Photo by Sora Shimazaki from Pexels

Since the United Kingdom left the European Union, many companies based outside the UK or EU are now legally required to appoint a UK or EU General Data Protection Regulation (GDPR) Representative. Vitally, almost all commercial organisations not based in the UK or EU must appoint a GDPR Representative, as many businesses across the globe regularly process residents’ personal data. As a result, many organisations are seeking GDPR Representation rather than opening offices in the UK or EU.

What is GDPR Representation?

GDPR Representation is a service where a company not based in the UK or EU, which wishes to regularly use the personal data of UK or EU citizens, hires a GDPR Representative based in the country or countries where they intend to use personal data. The chosen Representative fulfils all obligations outlined in Article 27 of the GDPR.

What Are The Laws Around GDPR Representation?

In summary, Article 27 of the GDPR states that companies must appoint a UK or EU GDPR Representative if they are not located in the UK or EU. The Representative must be located in the country where the data subjects, whose personal data is used to offer goods and services or monitor behaviour, are located.

Why Do Businesses Need A GDPR Rep?

Thankfully, organisations do not need to set up a new office and hire new staff in the UK or EU to regularly use UK and EU residents’ personal data, as hiring a GDPR Rep fulfils all Article 27 GDPR requirements.

However, it is not as simple as selecting a single Representative to handle all UK and EU GDPR responsibilities. If an organisation is not based in the UK but regularly processes the personal data of UK residents, a UK GDPR Representative must be appointed. Similarly, if an organisation is not based in the EU but regularly processes the personal data of EU residents, an EU GDPR Representative must be appointed.

What are the responsibilities of a GDPR Representative?

Once appointed, a GDPR Representative has numerous responsibilities. For example, the Representative is required to cooperate with the relevant supervisory authorities when necessary, facilitate communication between organisations and data subjects, be accessible to data subjects in all applicable member states, and maintain a Record of Processing Activities (RoPA), in line with Article 30 of the GDPR. Furthermore, if enforcement action is necessary due to noncompliance, supervisory authorities will pursue action through the appointed GDPR Representative.

GDPR Representation has various benefits aside from being a post-Brexit legal requirement. For example, organisations gain access to large teams of data protection specialists with many years of experience in the industry. Additionally, many GDPR Representation services offer translation of requests in all major languages, ensuring that requests are properly communicated to all relevant parties.

How To Find The Right GDPR Representative

There are several GDPR Representative services to choose from in the UK and the EU, but the service an organisation chooses will depend on their specific circumstances and requirements.

Once an organisation has chosen the best-suited GDPR Representation service, the service will provide a suitable Representative to fulfil all obligations outlined in Article 27 of the GDPR. Furthermore, they will comply with the UK and EU GDPR by providing an office in the UK and all EU member states where relevant. Additionally, by providing relevant establishment details, organisations can publish an EU privacy policy and use a local physical address, email address and telephone number. Finally, a GDPR Representation service provides translation services to handle GDPR matters in all major EU languages.

What happens next?

Once an organisation locates a suitable GDPR Representative service, the chosen organisation will start the process by undergoing a comprehensive onboarding phase. This will likely involve reviewing the organisation’s privacy policy to ensure the correct contact information is provided, which allows the relevant people and organisations to contact the new GDPR Representative if necessary. The Representative’s contact details must be clearly visible and easily accessible, as data subjects and regulators may wish to contact them at any time.

The Representative will also maintain a copy of the organisation’s RoPA. As a result, the chosen GDPR Representative service will ask organisations to review their existing RoPA for UK and EU processing. Then, the details outlined in the RoPA are used to respond to regulator enquiries or data subject queries. After the RoPA has been reviewed or established, the Representative will regularly update the RoPA to ensure ongoing compliance. In addition, the chosen GDPR Representative will receive and, where appropriate, respond to regulator requests or data subject queries, provide any necessary translation, and assist the organisation with suitable responses.

In Summary

Working with a GDPR Representation service allows organisations outside of the UK and the EU to continue regularly processing the personal data of UK and EU residents without having a physical presence in the countries, resulting in significant cost savings. In addition, the chosen GDPR Representative provides valuable expertise and advice, liaises with supervisory bodies, assists with data subject rights and maintains an organisation’s RoPA to ensure ongoing compliance, saving organisations a significant amount of time and money.