Here are four key misconceptions surrounding the impact of the newly implemented GDPR regulations in Europe on US companies:
1) “If I don’t have operations in Europe, it doesn’t apply.”
Wrong. Any US company offering goods or services to EU residents - i.e. anyone with a website - is likely required to comply.
2) “If I am covered by the GDPR I have to appoint a Data Protection Officer (DPO) in the EU.”
Wrong. A US company’s obligation to appoint a DPO, or even a designated representative, is a complex and highly fact-dependent analysis.
4) “If I’m a small to medium-sized US company, there’s virtually zero chance of any enforcement action against me so I can just wait until we understand better how it’s all going to work.”
In the long term, wrong. EU regulators will likely target the larger companies, especially US tech companies, at first, but the GDPR allows private citizens to lodge complaints, and even to bring class actions. All it will take is one disgruntled customer or employee whistleblower to spotlight someone who thought they could fly below the radar for a few years. If your appetite for risk is voracious, you might avoid detection for a while. But if you completely ignore the GDPR and get caught, the financial exposure to penalties and long-term scrutiny could be breathtaking.
Robert Cattanach, Partner, Dorsey & Whitney