners.

2. Vendors and service providers working with EU/EEA clients

Many GDPR-regulated companies require their third-party vendors — including SaaS providers, cloud platforms, and marketing agencies — to demonstrate GDPR-aligned practices. Being able to show this can give you a competitive edge during procurement processes.

3. Companies processing sensitive personal data globally

Even if your users are outside the EU/EEA, aligning with GDPR can enhance your overall privacy posture. This is especially relevant if you handle health, financial, biometric, or children's data.

4. Businesses aiming for certifications like ISO/IEC 27701

If you're working towards privacy-focused standards such as ISO/IEC 27701, GDPR compliance often overlaps with key requirements. It can serve as a solid foundation for your broader privacy program.

5. Privacy-conscious organizations

In a climate where data breaches and privacy concerns are top of mind for consumers, adopting GDPR-like practices can strengthen trust — even in regions without equivalent laws.

What are the consequences of non-compliance with GDPR?

Failing to comply with GDPR is not just a legal oversight — it can have far-reaching consequences for your business. The regulation is backed by strong enforcement mechanisms, and data protection authorities across the EU and EEA have shown they're willing to act when companies fall short.

Here are the key risks to be aware of:

1. Financial penalties

GDPR fines can go up to €20 million — or 4% of a company's global annual revenue, whichever is higher. Lesser violations may still attract penalties of up to €10 million or 2% of global turnover.

Regulators consider factors like the severity of the breach, whether it was intentional, how many individuals were affected, and how the organization responded. Fines can also be paired with other corrective measures, such as orders to delete data or halt processing activities.

Recent examples:

  • LinkedIn Ireland was fined €310 million for using personal data in targeted advertising without proper legal basis.
  • Clearview AI faced a €30.5 million fine for unauthorized collection and use of biometric data.

2. Reputational damage

Trust is hard-won and easily lost. A public enforcement action — especially one that involves mishandling user data — can quickly erode customer trust, draw negative media attention, and trigger investor concerns.

Even if a fine isn't issued, being under investigation can affect customer relationships, sales cycles, and partnerships — especially with privacy-conscious clients in Europe.

3. Operational and legal disruptions

Non-compliance can lead to enforced changes in how you collect, store, and process data — sometimes under tight deadlines. You could be ordered to stop processing EU users' data altogether, freeze expansion plans, or renegotiate vendor contracts.

Worse, recurring violations or failure to cooperate with regulators can open the door to legal challenges, civil lawsuits, or even criminal investigations under local laws.

4. Long-term loss of business opportunities

In many sectors — especially SaaS, healthcare, and finance — GDPR compliance isn't just about avoiding penalties. It's often a prerequisite for winning business in the EU or working with privacy-forward enterprises globally.

Common misconceptions about GDPR compliance

Despite being in effect since 2018, GDPR is still widely misunderstood — especially by businesses outside the EU and EEA. These misconceptions can lead to false confidence, risky shortcuts, or missed opportunities to strengthen privacy practices.

Here are some of the most common myths, and the facts behind them:

1. “We're not based in the EU, so GDPR doesn't apply to us”

This is one of the most persistent misconceptions. In reality, GDPR applies based on where the data subjects are located — not where your business is based. If you process the personal data of individuals in the EU or EEA — whether through sales, marketing, or analytics — the regulation likely applies.

2. “GDPR only applies to large companies”

GDPR makes no distinction between large enterprises and small startups. What matters is whether you process the personal data of EU/EEA residents. That said, the regulation does allow for some flexibility in how smaller organizations implement compliance measures, depending on risk and scale.

3. “Compliance is just about cookie banners and privacy policies”

While cookie notices and privacy policies are visible signs of GDPR compliance, they're just the tip of the iceberg. Behind the scenes, GDPR expects robust processes — from data protection impact assessments to breach response plans, lawful processing bases, and continuous documentation.

4. “Once we're compliant, we're done”

GDPR compliance is not a one-time event. It requires ongoing effort, including regular reviews, employee training, security updates, and adapting to regulatory guidance or changes in your processing activities.

5. “If we use third-party tools, the responsibility lies with them”

Even if you rely on vendors or cloud platforms to process data, you're still accountable for ensuring that those processors are compliant. GDPR expects you to assess your vendors, sign appropriate data processing agreements, and monitor their practices.

What are the steps to get GDPR compliant — and how can Scrut help?

Getting GDPR compliant doesn't happen overnight, but it also doesn't have to be a black box. The process becomes much more manageable when broken down into specific, actionable steps. Here's how to approach it — and where Scrut can support you along the way.

1. Map your data flows

Start by identifying what personal data you collect, where it's stored, how it's used, and who has access to it. This foundational step is essential for understanding your exposure and obligations under GDPR.

With automated data mapping and over 70 integrations across your tech stack, Scrut gives you a real-time view of where personal data resides and flows.

2. Identify your legal basis for processing

Every instance of data processing under GDPR needs a lawful basis — such as consent, contractual necessity, or legitimate interest. This must be clearly documented.

Scrut offers over 1400 pre-built templates and policy guidance to help you define, justify, and maintain records of your legal bases for processing.

3. Review your privacy policy and consent practices

Ensure your privacy notices are clear, transparent, and accessible. If you rely on consent, it must be freely given, specific, informed, and easy to withdraw.

Scrut provides customizable templates for privacy policies and makes it easy to track and document consent-related workflows.

4. Build workflows for data subject rights

GDPR grants individuals rights like access, correction, erasure, and data portability. Organizations must respond to these requests within specific timeframes.

Scrut helps you establish repeatable, audit-ready workflows for handling data subject access requests (DSARs) and tracking response timelines.

5. Implement technical and organizational safeguards

You'll need appropriate security measures to protect personal data — from encryption and access controls to breach response mechanisms.

Scrut's control library includes GDPR-mapped technical safeguards, and our continuous control monitoring keeps your security posture aligned with evolving threats.

6. Assess the need for a Data Protection Officer (DPO)

If your business processes large volumes of sensitive data or conducts systematic monitoring, you may be required to appoint a DPO.

Scrut's platform highlights compliance obligations like DPO requirements based on your data processing activities, so nothing falls through the cracks.

7. Evaluate your third-party vendors

You're accountable for the data processors you work with. That means assessing their compliance, signing appropriate agreements, and monitoring their practices.

With built-in vendor risk assessments and automated third-party tracking, Scrut simplifies processor due diligence and documentation.

8. Maintain documentation and demonstrate compliance

GDPR expects organizations to show their work — through policies, assessments, training logs, and ongoing reviews.

Scrut serves as your central compliance hub, offering audit-ready documentation, version control, and automated evidence collection.

Looking to simplify your GDPR compliance journey?

With Scrut, you get direct access to GDPR experts, actionable dashboards, and tailored training modules to empower your team — all within a platform built to support end-to-end compliance.


FAQs

Do I need to comply with GDPR?

If you answer yes to any of the following, GDPR likely applies to your business:

  • Do you offer goods or services to individuals in the EU or EEA?
  • Do you monitor the behavior of users in the EU or EEA (e.g. via analytics or tracking)?
  • Do you have employees, customers, or partners based in the EU or EEA?
  • Are you a vendor or service provider to GDPR-regulated organizations?
  • Are you planning to expand into the EU or EEA market soon?

If the answer is yes to even one, GDPR compliance is not optional.

What counts as ‘personal data’ under GDPR?

Personal data includes any information that can directly or indirectly identify an individual — such as names, email addresses, IP addresses, location data, and even pseudonymized data when combined with other identifiers.

Is GDPR compliance mandatory for all third-party vendors?

If you're processing data on behalf of a GDPR-regulated company (as a data processor), you must implement appropriate safeguards and sign data processing agreements. Many businesses require GDPR-aligned practices from all vendors, even if not explicitly mandated.

Is there an official GDPR certification?

Not at the EU-wide level — yet. While Article 42 of the GDPR outlines the possibility of certification mechanisms, there is currently no standardized, EU-recognized certification. Some private schemes or local supervisory authorities may offer GDPR-aligned certifications, but these are not equivalent to official approval.

We're already ISO 27001 certified. Does that mean we're GDPR compliant?

Not necessarily. While ISO 27001 strengthens your security posture and overlaps with some GDPR requirements, it doesn't cover everything — such as data subject rights, lawful processing bases, or consent. GDPR has distinct obligations that need to be addressed directly.

We only have a few users in the EU. Do we still need to comply?

Yes. GDPR does not set a minimum threshold for user volume. If you process the personal data of even a handful of individuals in the EU/EEA, you're expected to comply.
