GDPR Compliance for US & Global Companies

Selling into Europe? Your data practices need a paper trail.

B4Q maps your data flows, documents a lawful basis for every use of EU personal data, and builds the agreements and processes GDPR requires — before a customer's legal team flags the gap for you.

  • Data mapping & lawful basis review
  • DPA & privacy notice drafting
  • Cross-border transfer mechanisms
Lawful Basis Data Subject Rights Cross-Border Transfers Breach Notification
GDPR
EU Data Compliance
0Years of Experience
0Satisfied Clients
0Breach Notification Deadline
0Lawful Bases for Processing
Why It Matters

EU customers show up before most teams are ready.

US SaaS companies often start picking up EU customers organically, well before anyone formally reviews whether the company has a documented legal basis for processing, a Data Processing Agreement template, or a clear answer for "where is our data stored."

GDPR applies based on whose data you process, not where your company is incorporated — if you're processing EU residents' personal data, the regulation applies regardless of your US headquarters.

  • 01 Answers EU legal review proactively instead of scrambling when a deal is already in motion.
  • 02 Documents exactly why each type of data processing is lawful, not just how it's secured.
  • 03 Flags early whether you need a formal DPO or EU representative before it becomes a violation.
GDPR At a Glance

What actually applies to you

Applies toAnyone processing EU resident data
Legal basis requiredFor every processing activity
Breach notification72 hours to the supervisory authority
Maximum fine€20M or 4% of global revenue
DPO required whenLarge-scale monitoring or sensitive data
Cross-border transfersRequire an approved mechanism (e.g. SCCs)
The Framework

Six lawful bases. Every processing activity needs one.

GDPR doesn't let you process personal data just because you can — Article 6 requires a documented legal basis for each activity.

ART. 6(1)(a)

Consent

Freely given, specific, and withdrawable at any time.

ART. 6(1)(b)

Contract

Necessary to perform a contract with the data subject.

ART. 6(1)(c)

Legal Obligation

Required to comply with an applicable law.

ART. 6(1)(d)

Vital Interests

Necessary to protect someone's life.

ART. 6(1)(e)

Public Task

Performed in the public interest or official authority.

ART. 6(1)(f)

Legitimate Interests

Balanced against the individual's rights and freedoms.

Who This Applies To

Data Controller or Data Processor — the obligations differ.

Most SaaS vendors act as a processor for their customers' data, but frequently act as a controller for their own — the distinction changes what your DPA needs to say.

Decides why & how data is processed

Data Controller

You determine the purposes and means of processing — for example, data about your own employees, or marketing data you collect and use for your own purposes.

  • Bears primary responsibility for lawful basis
  • Must issue privacy notices to data subjects
  • Signs DPAs with every processor it uses
EU data subject
Data controller (you)
Direct GDPR accountability
Processes data on a controller's behalf

Data Processor

You process personal data under another company's instructions — most B2B SaaS vendors are processors for the customer data flowing through their platform.

  • Must process only per the controller's documented instructions
  • Requires a signed DPA before processing begins
  • Sub-processors need their own downstream agreements
Customer (data controller)
Data processor (you), under DPA
Sub-processors, listed & agreed
How We Work

From data mapping to a defensible privacy program.

We build a documented, defensible GDPR posture before it becomes a blocker in EU sales conversations.

01

Data Mapping

We identify what EU personal data you collect, where it's stored, and every place it flows to — including sub-processors.

02

Lawful Basis Assessment

Every processing activity gets matched to one of the six lawful bases, documented and defensible under review.

03

DPA & Privacy Notice Drafting

Data Processing Agreement and privacy notice language are built to reflect how you actually handle data, not a generic template.

04

DPO & EU Representative Review

We determine whether your processing volume formally requires a Data Protection Officer or an EU representative.

05

Cross-Border Transfer Mechanism

Standard Contractual Clauses or another approved mechanism are put in place for any data leaving the EU.

06

Breach Response & Ongoing Review

A tested breach notification process meets the 72-hour deadline, with the program reviewed as your data flows change.

Why B4Q

A privacy program your EU customers' legal teams accept.

Built to answer real diligence questions, not just check a compliance box internally.

Role-Correct Scoping

We confirm controller vs. processor status per data type before drafting anything.

Real Data Mapping

We trace actual data flows, including sub-processors, instead of assuming a generic architecture.

Cross-Border Transfer Ready

Standard Contractual Clauses and transfer documentation built for how data actually moves.

72-Hour Breach Readiness

A tested notification process built before you're racing a regulatory clock.

50+ Businesses Served

Across SaaS, fintech, and services companies expanding into EU markets.

Kept Current as You Grow

We revisit the program as new data types, vendors, or markets get added.

In Practice

How this plays out for a growing US SaaS company.

This scenario is illustrative, based on patterns we see across engagements — not a specific named client. See verified client case studies →
Scenario · GDPR

GDPR for a US SaaS Expanding to Europe

The situation

A US SaaS company starts picking up EU customers organically and realizes it's processing EU resident data without a documented legal basis, a Data Processing Agreement template, or a clear answer for "where is our data stored."

How B4Q approaches it

We map data flows, identify the applicable legal bases for processing, build the DPA and privacy notice language, and flag where a Data Protection Officer or EU representative may be formally required.

A documented, defensible GDPR posture in place proactively, rather than in reaction to a customer's legal team flagging the gap.

4%
Maximum GDPR fine as a share of global annual turnover — or €20M, whichever is greater.
SOURCE: GDPR ARTICLE 83
Questions

GDPR, answered.

Does GDPR apply to us if we're a US company?
Yes, if you process personal data belonging to people in the EU — GDPR applies based on whose data you handle, not where your company is incorporated.
What's the difference between a DPA and a privacy notice?
A Data Processing Agreement governs the relationship between a controller and processor — what the processor can and can't do with the data. A privacy notice is public-facing, telling data subjects how their data is used.
Do we need a Data Protection Officer?
A DPO is formally required for public authorities, or companies whose core activities involve large-scale monitoring or processing of sensitive data categories. We assess your processing volume and activities to determine whether this applies.
How do we legally transfer data out of the EU?
Cross-border transfers need an approved mechanism — most commonly Standard Contractual Clauses (SCCs) — documented for every transfer path, including any sub-processors outside the EU.
How is GDPR different from CCPA?
GDPR requires a documented lawful basis before processing begins, while CCPA is primarily opt-out based, centered on a consumer's right to know, delete, and stop the sale of their data. Companies operating in both the EU and California often need overlapping but distinct programs.

Ready to make EU expansion diligence-proof?

Book a free strategy call and we'll map your data flows and GDPR readiness gaps.

<