GDPR Compliance for Non-EU Businesses: What Pakistani, UK, and US Companies Must Know
The General Data Protection Regulation, commonly known as the GDPR, came into force across the European Union on 25 May 2018. In the years since, it has fundamentally changed how personal data is collected, processed, and transferred around the world. But the GDPR is not just a European regulation. Its extraterritorial reach means that businesses in Pakistan, the United Kingdom, the United States, and every other non-EU country may fall within its scope if they process the personal data of individuals located in the EU. For the many Pakistani IT companies providing outsourced services to European clients, for UK businesses that retained GDPR-equivalent obligations under the UK Data Protection Act 2018, and for US e-commerce companies selling to EU consumers, understanding and complying with the GDPR is not optional.
This article explains when the GDPR applies to businesses outside the EU, what those businesses must do to comply, and how to structure cross-border data transfers lawfully.
When Does the GDPR Apply to Non-EU Businesses?
Article 3 of the GDPR defines its territorial scope. The Regulation applies to the processing of personal data by a controller or processor established in the EU, regardless of whether the processing takes place within the EU. This is the "establishment" criterion. But Article 3(2) extends the GDPR beyond EU borders. It provides that the Regulation also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities relate to the offering of goods or services to those data subjects (whether or not payment is required) or the monitoring of their behaviour insofar as their behaviour takes place within the EU.
The practical implications are significant. A software company in Islamabad that builds a web application used by customers in Germany is likely subject to the GDPR if it collects personal data from those users. An e-commerce business in Wisconsin that ships products to French consumers and collects their names, addresses, and payment details is similarly caught. A data analytics firm in London that tracks the browsing behaviour of users across EU websites falls within the "monitoring" limb. The test is not where the business is located, but where the data subjects are and what the business does with their data.
The UK Position After Brexit
The United Kingdom left the European Union on 31 January 2020, and the GDPR ceased to apply directly in the UK at the end of the transition period on 31 December 2020. However, the UK government incorporated the GDPR into domestic law as the "UK GDPR" through the European Union (Withdrawal) Act 2018, and it operates alongside the Data Protection Act 2018. The UK GDPR is substantively identical to the EU GDPR, with minor adjustments to reflect the UK's status as a non-EU state.
For businesses, this means that if you process the personal data of individuals in both the UK and the EU, you must comply with both the UK GDPR (supervised by the UK Information Commissioner's Office) and the EU GDPR (supervised by the relevant national data protection authority in the EU member state concerned). In October 2025, the European Data Protection Board adopted Opinion 2025/26 on the European Commission's proposal to extend the UK's adequacy decision until 2031, concluding that the UK continues to maintain a data protection regime that is "essentially equivalent" to the GDPR. This adequacy decision allows the free flow of personal data from the EU to the UK without the need for additional safeguards such as Standard Contractual Clauses.
Core Obligations for Non-EU Businesses
A non-EU business that falls within the scope of the GDPR must comply with essentially the same obligations as an EU-based business. These obligations include the following. First, there must be a lawful basis for every processing activity. The GDPR provides six lawful bases under Article 6: consent, contractual necessity, legal obligation, vital interests, public interest, and legitimate interests. Most non-EU businesses will rely on consent or legitimate interests for marketing activities and on contractual necessity for processing that is required to fulfil an order or provide a service.
Second, the business must provide clear and transparent information to data subjects about what data is collected, why it is collected, how long it will be retained, and with whom it will be shared. This is typically done through a privacy notice or privacy policy published on the business's website. The notice must be written in plain, intelligible language and must be easily accessible.
Third, data subjects have a series of rights that the business must be prepared to honour. These include the right of access (to obtain a copy of their personal data), the right to rectification (to correct inaccurate data), the right to erasure (the "right to be forgotten"), the right to restrict processing, the right to data portability, and the right to object to processing based on legitimate interests or for direct marketing purposes. The business must have systems in place to receive and respond to these requests within one month.
Fourth, the business must implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. What constitutes "appropriate" measures depends on the nature, scope, and sensitivity of the data, but at a minimum, it should include encryption of data in transit and at rest, access controls, regular security testing, and staff training.
Appointing an EU Representative
Article 27 of the GDPR requires that a controller or processor not established in the EU, but subject to the GDPR under Article 3(2), must designate a representative in the EU. The representative must be established in one of the EU member states where the data subjects whose personal data is processed are located. The representative acts as a point of contact for data protection authorities and data subjects and must be able to respond to enquiries and cooperate with supervisory authorities on the controller's behalf.
There are limited exceptions to this requirement, including where the processing is occasional, does not include large-scale processing of special categories of data, and is unlikely to result in a risk to the rights and freedoms of individuals. However, these exceptions are narrow, and most businesses that process EU personal data on a regular basis will need to appoint a representative. Failure to do so is itself a breach of the GDPR.
Cross-Border Data Transfers: Getting Data Out of the EU Lawfully
One of the most practical challenges for non-EU businesses is the restriction on transferring personal data out of the European Economic Area. Chapter V of the GDPR (Articles 44 to 50) provides that personal data may only be transferred to a third country if the European Commission has determined that the country provides an adequate level of data protection, or if appropriate safeguards are in place.
Pakistan does not have an adequacy decision from the European Commission. Neither does the United States, although a specific framework, the EU-US Data Privacy Framework, was adopted in July 2023 to facilitate transfers to certified US organisations. For Pakistani businesses, the primary mechanism for lawful data transfers from the EU is Standard Contractual Clauses (SCCs). These are pre-approved contractual terms, issued by the European Commission, that the data exporter in the EU and the data importer outside the EU must sign and adhere to. The current version of the SCCs, adopted in June 2021, is modular, covering four scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller transfers.
In addition to signing SCCs, the data importer must conduct a Transfer Impact Assessment (TIA) to evaluate whether the laws and practices of the destination country could undermine the protections provided by the SCCs. If the assessment reveals that local laws (such as government surveillance powers) could compromise the data, supplementary measures must be implemented. These may include additional encryption, pseudonymisation, or contractual commitments not to comply with government data access requests that exceed what is permitted under EU law.
Penalties for Non-Compliance
The GDPR's enforcement regime is its most attention-grabbing feature. Under Article 83, supervisory authorities can impose fines of up to 20 million euros or 4% of the undertaking's total worldwide annual turnover, whichever is greater. These are maximum figures, and the actual fine imposed will depend on factors such as the nature and gravity of the infringement, the number of data subjects affected, the degree of cooperation with the supervisory authority, and whether the business took steps to mitigate the damage.
EU data protection authorities have not been reluctant to exercise these powers against non-EU companies. Major technology companies headquartered in the United States have faced some of the largest fines in GDPR history. For smaller businesses, the risk is proportionally lower in absolute terms, but a fine of even a few hundred thousand euros can be devastating. Beyond fines, non-compliance can result in orders to cease processing, reputational damage, and the loss of business from EU clients who are themselves required to ensure that their processors and sub-processors comply with the GDPR.
Practical Steps for Pakistani Businesses
For the many Pakistani IT firms, business process outsourcing companies, and e-commerce businesses that serve EU clients or customers, GDPR compliance should be treated as a business-critical function, not a back-office formality. The following steps provide a practical starting point.
- Map all personal data flows to identify what EU personal data you collect, why you collect it, and where it is stored.
- Review and update your privacy notice to ensure it meets the transparency requirements of Articles 13 and 14.
- Identify your lawful basis for each processing activity and document it.
- Implement data subject rights procedures so that you can respond to access, erasure, and other requests within the statutory timeframe.
- Sign Standard Contractual Clauses with your EU clients or data exporters and conduct a Transfer Impact Assessment.
- Appoint an EU representative if required under Article 27.
- Train your staff on data protection principles and the specific requirements of the GDPR.
- Finally, establish an incident response plan for personal data breaches, as the GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach.
Conclusion
The GDPR's reach extends well beyond the borders of Europe. Any business that offers goods or services to individuals in the EU, or that monitors the behaviour of EU-based users, is potentially subject to its requirements. For businesses in Pakistan, the UK, and the US, compliance is not merely a matter of legal risk. It is increasingly a commercial necessity. EU clients and partners expect their service providers to meet GDPR standards, and the ability to demonstrate compliance can be a significant competitive advantage in the global services market. The cost of compliance is manageable, particularly when weighed against the cost of a fine, a lost contract, or a data breach that could have been prevented.