Since the United Kingdom left the European Union, many companies based outside the UK or EU are now legally required to appoint a UK or EU General Data Protection Regulation (GDPR) Representative. Vitally, almost all commercial organisations not based in the UK or EU must appoint a GDPR Representative, as many businesses across the globe regularly process residents’ personal data. As a result, many organisations are seeking GDPR Representation rather than opening offices in the UK or EU.
GDPR Representation is a service where a company not based in the UK or EU, which wishes to regularly use the personal data of UK or EU citizens, hires a GDPR Representative based in the country or countries where they intend to use personal data. The chosen Representative fulfils all obligations outlined in Article 27 of the GDPR.
In summary, Article 27 of the GDPR states that companies must appoint a UK or EU GDPR Representative if they are not located in the UK or EU. The Representative must be located in the country where the data subjects, whose personal data is used to offer goods and services or monitor behaviour, are located.
Thankfully organisations do not need to set up a new office and hire new staff in the UK or EU to regularly use UK and EU residents’ personal data, as hiring a GDPR Rep fulfils all Article 27 GDPR requirements.
However, it is not as simple as selecting a single Representative to handle all UK and EU GDPR responsibilities. If an organisation is not based in the UK but regularly processes the personal data of UK residents, a UK GDPR Representative must be appointed. Similarly, if an organisation is not based in the EU but regularly processes the personal data of EU residents, an EU GDPR Representative must be appointed.
Once appointed, a GDPR Representative has numerous responsibilities. For example, the Representative is required to cooperate with the relevant supervisory authorities when necessary, facilitate communication between organisations and data subjects, be accessible to data subjects in all applicable member states, and maintain a Record of Processing Activities (RoPA), in line with Article 30 of the GDPR. Furthermore, if enforcement action is necessary due to noncompliance, supervisory authorities will pursue action through the appointed GDPR Representative.
GDPR Representation has various benefits aside from being a post-Brexit legal requirement. For example, organisations gain access to large teams of data protection specialists with many years of experience in the industry. Additionally, many GDPR Representation services offer translation of requests in all major languages, ensuring that requests are properly communicated to all relevant parties.
There are several GDPR Representative services to choose from in the UK and the EU, but the service an organisation chooses will depend on their specific circumstances and requirements.
The Representative will also maintain a copy of the organisation’s RoPA. As a result, the chosen GDPR Representative service will ask organisations to review their existing RoPA for UK and EU processing. Then, the details outlined in the RoPA are used to respond to regulator enquiries or data subject queries. After the RoPA has been reviewed or established, the Representative will regularly update the RoPA to ensure ongoing compliance. In addition, the chosen GDPR Representative will receive and, where appropriate, respond to regulator requests or data subject queries, provide any necessary translation, and assist the organisation with suitable responses.
Working with a GDPR Representation service allows organisations outside of the UK and the EU to continue regularly processing the personal data of UK and EU residents without having a physical presence in the countries, resulting in significant cost-savings. In addition, the chosen GDPR Representative provides valuable expertise and advice, liaises with supervisory bodies, assists with data subject rights and maintains an organisations’ RoPA to ensure ongoing compliance, saving organisations a significant amount of time and money.