4 of the most common mistakes made about GDPR by US companies

September 29, 2020

1- ASSUMING THAT SMALL VOLUMES OF EU DATA DON’T FALL UNDER THE GDPR

Many US companies don’t realise how much data they are collecting on EU individuals, particularly in the case of visitors to websites.

US companies often claim that they only have a website and that no EU personal data is ever collected through the website. But upon closer inspection, any visitor who lands on your website is already being tracked if you use analytics software such as Google Analytics.

Google Analytics or similar technologies collect IP addresses from the moment a visitor lands on your page. Not only that, a wealth of information is collected about that visitor’s browser, location and even online behaviours – all considered to be personal data under the GDPR if the information can be identified or be linked to an identifiable natural person.

Because of such a systematic collection of personal data, a US company cannot argue that the volumes of personal data collected are small, nor can it argue that the collection of personal data is occasional.

2- CONFUSING THE DPO WITH THE DATA PROTECTION REPRESENTATIVE

Companies that have to appoint a Data Protection Officer (DPO) may choose at their discretion whether to appoint someone within their company or to outsource the DPO function. However, what is not commonly known, and thus most often completely missed by non-EU companies, is the obligation to appoint a Data Protection Representative. They’re not the same!

Non-EU companies that fall under the GDPR must appoint an EU Representative* in an EU Member State to act as their point of contact for European data subject requests and inquiries from the EU supervisory authorities.

*Unless the limited exceptions of Article 27(2) apply.

3- OVERLOOKING THE GDPR’S FORGOTTEN OBLIGATION

Although the GDPR has extra-territorial scope, not much attention has been given to how the GDPR should be practically implemented by non-EU companies.

If you haven’t heard about the obligation for non-EU companies to appoint a GDPR EU Representative, it’s probably because almost everything that’s been written or discussed around the GDPR has been European-focused. European companies don’t have to appoint an EU Representative because Article 27 of the GDPR only applies to companies outside the EU.

Since everything has been written from a European perspective, including guidance issued by the EU’s data protection authorities, the obligation to appoint a GDPR EU Representative is simply overlooked.

4- BELIEVING THAT THE GDPR DOES NOT APPLY TO B2B BUSINESS

If you’re processing personal data that enables you to identify an individual in the EU either directly or indirectly, you’ll fall within the scope of the GDPR. So even if you’re only processing names, professional e-mails, professional phone numbers or IP addresses, you must be compliant with the GDPR.

You will only fall outside the scope of the GDPR if the data that you’re processing clearly – and only – relates to a business (for example the company name, the business address or general e-mail addresses such as “info@” and “support@”).

COMMON MISTAKES

There’s a lot of information out there about what the GDPR is and how it operates.

Unfortunately, a lot of it is not correct. Mistakes about the GDPR still persist, and now that the Privacy Shield has been invalidated by the CJEU, there is even more confusion.

These mistakes and uncertainties can put many US companies in a situation where they could be facing fines of up to 4% of global turnover or 20 million euros.

EDPO enables US companies to continue to have access to the EU market by correcting these mistakes.
