John McVeigh

Common GDPR Pitfalls for US Companies Expanding into Europe

As US companies set their sights on European markets, navigating the complexities of the General Data Protection Regulation (GDPR) becomes a critical challenge. While the opportunities in Europe are vast, the consequences of non-compliance can be severe. This article explores the most common GDPR mistakes made by US companies and offers guidance on how to avoid them.


Underestimating the Scope of GDPR

Many US companies mistakenly believe that GDPR only applies to businesses with a physical presence in Europe. In reality, GDPR's reach extends to any company processing the personal data of EU or UK residents, regardless of the company's location.


John McVeigh, founder of ASSUREMORE and GDPR specialist, warns: "We often see US companies assuming they're exempt from GDPR because they don't have an EU office. This misconception can lead to serious compliance issues down the line."

To avoid this pitfall:

  • Conduct a thorough assessment of your data processing activities

  • Determine if you're offering goods or services to EU or UK residents or monitoring their behaviour

  • Consult with GDPR experts to understand your specific obligations


Inadequate Consent Mechanisms

GDPR sets a high bar for consent, requiring it to be freely given, specific, informed, and unambiguous. Many US companies fall short by using pre-ticked boxes, bundling consent for multiple purposes, or burying consent in lengthy terms and conditions.


Best practices for consent:

  • Use clear, plain language in consent requests

  • Separate consent for different data processing activities

  • Make it as easy to withdraw consent as it is to give it

  • Retain clear records of obtained consent


Neglecting Data Subject Rights

GDPR grants EU and UK residents extensive rights over their personal data, including the right to access, rectify, erase, and port their data. US companies often struggle to implement efficient processes to handle these requests within the required timeframe.


To address this:

  • Develop clear procedures for handling data subject requests

  • Train staff on recognising and processing these requests

  • Implement technology solutions to automate and streamline the process

  • Ensure you can provide data in a machine-readable format for portability requests


Overlooking the Need for a GDPR Representative

Companies based in the USA without an establishment in the EU/UK are required by Article 27 of GDPR to appoint a GDPR representative in the UK and in one of the EU member states where they have data subjects. This crucial requirement is frequently overlooked.


McVeigh notes, "Appointing a GDPR representative as per Article 27 isn't just about compliance; it's about having a local point of contact who understands the nuances of European data protection laws. However, US companies should first determine if they're considered 'established' in the EU/UK, which may exempt them from this requirement."

Steps to take:

  • Determine if you need a GDPR representative

  • Choose a representative with expertise in European data protection laws

  • Ensure the representative is easily accessible to European data subjects and authorities


Insufficient Data Protection Impact Assessments (DPIAs)

DPIAs are mandatory for high-risk data processing activities, yet many US companies either neglect to conduct them or perform them inadequately.


To improve DPIA practices:

  • Identify processing activities that require a DPIA

  • Involve your Data Protection Officer (DPO) or privacy team in the assessment

  • Document the DPIA process and outcomes thoroughly

  • Use the DPIA to inform your data protection strategies


Inadequate Data Breach Response Plans

GDPR requires companies to report certain types of data breaches to the relevant supervisory authority within 72 hours. Many US companies are unprepared for this tight timeline.


To enhance breach readiness:

  • Develop and regularly test a comprehensive data breach response plan

  • Establish clear communication channels for swift reporting

  • Train employees on breach identification and reporting procedures

  • Consider using breach simulation exercises to test your readiness


Neglecting Privacy by Design and Default

GDPR mandates that data protection be built into systems and processes from the ground up, not added as an afterthought. US companies often struggle with this proactive approach.


Implementing privacy by design:

  • Integrate data protection considerations into all new projects and systems

  • Conduct privacy impact assessments at the early stages of product development

  • Ensure default privacy settings are at the highest level

  • Regularly review and update privacy measures in existing systems


Misunderstanding International Data Transfers

The EU-U.S. Data Privacy Framework, adopted on 10 July 2023, has created a new landscape for international data transfers. Whilst this framework provides a mechanism for transferring personal data from the EU to certified U.S. organisations without additional safeguards, companies must approach it with caution.


McVeigh advises, "Whilst the new EU-U.S. Data Privacy Framework offers some relief, companies should view it as a potentially temporary solution. Given the history of previous frameworks being invalidated and current legal challenges, it's prudent to maintain alternative compliance mechanisms."

Key Considerations for Data Transfers:

  • U.S. service providers need to be certified under the Framework and published on the U.S. Department of Commerce list.

  • Assess third-country transfers: If U.S. service providers use subcontractors in other countries, these may require additional safeguards.

  • Maintain backup compliance measures: Given the current legal challenges to the Framework, consider maintaining Standard Contractual Clauses (SCCs) as a fallback option.


Inadequate Vendor Management

Under GDPR, companies are responsible for ensuring their vendors (data processors) are compliant. Many US companies fail to properly vet and manage their EU/UK data processors.


Improving vendor management:

  • Conduct due diligence on all vendors processing EU/UK personal data

  • Implement robust Data Processing Agreements

  • Regularly audit vendors' GDPR compliance

  • Maintain a register of all data processors


Overlooking Employee Data

While focusing on customer data, US companies often neglect the GDPR implications for employee data, especially in the context of employees based in Europe or remote workers.


Addressing employee data compliance:

  • Review HR data processing activities for GDPR compliance

  • Ensure proper consent or legal basis for processing employee data

  • Provide clear privacy notices to employees

  • Implement appropriate safeguards for international transfers of employee data


Conclusion

Navigating GDPR compliance is a complex but essential undertaking for US companies expanding into Europe. By being aware of these common pitfalls, including the often-overlooked Article 27 requirement for GDPR representatives, and taking proactive steps to address them, US businesses can not only avoid penalties but also build trust with their European customers and partners.


Remember, GDPR compliance is an ongoing process, not a one-time effort. Stay informed about regulatory changes, regularly review your compliance posture, and be prepared to adapt your practices as necessary.


References:

European Commission. (2018). "General Data Protection Regulation (GDPR)". https://gdpr.eu/

Information Commissioner's Office. (2021). "Guide to the General Data Protection Regulation (GDPR)". https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/

European Data Protection Board. (2020). "Guidelines 3/2018 on the territorial scope of the GDPR (Article 3)". https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32018-territorial-scope-gdpr-article-3-version_en

Court of Justice of the European Union. (2020). "Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18)". https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN

The Data Privacy Framework Program (DPF).

ASSUREMORE. (2024). "GDPR Compliance Services". https://www.assuremore.com/gdpr

International Association of Privacy Professionals. (2022). "GDPR Genius". https://iapp.org/resources/article/gdpr-genius/

