The impacts of Europe’s GDPR on US companies

By Robert Cattanach

Here are four key misconceptions surrounding the impact of the newly implemented GDPR regulations in Europe on US companies:

1) “If I don’t have operations in Europe, it doesn’t apply.”

Wrong. Any US company offering goods or service to EU residents - i.e. anyone with a website - is likely required to comply.

2) “If I am covered by the GDPR I have to appoint a Data Protection Officer (DPO) in the EU.” 

Wrong.  A US company’s obligation to appoint a DPO, or even a designated representative, is a complex and highly fact-dependent analysis.

See also:

3) “If I am not covered by GDPR I don’t have to update my Privacy Policy.”

Wrong. A lot has happened in the US since companies started adopting boilerplate Privacy Policies without really understanding what they were committing to do, and not to do.  Regardless of whether you are covered by GDPR, basic principles of good information governance mandate a careful look at your privacy policy and terms of use on your website.  The biggest risk: overstating who you share your data with.  Virtually all websites employ third-party data analytic services, which often open the door to opaque gathering,mining, and trading of a person’s data in ways the website owner may not understand at all - and often conflicts with commitments made to customers and website visitors.

4) “If I’m a small to medium-sized US company, there’s virtually zero chance of any enforcement action against me so I can just wait until we understand better how it’s all going to work.”

In the long term, wrong. EU regulators will likely target the larger companies, especially US tech companies, at first but GDPR allows private citizens to lodge complaints, and even bring class actions. All it will take is one disgruntled customer or employee whistle blower to spotlight someone who thought they could fly below the radar for a few years.  If your appetite for risk is voracious, you might avoid detection for a while. But if you completely ignore GDPR and get caught, the financial exposure to penalties and long-term scrutiny could be breathtaking.

Robert Cattanach, Partner, Dorsey & Whitney


Featured Articles

Broadridge study reveals huge impact of AI on C-suite

Broadridge Financial Solutions spoke to 500 C-suite executives from across the globe, many of whom said AI was significantly changing the way they work

PwC's Kathryn Kaminsky – the role of boards on social issues

As Vice Chair Trust Solutions Co-Leader at PwC, Kathryn Kaminsky says boards play an important role in helping businesses take action on social issues

Why your business needs a Chief Transformation Officer

Responsible for driving growth and change, the Chief Transformation Officer is the latest addition to the C-suite as business undergoes major change

12 top AI and ML trends for the enterprise in 2023 – Dataiku

Technology & AI

From NYC to Hong Kong, the rise of the private members' club

Leadership & Strategy

Meet the CEO: Jill Stelfox of Panzura, exclusive interview

Leadership & Strategy