The implementation of GDPR made headlines around the world in 2018, with companies of all shapes and sizes scrambling to comply with the new regulation. The new rules were born out of European Union law and targeted at data protection and privacy for all individual citizens of the EU and the European Economic Area (EEA).
The focus on European citizens, however, has led many North American firms to the false conclusion that the new laws do not apply to them. This misconception has placed many businesses at risk, as anyone who fails to comply with the new law is liable to pay fines of up to €20,000,000 or 4% of annual turnover. And while much of the media hype is focused on the recent fines of major brands such as British Airways, Marriott Hotels, and of course Google and Facebook, as we will see later in this article, there is a long and growing list of small businesses that are being fined by the various EU countries’ regulators, ranging from Spanish debt collection agencies to French real estate companies.
Given this potential danger, it’s crucial that businesses operating in the US and Canada learn about why the GDPR regulations may well apply to them. To help, here are three common myths surrounding GDPR.
Our company does not have any offices or employees in the EU, so GDPR does not apply to us
This is perhaps the most common myth surrounding GDPR. Although the regulation was implemented by the European Union, it applies to any business that handles the information of EU data subjects.
It is a truly global law, and any North American firm offering services to the EU market or monitoring an EU data subject’s behavior in the EU must comply with the rules. To resolve this issue, every US and Canadian firm should review its past and current management of personal data to ensure it is not wrongly handling EU citizen information.
We only retain user IDs and passwords for our EU customers, not their names, which means we don’t need to comply with GDPR
Many US and Canadian businesses falsely take this approach to user data. The GDPR’s definition of what constitutes ‘personal data’ goes beyond the name and contact details of the data subjects. In fact, any information that would allow an EU data subject to be identified falls within the scope of GDPR.
Some examples of what constitutes ‘personal data’ include location data, an identification number, or any factors specific to the genetic, economic or social identity of the person involved. Information such as IP addresses and user IDs therefore counts as personal data, even though it is often overlooked.
As such, many North American businesses may need to re-examine the data they hold on their EU customers and make sure they are securing and treating it appropriately.
Our organization is too small to ever be caught or fined under GDPR
This is another common misconception among businesses operating in North America. This belief has been propagated by media bias, which has focused on GDPR fines given to large organizations. Google, for example, was fined €50 million in January 2019 for lacking a valid legal basis to process user data for ad personalisation, as mandated by the GDPR.
Nevertheless, SMEs have also been given GDPR fines. For instance, German chat platform Knuddels.de was recently fined €20,000 for failing to prevent a breach that compromised the personal information of 330,000 users. An Austrian entrepreneur was also fined €4,800 for failing to sufficiently mark a surveillance camera outside his building that was capturing images of passers-by without their knowledge.
The various supervisory authorities in the EU have outlined their intention to disregard size or reputation when deciding to punish misconduct, focusing instead on the severity of the infringement. A North American business that mishandles personal data with inadequate safeguards is therefore likely to receive a fine, regardless of its size.
North American organizations too often fall into the trap of seeing GDPR as an EU-specific regulation, when in reality, many will be subject to the very same rules and best practices as their counterparts across the pond. By becoming more appreciative of the common fallacies listed above, US and Canadian firms will be better placed to achieve adherence and thrive in a world where EU subject data is protected by GDPR.