Introduction
Many things have happened over the last fifteen months that have impacted organisations: Brexit, COVID-19, employees working from home, employee departures, and so on. However, the impact of Brexit on the UK DPA 2018 and EU GDPR Article 27, and on the appointment of a UK-EU GDPR representative, has flown under the radar, leaving many organisations non-compliant with one or both pieces of legislation. UK and EU organisations are impacted because the UK is no longer a member of the European Union.
Appointing EU GDPR Representative
Under the EU GDPR, data controllers and processors outside the European Union offering goods or services to, or monitoring the behaviour of, data subjects in the European Union are mandated to appoint an EU representative. The EU representative is a local point of contact for the organisation they represent, who communicates with individuals (data subjects) and Data Protection Authorities in each member state on behalf of the organisation concerning data protection matters.
Appointing a UK DPA 2018 Representative (UK GDPR)
Under the UK DPA 2018 (known as the UK GDPR), non-UK controllers and processors located outside of the United Kingdom offering goods or services to, or monitoring the behaviour of, data subjects in the United Kingdom are mandated to appoint a UK representative. The UK representative is a local point of contact for the organisation they represent, who communicates with individuals (data subjects) and the UK Commissioner (ICO) on behalf of the organisation concerning data protection matters.
Do I have to appoint both EU and UK Representatives?
International companies outside of the EU and UK that offer goods or services to, or monitor the behaviour of, data subjects in both the UK and EU are mandated to appoint both an EU representative and a UK representative.
Can I appoint a Representative to provide EU and UK GDPR Representative services?
Yes, if the Representative has a presence in both the EU and the UK, they can provide both services, with the advantage of covering your organisation’s operations across the EU and the UK. Appointing one representative body can save budget through available discounts.
What are the duties of an EU Representative?
The EU Representative will perform the following:
- Act as a local point of contact for data subjects and supervisory authorities on all matters about the processing of personal data;
- Retain and maintain an accurate record of your processing activities (ROPA) as mandated in Article 30 of the EU GDPR and, when requested, make the ROPA available to relevant supervisory authorities;
- Facilitate communications between your organisation and data subjects;
- Facilitate communications between your organisation and the EU supervisory authorities; and
- Work with supervisory authorities on your behalf where required.
What are the duties of a UK Representative?
The UK Representative will perform the following:
- Act as the local point of contact for individuals (data subjects) and the Commissioner (ICO) on all matters about the processing of personal data;
- Retain and maintain an accurate record of your processing activities (ROPA) as mandated in Article 30 of the DPA 2018 (UK GDPR) and, when requested, make the ROPA available to the Commissioner (ICO);
- Facilitate communications between your organisation and data subjects;
- Facilitate communications between your organisation and the Commissioner (ICO); and
- Work with the Commissioner (ICO) on your behalf where required.
What must you consider when appointing an EU and a UK representative?
- Assess where you need a representative (the UK, the EU, or both), considering your current and future business operations.
- Consider whether your business foresees an expansion leading to a new market. Will you need a representative in the UK and the EU or other global regions such as Asia as a result of this?
- Find the best business option to minimise the cost of appointing representative(s) (e.g., a representative in the jurisdiction required).
- While a UK representative is relatively straightforward regarding the representative’s location, non-EU organisations will need to assess carefully when choosing where to appoint their EU representative.
- If an organisation processes data from individuals in multiple EU countries, the representative must remain easily accessible to the individuals in all those countries and must be able to communicate in the language used by the individuals and supervisory authorities of each of those countries.
- Look for representatives that allow unlimited interactions and support by phone and email.
- Constantly review your record of processing activities, update it, and send it to your representative ASAP.