IAPP Intensives – France & UK – March 2022

IAPP Intensive France – 17 & 18 March 2022
EDPO attended the IAPP Intensive in Paris (17 March). Here are the main insights from this first day of conferences:
🔐 International data transfer remains the hot privacy topic. There still doesn’t seem to be any solution at the moment. This issue should be handled at the political level…which could take quite some time.
🔐 Metrics can be very useful to assess your compliance and convince your boss and the board to focus on data protection. Key words: cost & time.
🔐 Privacy regulations are popping up all around the world. Some are very similar to (and inspired by) the GDPR. So being GDPR compliant is a great baseline but let’s not forget that the right to privacy isn’t a fundamental right in every country.
🔐 Privacy by design and operational efficiency: Data Protection Impact Assessments (DPIAs) are the most challenging part of building privacy into technology.
🔐 Nothing is impossible in terms of GDPR compliance – it’s just a question of cost.
🔐 Perform cookie audits at least once a year to make sure that the cookies and trackers your site actually sets match what your cookie banner and policy declare.
Some of the key discussions and funniest outtakes from the second day of the IAPP Intensive in Paris (18 March):
🔐 The European Data Protection Board announced the creation of a GDPR compliance tool for SMEs and upcoming guidelines on fines.
🔐 The number of sanctions and fines is through the roof, and authorities are only going to pick up the pace.
🔐 The question is not “are you going to have a breach” but rather “when is it going to happen?”!
🔐 A few funny DPO stories:
– data subject asking to remove personal data so that their partner doesn’t find out what they’re up to
– which song best fits the DPO’s role? “I Will Survive” or “Compliance” by Muse
– don’t be surprised if your kids don’t want to provide their personal data to anybody: you “privacy-by-designed” them!
IAPP Intensive UK – 23 & 24 March 2022
EDPO attended the IAPP Data Protection Intensive in London on 23 March and 24 March and it was a success! Here are some insights from the conferences:
🔐 Online advertising is in the spotlight. Multiple businesses play in the chain of services or products and all of them need to be compliant. Some want to pull back and reduce the number of players having access to data. Does that mean going back to the 1980s? Others say that we have to move forward and think differently, bringing data closer to the user and keeping it safer without removing any parties from the game.
🔐 The responsibility is always on the individual to give consent – or not – with very complex privacy policies to read through. We need to take a different approach: fairness should be guaranteed by the company. The user should have the ability to make choices, not feel obliged to give consent.
🔐 We need to stop thinking about data as a thing to manage through tech, an asset to leverage or a risk to manage. Is it data protection or data protectionism? Data is a powerful economic tool. Data serves the economy, the society, and businesses. Data protection shouldn’t be a barrier to anything.
🔐 SCCs are all the same and don’t work. Nobody reads or audits them. Why not take a proactive approach? “Privacy in practice rather than privacy on paper”.
🔐 Is the GDPR the gold standard? Many countries don’t have the same rights and privacy regulations – e.g., African countries and China don’t have legitimate interest as a legal basis. The GDPR has a dominant approach, but the ultimate goal is to draw approaches together and not just stick to the most influential one. After all, they’re seeking the same outcome.
🔐 The UK is looking to develop a unified framework. Supporting businesses and protecting the rights of individuals is not incompatible! Transparency is the key.
🔐 Can the UK make meaningful changes on data protection and still have the adequacy decision from the EU? Yes. The point is to not travel in different directions but to make sure that the framework is well-thought and adapted to the reality of society.
The General Data Protection Regulation (GDPR) continues to apply to many US companies in 2025, even if they do not have a physical presence in the European Union. Despite years of guidance and enforcement, the same misunderstandings keep reappearing. Here are five of the most common GDPR mistakes US companies make — and how to avoid them.
Mistake 1 – Confusing the Data Protection Officer (DPO) with the EU GDPR Representative
An EU GDPR Representative is a local contact point in the EU for data protection authorities and data subjects. Non-EU companies that fall under the GDPR through Article 3(2) must appoint one under Article 27 to ensure smooth communication and compliance, unless an Article 27(2) exemption applies (occasional, low-risk processing that does not involve large-scale processing of special categories of data or criminal-offence data, or processing by a public authority).
A Data Protection Officer (DPO) is responsible for overseeing a company’s internal data protection strategy and ensuring compliance with the GDPR. The DPO monitors data processing, conducts audits, and trains staff.
The DPO works inside the organisation, while the GDPR Representative is based in the EU and acts as an external contact point. Many US companies confuse the two roles, but under the GDPR, they are separate obligations and sometimes both are required.
Mistake 2 – Misunderstanding the extraterritorial scope of the GDPR
The GDPR applies to non-EU companies if they offer goods or services to individuals in the EU or monitor their behaviour online. This applies regardless of where the company is located.
Selling products to EU customers, operating an EU-facing website in EU languages, accepting payments in euros, or tracking EU visitors with cookies or analytics tools can all trigger GDPR obligations.
Mistake 3 – Incorrectly relying on the Privacy Shield (now EU-US Data Privacy Framework)
The Privacy Shield was an agreement that allowed certified US companies to transfer personal data from the EU to the US. In 2020, it was invalidated by the Court of Justice of the European Union in the Schrems II decision.
In 2023, the EU-US Data Privacy Framework (DPF) replaced the Privacy Shield. While participation in the DPF can help facilitate transatlantic data transfers, it does not exempt companies from GDPR compliance.
US companies must ensure that data transfers are lawful under Chapter V of the GDPR. This may involve joining the DPF, using Standard Contractual Clauses (SCCs), or relying on other approved safeguards such as Binding Corporate Rules. Note that SCCs alone are not enough: since Schrems II, the exporter must also assess whether the law of the destination country undermines the clauses and add supplementary measures where needed.
Mistake 4 – Incomplete or unclear privacy policies
The GDPR requires privacy policies to be clear, accessible and transparent. They must explain what personal data is collected, how it is used, the legal basis for processing, and the rights of data subjects.
Many US companies omit details such as data retention periods, contact information for the EU Representative, or instructions on how to exercise data subject rights.
Mistake 5 – Underestimating GDPR fines and enforcement
Data protection authorities have issued fines to companies of all sizes, including non-EU businesses. In 2025, penalties for non-compliance remain high — up to €20 million or 4% of annual global turnover, whichever is higher.
Regular compliance reviews, Data Protection Impact Assessments (DPIAs), staff training, and appointing an EU GDPR Representative can help mitigate these risks.
How EDPO can help your business stay GDPR compliant
EDPO acts as your official EU GDPR Representative, ensuring compliance with Article 27 of the GDPR and facilitating communication with EU authorities.
For companies targeting the UK market, EDPO also offers UK GDPR Representative services to ensure compliance with the UK’s data protection regime.

