ISO 27001: Security You Can Rely On
At EDPO, we provide representative services under Article 27 of the GDPR and other digital regulations. To support this role, and to ensure the highest standards of security and accountability, EDPO is certified under ISO 27001:2022, the international standard for information security management systems.
Why ISO 27001 matters for our clients
ISO 27001 certification demonstrates that EDPO has implemented a structured, risk-based approach to information security. This means that the personal data entrusted to us is protected through robust controls, documented processes, and continuous oversight.
For our clients, this translates into confidence that their representative operates in line with internationally recognised security and governance standards.
How ISO 27001 strengthens our GDPR representative services
Information security and risk management
We implement strong technical and organisational measures, including access controls, encryption, monitoring, and regular risk assessments. This allows us to identify potential threats early and mitigate risks before they materialise.
Legal and regulatory compliance
ISO 27001 supports our compliance with GDPR and other data protection laws by embedding accountability, documentation, and review mechanisms into our daily operations. We continuously monitor regulatory developments and adapt our processes accordingly.
Operational resilience and continuity
We maintain tested business continuity, backup, and recovery procedures to preserve the confidentiality, integrity and availability of personal data, even in the event of incidents or disruptions.
People and supplier governance
We conduct regular staff training and supplier assessments on data protection and information security. We also apply strict supplier management processes to ensure that the third parties we work with handle our and our clients’ data in accordance with the required security standards.
Trust, accountability, and continuous improvement
EDPO undergoes regular internal audits as well as external audits by an accredited certification body. Through management reviews and continuous improvement processes, we ensure our controls remain effective and aligned with best practices.
What this means in practice
ISO 27001 certification provides our clients with tangible assurances that:
- Their personal data is handled securely
- Risks are actively managed and documented
- Incidents are addressed through clear response procedures
- Our representative services are backed by audited security controls
This external recognition reinforces EDPO’s role as a trusted and reliable partner for our clients’ representative needs.
Is ISO 27001 certification required under GDPR?
No. ISO 27001 certification is not a legal requirement under the GDPR.
However, EDPO’s ISO 27001:2022 certification reflects our commitment to high standards of information security, risk management, and accountability. It closely aligns with GDPR principles and provides additional assurance that personal data is handled in a professional and secure manner.
The General Data Protection Regulation (GDPR) continues to apply to many US companies in 2025, even if they do not have a physical presence in the European Union. Despite years of guidance and enforcement, the same misunderstandings keep reappearing. Here are five of the most common GDPR mistakes US companies make — and how to avoid them.
Mistake 1 – Confusing the Data Protection Officer (DPO) with the EU GDPR Representative
An EU GDPR Representative is a local contact point for data protection authorities and individuals in the EU. Non-EU companies that are subject to the GDPR must, with limited exceptions, appoint a representative under Article 27 to ensure smooth communication and compliance.
A Data Protection Officer (DPO) is responsible for overseeing a company’s internal data protection strategy and ensuring compliance with the GDPR. The DPO monitors data processing, conducts audits, and trains staff.
The DPO works inside the organisation, while the GDPR Representative is based in the EU and acts as an external contact point. Many US companies confuse the two roles, but under the GDPR, they are separate obligations and sometimes both are required.
Mistake 2 – Misunderstanding the extraterritorial scope of the GDPR
The GDPR applies to non-EU companies if they offer goods or services to individuals in the EU or monitor their behaviour online. This applies regardless of where the company is located.
Selling products to EU customers, operating an EU-facing website in EU languages, accepting payments in euros, or tracking EU visitors with cookies or analytics tools can all trigger GDPR obligations.
Mistake 3 – Incorrectly relying on the Privacy Shield (now EU-US Data Privacy Framework)
The Privacy Shield was a framework under which transfers of personal data from the EU to certified US companies were treated as adequately protected. In 2020, it was invalidated by the Court of Justice of the European Union in the Schrems II decision.
In 2023, the EU-US Data Privacy Framework (DPF) replaced the Privacy Shield. While participation in the DPF can help facilitate transatlantic data transfers, it does not exempt companies from GDPR compliance.
US companies must ensure that data transfers are lawful under the GDPR. This may involve joining the DPF, using Standard Contractual Clauses (SCCs), or implementing other approved safeguards.
Mistake 4 – Incomplete or unclear privacy policies
The GDPR requires privacy policies to be clear, accessible and transparent. They must explain what personal data is collected, how it is used, the legal basis for processing, and the rights of data subjects.
Many US companies omit details such as data retention periods, contact information for the EU Representative, or instructions on how to exercise data subject rights.
Mistake 5 – Underestimating GDPR fines and enforcement
Data protection authorities have issued fines to companies of all sizes, including non-EU businesses. In 2025, penalties for non-compliance remain high — up to €20 million or 4% of annual global turnover, whichever is higher.
Regular compliance reviews, Data Protection Impact Assessments (DPIAs), staff training, and appointing an EU GDPR Representative can help mitigate these risks.
How EDPO can help your business stay GDPR compliant
EDPO acts as your official EU GDPR Representative, ensuring compliance with Article 27 of the GDPR and facilitating communication with EU authorities.
For companies targeting the UK market, EDPO also offers UK GDPR Representative services to ensure compliance with the UK’s data protection regime.