With the growth of the EU as an economic power, businesses in the United States are working to make headway into this lucrative commercial market. However, they are rapidly learning that the IT and data-driven practices standard in the U.S. will not stand in the GDPR-regulated European Union.
There are some basic preparations that any U.S. business must undertake even to consider getting ready for business in the EU.
GDPR and Territorial Scope
Per Article 3 of GDPR law, any company collecting information from a data subject resides in the European Union, regardless of the organization’s location.
The law defines two different types of organizations to which these laws apply to:
- Data Controllers: A data controller is an organization or individual that makes decisions and determinations about data collection. This includes making decisions about implementing IT infrastructure and business processes to collect information from a data subject within the EU. Data controllers can come in the form of traditional businesses as well as non-profit or government organizations.
- Data Processors: Data processors are organizations that handle data processing responsibilities for the controllers. These are most often third-party software or service providers.
Both parties are held under the jurisdiction of GDPR rules when collecting and processing consumer data in the EU. A controller, however, may not process user data–they only make decisions regarding that processing. As such, controllers and processors have slightly different responsibilities under GDPR. One of these, not least, is the assumption of controller accountability for third-party processors.
Furthermore, it’s quite common for a business to be both a controller and a processor. In such cases, this organization must adhere to the strict requirements of both categories.
GDPR and Data Collection Requirements
Generally speaking, however, if the organization or the data subject is within the EU, and/or the processing or collection of the data happens within the EU, then it is understood that the activity falls under GDPR.
This creates a few scenarios, depending on where that organization is:
- Data Subjects Within the EU: Any data collected from a data subject in the EU is governed by GDPR. Note that a “data subject” isn’t necessarily a citizen–if a U.S. citizen is living in the EU for work-related reasons, they are still protected.
- Data Subjects Outside of the EU: Non-EU citizens in territories outside of the EU are not covered by GDPR. However, EU citizens in other countries are protected by the concept of “extraterritoriality,” meaning that data collection from these individuals will fall under GDPR for legal purposes in the EU.
- Organizations Within the EU: A controller or processor within the EU is held accountable to GDPR laws and regulations for citizens of the EU. That is if there is any case where a controller or processor performs data activity within EU territory, that GDPR governs activity.
- Organizations Outside the EU: If an EU business operates partially outside of EU jurisdiction, data processing activities happen outside EU territory, and data processing does not include EU citizens, then it may not be subject to GDPR. For example, an EU company offering services in non-EU areas with local processors that handle data in those areas exclusively may not need to comply with GDPR.
How Can Companies in the U.S. Start Prepare for GDPR?
GDPR isn’t a law that snuck up on the business world. Many large enterprises have adjusted or at least begun the process–although that hasn’t been without its hiccups. However, these large enterprises are quick to learn, considering the steep costs of non-compliance.
With Europrivacy looking to be a significant step towards a global GDPR assessment standard, there really isn’t a reason for even small businesses operating partially in the EU to begin looking down the road on their compliance journey.
Whether you’re a large or small business, there are a few critical steps you need to take to start preparing for GDPR:
- Assess All Third-Party Relationships: Because your company may be a controller, a processor, or both, you must understand where your organization falls and how that impacts your compliance responsibilities. Furthermore, and make no mistake about this, your company will most likely be responsible for any compliance issues with your third-party processing vendors. If you’re a controller making data decisions and your processing partners break GDPR rules, you’ll be asked to account for the relationship. This means clearly understanding contracts, governance agreements, and so on.
- Audit Internal Processing: If you collect and process data from people in the EU, then you’re not getting around GDPR. Audit all your data processes that touch regulated data to assess how, or even if, they adhere to GDPR requirements. And this audit goes much deeper than you think–your company could be responsible for protecting PII in esoteric records like audit logs and internal monitoring reports.
- Audit Data Collection: The days of big-net data collection and shotgun-blast email marketing may be going the way of the dodo. Suppose you’re asking for personal information like email addresses within the EU, regardless of your company’s location. In that case, you must have disclosure and opt-in mechanisms in place. This includes even basic mechanisms you might take for granted, like collecting cookies on your public website.
- Audit Data Operations: Unlike the U.S., your ability to process information is limited by purpose and scope. That is, you cannot simply collect data and then use it as you will. You may only use it within clearly-defined and consented-to purposes. Also, you cannot freely sell or share that data with other parties without more consent. It’s best to understand how your business uses information and how that will change in an EU context.
- Understand Data Subject Rights: GDPR clearly defines data subject rights, including the right for data disclosure and the right to be forgotten. These rights are non-negotiable, as are the timeframes for which you must comply with any request. In preparing for GDPR compliance, you’ll need to assess your ability to disclose data to subjects, modify or delete that information, and perform any of these operations within 30-45 days.
Align Your Business with GDPR and Europrivacy with Lazarus Alliance
We’re peering into the future of regulations and compliance, and everywhere we see the GDPR as a major requirement for many large businesses. It’s simply not feasible to ignore what’s happening in the EU or how it impacts basic business practices like exchanging cookies or email information with EU citizens.
If you’re seeing the writing on the wall and aligning your IT and business with GDPR and Europrivacy, then we can help. We have extensive experience with GDPR compliance as well as some of the most rigorous standards and regulations from around the world.
What Is Autonomous Malware?
We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→
What CISA’s Emergency Directive 26-01 Means for Everyone
In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→
Cybersecurity and Vetting AI-Powered Tools
A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→
Shutdown Security And Cyber Vulnerability
When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%. Cybersecurity failures during government disruptions rarely start with...Continue reading→
Identity and the Shift from Malware
The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→
Maintaining Compliance Against Prompt Injection Attacks
The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→
Are We Already Talking About CMMC 3.0?
The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→
Centralizing Identity-Based Risk
As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→
Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→
The Costs of Compliance and Data Breaches
Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→
Related Posts