Robert Cattanach is a partner at the international law firm Dorsey & Whitney. He previously worked as a trial attorney for the United States Department of Justice and was special counsel to the Secretary of the Navy. Today he practices in the areas of regulatory litigation, including cybersecurity and data breaches, privacy and telecommunications, civil and criminal enforcement proceedings, and international regulatory compliance. He has been following GDPR closely because he has been receiving calls from US businesses trying to interpret the new regulation. He outlines some common misconceptions related to GDPR.
“Some common misperceptions being heard around the US and Canada include:
“If I don’t have operations in Europe, it doesn’t apply. Wrong. Any US company offering goods or services to EU residents – i.e., anyone with a website – is likely required to comply,” Cattanach says.
“If I am covered by the GDPR I have to appoint a Data Protection Officer (DPO) in the EU. Wrong. A US company’s obligation to appoint a DPO, or even a designated representative, is a complex and highly fact-dependent analysis,” Cattanach says.
“If I’m a small to medium-sized US company, there’s virtually zero chance of any enforcement action against me, so I can just wait until we understand better how it’s all going to work. Maybe – maybe – right. EU regulators will likely target the larger companies, especially US tech companies, at first, but GDPR allows private citizens to lodge complaints, and even bring class actions. All it will take is one disgruntled customer or employee whistleblower to spotlight someone who thought they could fly below the radar for a few years. If your appetite for risk is voracious, you might avoid detection for a while. But if you completely ignore GDPR and get caught, the financial exposure to penalties and long-term scrutiny could be breathtaking,” Cattanach says.