Close this search box.

Uxpected Impacts of Europe’s GDPR on US Companies Both Over and Under Stated

Share This Post

Robert Cattanach is a partner at the international law firm Dorsey & Whitney. He has previously worked as a trial attorney for the United States Department of Justice and was also special counsel to the Secretary of the Navy. Today he practices in the areas of regulatory litigation, including cybersecurity and data breaches, privacy and telecommunications, civil and criminal enforcement proceedings and international Regulatory Compliance. He has been following this closely as he has been receiving calls from US businesses who are trying to interpret the new regulation. He outlines some common misconceptions related to GDPR.
“Some common misperceptions being heard around the US and Canada include:
“If I don’t have operations in Europe, it doesn’t apply.  Wrong. Any US company offering goods or service to EU residents – i.e.anyone with a website – is likely required to comply,” Cattanach says.
“If I am covered by the GDPR I have to appoint a Data Protection Officer (DPO) in the EU.  Wrong.  A US company’s obligation to appoint a DPO, or even a designated representative, is a complex and highly fact-depedent analysis,” Cattanach says.
“If I am not covered by GDPR I don’t have to update my Privacy Policy. Wrong.  A lot has happened in the US since companies started adopting boilerplate Privacy Policies without really understanding what they were committing to do, and not to do.  Regardless of whether you are covered by GDPR, basic principles of good information governance mandate a careful look at your privacy policy and terms of use on your website.  The biggest risk: overstating who you share your data with.  Virtually all websites employ third-party data analytic services, which often open the door to opaque gathering,mining, and trading of a person’s data in ways the website owner may not understand at all – and often conflicts with commitments made to customers and website visitors,” Cattanach says.
“If I’m a small to medium-sized US company, there’s virtually zero chance of any enforcement action against me so i can just wait until we understand better how its all going to work. Maybe – maybe – right.  EU regulators will likely target the larger companies, especially US tech companies, at first but GDPR allows private citizens to lodge complaints, and even bring class actions.  All it will take is one disgruntled customer or employee whistle blower to spotlight someone who thought they could fly below the radar for a few years.  If your appetite for risk is voracious, you might avoid detection for a while.  But if you completely ignore GDPR and get caught, the financial exposure to penalties and long-term scrutiny could be breathtaking,” Cattanach says.

Subscribe To Our Newsletter

Get updates and learn from the best

Latest Blog Articles