What US companies should know about Brexit and the Data Protection Representative

Brexit And The GDPR: Does Your US Business Need Two Data Protection Representatives?
Since January 1, 2021, the UK is no longer a Member State of the European Union (EU) and is considered a third country to the EU. The UK now applies the “UK GDPR”, an almost identical version of the EU GDPR. The rights, principles and obligations mostly stay the same. US companies that were doing business with the EU before Brexit now have to look at the UK through a different lens. One of the main post-Brexit GDPR questions concerns the data protection representative. Do you have to appoint one? Do you maybe even have to appoint two?
It Depends On Where You Do Business
I do business with the EU/EEA only
If you only do business with the EU or the European Economic Area (EEA) and not with the UK, you should not be concerned by Brexit. However, even if you are based in the US, you must appoint an EU GDPR Representative if:
- you don’t have an establishment in the EU/EEA
- you offer products or services to individuals who are in the EU or monitor the behaviour of individuals in the EU (such as tracking or profiling)
If you haven’t appointed a GDPR EU representative and you’re not sure if you have to appoint one, take our free assessment test to find out!
I do business with the UK only
If you only do business with the UK and not with the EU or EEA, you must appoint a UK GDPR Representative if:
- you don’t have an establishment in the UK
- you offer products or services to individuals who are in the UK or you monitor the behaviour of such individuals
I do business with both the UK and the EU/EEA
If you do business with the UK and the EU/EEA, both the EU and UK GDPR apply to your business. You must therefore appoint both an EU GDPR representative and a UK GDPR representative if you are based in the US and if:
- you don’t have an establishment in the EU/EEA or in the UK
- you offer products or services to individuals who are in the EU/EEA and the UK or you monitor the behaviour of such individuals
If you already had an EU representative prior to January 1, 2021, and the representative was located in the UK, you will now have to appoint a representative in the EU/EEA.
Can you benefit from the exceptions?
You don’t have to appoint an EU and/or a UK representative if:
- You have an establishment in the EU (regarding the EU representative obligation) or in the UK (regarding the UK representative obligation);
- You are a public authority; or
- You process personal data only occasionally, you don’t process sensitive personal data on a large scale, and your processing activities are not likely to affect the rights and freedoms of individuals in the EU/UK.
EDPO can act as your EU/EEA GDPR representative AND as your UK GDPR representative.
If you appoint EDPO as both your EU/EEA and UK Data Protection Representative, you will get a 20% discount on the EU Representative price.
Want to know more? Contact us for a free assessment.
EDPO participated in the Belgian Economic Mission to the United States in Atlanta, New York and Boston (6 to 11 June):
After a successful economic mission in London last month, EDPO participated in the Belgian Economic Mission to the US last week. It was another great opportunity to raise awareness of the GDPR’s forgotten obligation to appoint a Data Protection Representative. We attended events in memorable locations in Atlanta, New York and Boston, including an insightful seminar on data governance held at the Massachusetts Institute of Technology (MIT). New windows are opening for data and privacy. “What is my data going to do for me today?” will be the next big question to ask. The line between impersonal and personal data is blurring, and privacy actors will need to reinvent their job every day.
The sectors of life sciences, fintech, regtech, AI, and many more were also on the pedestal during the week. Our founder Jane Murphy was given the opportunity to tell EDPO’s story during the New York FEB Luncheon in the presence of Her Royal Highness Princess Astrid of Belgium, which included discussions on the future of transatlantic data transfers. We also discussed female entrepreneurship at two events in Atlanta and New York and met with fabulous leaders such as Dr Ilham Kadri (Solvay).
An intense week that will no doubt trigger more collaboration between Belgium and the USA in the years to come!
Thank you hub.brussels and all organisers who made this mission a great success!
5 GDPR mistakes US companies make in 2025 – and how to avoid them
The General Data Protection Regulation (GDPR) continues to apply to many US companies in 2025, even if they do not have a physical presence in the European Union. Despite years of guidance and enforcement, the same misunderstandings keep reappearing. Here are five of the most common GDPR mistakes US companies make — and how to avoid them.
Mistake 1 – Confusing the Data Protection Officer (DPO) with the EU GDPR Representative
An EU GDPR Representative is a local contact point for data protection authorities and individuals in the EU. Non-EU companies that are subject to the GDPR must appoint a representative to ensure smooth communication and compliance.
A Data Protection Officer (DPO) is responsible for overseeing a company’s internal data protection strategy and ensuring compliance with the GDPR. The DPO monitors data processing, conducts audits, and trains staff.
The DPO works inside the organisation, while the GDPR Representative is based in the EU and acts as an external contact point. Many US companies confuse the two roles, but under the GDPR, they are separate obligations and sometimes both are required.
Mistake 2 – Misunderstanding the extraterritorial scope of the GDPR
The GDPR applies to non-EU companies if they offer goods or services to individuals in the EU or monitor their behaviour online. This applies regardless of where the company is located.
Selling products to EU customers, operating an EU-facing website in EU languages, accepting payments in euros, or tracking EU visitors with cookies or analytics tools can all trigger GDPR obligations.
Mistake 3 – Incorrectly relying on the Privacy Shield (now EU-US Data Privacy Framework)
The Privacy Shield was an agreement that allowed certified US companies to transfer personal data from the EU to the US. In 2020, it was invalidated by the Court of Justice of the European Union in the Schrems II decision.
In 2023, the EU-US Data Privacy Framework (DPF) replaced the Privacy Shield. While participation in the DPF can help facilitate transatlantic data transfers, it does not exempt companies from GDPR compliance.
US companies must ensure that data transfers are lawful under the GDPR. This may involve joining the DPF, using Standard Contractual Clauses (SCCs), or implementing other approved safeguards.
Mistake 4 – Incomplete or unclear privacy policies
The GDPR requires privacy policies to be clear, accessible and transparent. They must explain what personal data is collected, how it is used, the legal basis for processing, and the rights of data subjects.
Many US companies omit details such as data retention periods, contact information for the EU Representative, or instructions on how to exercise data subject rights.
Mistake 5 – Underestimating GDPR fines and enforcement
Data protection authorities have issued fines to companies of all sizes, including non-EU businesses. In 2025, penalties for non-compliance remain high — up to €20 million or 4% of annual global turnover, whichever is higher.
Regular compliance reviews, Data Protection Impact Assessments (DPIAs), staff training, and appointing an EU GDPR Representative can help mitigate risks.
How EDPO can help your business stay GDPR compliant
EDPO acts as your official EU GDPR Representative, ensuring compliance with Article 27 of the GDPR and facilitating communication with EU authorities.
For companies targeting the UK market, EDPO also offers UK GDPR Representative services to ensure compliance with the UK’s data protection regime.

