4 of the most common mistakes made about the GDPR

These mistakes can expose many US companies to fines of up to 4% of global turnover or 20 million euros.
EDPO enables US companies to continue to have access to the EU market by correcting these mistakes.
1 THINKING THAT THE PRIVACY SHIELD IS ENOUGH
Self-certification under the Privacy Shield only checks off one requirement of the GDPR.
The EU-US Privacy Shield provides the legal mechanism for the transfer of data outside of the EU to the US, but it is not the same as being GDPR compliant.
The Privacy Shield is actually a very specific response to one part of complying with the GDPR and it doesn’t address the other requirements. In fact, the Privacy Shield only answers Articles 44-50, mostly neglecting the other 94 Articles of the GDPR.
So while your company is certified to receive data from the EU, the Privacy Shield does not make it OK for you to offer products and/or services to individuals in the EU and to monitor their behaviour.
2 ASSUMING THAT SMALL VOLUMES OF EU DATA DON’T FALL UNDER THE GDPR
US companies don’t realise how much data they are collecting on EU individuals, particularly in the case of visitors to websites.
Our clients often claim that they only have a website and that no personal data is ever collected through the website. But upon closer inspection, any visitor that lands on your website is already being tracked if you use analytics software such as Google Analytics.
Google Analytics or similar technologies collect IP addresses from the moment a visitor lands on your page. Not only that, a wealth of information is collected about that visitor’s browser, location and even online behaviours – all considered to be personal data under the GDPR as the information can identify or be linked to an identifiable natural person.
Because of such a systematic collection of personal data, a US company cannot argue that volumes of personal data collected are small, nor can it argue that the collection of personal data is occasional.
3 CONFUSING THE DPO WITH THE DPR (REPRESENTATIVE)
Companies that have to appoint a Data Protection Officer (DPO) may choose at their discretion whether to appoint someone within their company or to outsource the DPO function. However, what is not commonly known, and thus most often completely missed by non-EU companies, is the obligation to appoint a Representative as per Article 27 of the GDPR. A DPO is not the same as a Representative. The European Data Protection Board (EDPB) made clear in its Guidelines 3/2018 that the roles of DPO and Representative are incompatible.
Non-EU companies that fall under the scope of the GDPR must appoint a Representative* in an EU Member State so that the EU supervisory authorities can easily communicate with them. The EU-based Representative also handles European data subject requests.
*Unless the limited exceptions of Article 27 (2) apply.
4 OVERLOOKING THE GDPR’S FORGOTTEN OBLIGATION
Although the GDPR has extra-territorial scope, not much attention has been given to how the GDPR will be practically implemented by non-EU companies.
If you haven’t heard about it, it’s probably because everything that’s been written or discussed around the GDPR has been European-focused. European companies don’t have to appoint a Representative because Article 27 of the GDPR only applies to companies outside of the EU.
Since everything has been written from a European perspective, including guidance issued by the Information Commissioner’s Office, the obligation to appoint a Representative is simply overlooked.
Is your US-based company overlooking this obligation too?
Contact
Contact us via e-mail: info@edpo.com
The General Data Protection Regulation (GDPR) continues to apply to many US companies in 2025, even if they do not have a physical presence in the European Union. Despite years of guidance and enforcement, the same misunderstandings keep reappearing. Here are five of the most common GDPR mistakes US companies make — and how to avoid them.
Mistake 1 – Confusing the Data Protection Officer (DPO) with the EU GDPR Representative
An EU GDPR Representative is a local contact point for data protection authorities and individuals in the EU. Non-EU companies that are subject to the GDPR must appoint a representative to ensure smooth communication and compliance.
A Data Protection Officer (DPO) is responsible for overseeing a company’s internal data protection strategy and ensuring compliance with the GDPR. The DPO monitors data processing, conducts audits, and trains staff.
The DPO works inside the organisation, while the GDPR Representative is based in the EU and acts as an external contact point. Many US companies confuse the two roles, but under the GDPR, they are separate obligations and sometimes both are required.
Mistake 2 – Misunderstanding the extraterritorial scope of the GDPR
The GDPR applies to non-EU companies if they offer goods or services to individuals in the EU or monitor their behaviour online. This applies regardless of where the company is located.
Selling products to EU customers, operating an EU-facing website in EU languages, accepting payments in euros, or tracking EU visitors with cookies or analytics tools can all trigger GDPR obligations.
Mistake 3 – Incorrectly relying on the Privacy Shield (now EU-US Data Privacy Framework)
The Privacy Shield was an agreement that allowed certified US companies to transfer personal data from the EU to the US. In 2020, it was invalidated by the Court of Justice of the European Union in the Schrems II decision.
In 2023, the EU-US Data Privacy Framework (DPF) replaced the Privacy Shield. While participation in the DPF can help facilitate transatlantic data transfers, it does not exempt companies from GDPR compliance.
US companies must ensure that data transfers are lawful under the GDPR. This may involve joining the DPF, using Standard Contractual Clauses (SCCs), or implementing other approved safeguards.
Mistake 4 – Incomplete or unclear privacy policies
The GDPR requires privacy policies to be clear, accessible and transparent. They must explain what personal data is collected, how it is used, the legal basis for processing, and the rights of data subjects.
Many US companies omit details such as data retention periods, contact information for the EU Representative, or instructions on how to exercise data subject rights.
Mistake 5 – Underestimating GDPR fines and enforcement
Data protection authorities have issued fines to companies of all sizes, including non-EU businesses. In 2025, penalties for non-compliance remain high — up to €20 million or 4% of annual global turnover, whichever is higher.
Regular compliance reviews, Data Protection Impact Assessments (DPIAs), staff training, and appointing an EU GDPR Representative can help mitigate these risks.
How EDPO can help your business stay GDPR compliant
EDPO acts as your official EU GDPR Representative, ensuring compliance with Article 27 of the GDPR and facilitating communication with EU authorities.
For companies targeting the UK market, EDPO also offers UK GDPR Representative services to ensure compliance with the UK’s data protection regime.

