If you're a business owner on the quest to find out exactly what you need to become GDPR compliant, you've likely stumbled across services offering a GDPR or EU Representative. This requirement isn't new, but it is often overlooked. Under Article 27 of the GDPR, organisations outside the EU or the EEA that process data on EU citizens must appoint an EU representative to meet compliance.
While the need for a representative may have been previously overlooked, in July of this year, the Dutch Data Protection Authority (DDPA) issued the website Locatefamily.com, a company established outside the EU, a fine of £525,000 for failure to appoint a GDPR representative.
But what exactly do these 'EU Representative' services entail, and which businesses need a representative to achieve compliance? In this month's blog, we'll take you through exactly what you need to know.
Organisations based outside the EU or EEA that process the data of EU citizens are required to appoint an EU representative to maintain compliance under Article 27 of the GDPR. Data processing includes providing products or services to EU citizens and monitoring their online behaviour, for example for marketing or advertising purposes.
Similarly, as of the 1st of January 2021, businesses outside the UK that process data on UK citizens are also required to appoint a UK representative to meet UK-GDPR requirements.
There are, however, a couple of exceptions to this rule:
- The processing of data is occasional.
- The processing activity does not include any 'special category' data. Special category data includes, but is not limited to, any data which could reveal an individual's race, ethnicity, genetic data, or data concerning their health.
In addition to being established within the EU, a Representative acts as the point of contact between the non-EU organisation, the ICO and the individuals whose data is processed, also known as the 'data subjects'. An EU Representative should also answer any data processing queries raised by data subjects within the EU and by the ICO.
They are also responsible for maintaining records of any data processing activities carried out by the non-EU organisation and making them accessible to the relevant data protection organisation. Keeping a Record of Processing Activities (RoPA) is also a requirement under the EU & UK GDPR. Read more on this here.
Aside from these responsibilities, a good EU Representative should also know how to handle sensitive data securely, limiting the potential for data breaches, and how to recognise when a data breach has occurred. If an appointed representative is found to have been operating outside of the security requirements set out by the GDPR, the organisation which made the appointment is still liable.
Data Compliance is patchy without cyber security. That's why Naq takes care of both. Get an EU Representative, full GDPR compliance and enterprise-level cyber security in one simple monthly subscription. Take a look at our pricing here.
If your business or organisation requires the appointment of an EU Representative, there are a couple of things to bear in mind:
Whoever you appoint as your EU representative must have a good understanding of both the GDPR and local data protection laws to answer queries from both data subjects and the ICO effectively.
Appointing an EU Representative does not absolve an organisation from the other requirements outlined in the GDPR or UK-GDPR. A good EU representative should guide an organisation in ensuring the rest of their data processing efforts are compliant.
Last but not least, you must make sure your EU representative is handling the data subjects' data securely. Both the EU & UK GDPR require data handlers to be proactive in minimising the risk of a potential security breach. If your EU Representative doesn't meet this requirement and a data breach results, your organisation will still be liable for potential fines and for rectifying the situation.
Well, we're glad you asked! From the 1st of January 2021, the UK also requires non-UK based organisations to appoint a UK Representative to meet compliance under the UK-GDPR.
The requirements for appointing a UK Representative are the same as those outlined for appointing an EU Representative. The same considerations apply: a good understanding of the UK-GDPR, the ability to guide your organisation through what it requires to meet compliance, and secure data handling practices.
Naq takes care of all this and more. Get an EU or UK Representative, full business data compliance, cyber security and staff training in one affordable, monthly subscription. Take a look at our pricing plans or contact us today.