On 25 May 2018, after more than six years in the pipeline, the General Data Protection Regulation, or the GDPR as it is more commonly known, became applicable across the EU.
It supersedes the EU’s Data Protection Directive of 1995 (Directive 95/46/EC) and the member state laws based on it, including the UK’s Data Protection Act (DPA) 1998. The Regulation gives individuals in the European Union more control over how their personal data is used, and places much greater responsibility on the organisations that collect, hold and process personal data.
It applies in every EU member state. The United Kingdom left the EU on 31 January 2020 and its transition period ends on 31 December 2020; from that date the EU GDPR no longer applies directly in the UK. The GDPR also reaches beyond the EU: under Article 3(2), any organisation established outside the EU that offers goods or services to people in the EU, or monitors their behaviour there, must comply with it.
Once the transition period ends, the text of the EU GDPR will be retained in UK domestic law under the UK’s EU withdrawal legislation and will be known as the UK GDPR. From that point a UK organisation is, for the EU GDPR’s purposes, an organisation established outside the EU, and it may need to appoint an EU representative under Article 27. That is what we look at in more detail in this guide.
Is your organisation established outside the EU, and does it offer goods or services to people in the EU, or monitor their behaviour there? If so, then yes, Article 27 of the GDPR requires you to designate an EU representative.
There are two situations in which this rule does not apply:
1) Your business is established in an EU member state (for example, it has an office and employees there). In that case Article 27 does not apply, because the EU supervisory authorities and data subjects can deal with that establishment directly.
2) Your processing is only occasional, does not include large-scale processing of special categories of data (such as health data) or of data about criminal convictions, and is unlikely to result in a risk to the rights and freedoms of the people concerned.
Suppose, however, that after 31 December 2020 you only deal with people based in the UK. In that case you are no longer legally required to have an EU representative, simply because from that date your customers are not in the EU.
An EU representative is a natural or legal person established in the European Union whom an organisation based outside the EU designates in writing to act on its behalf for GDPR purposes. The representative need not be an employee of your organisation; it can be an individual or a company, such as a law firm or consultancy, that offers the service.
For UK organisations, the representative’s primary role is to act as the bridge between the EU data protection supervisory authorities, the company and the people in the EU whose data is being processed. Note that the UK’s own authority, the Information Commissioner’s Office (ICO), is not the body the EU representative deals with; that will be the supervisory authority in the member state or states concerned.
They do this by:
- Maintaining a record of the organisation’s processing activities and keeping it up to date, as required by Article 30, so that it can be made available to a supervisory authority on request.
- Responding to queries from the EU supervisory authorities on the organisation’s behalf.
- Responding to queries from data subjects in the EU about the information the organisation holds on them and how it is used.
In principle, the difference between a GDPR representative and a Data Protection Officer (DPO) is clear. Article 37 of the GDPR requires a controller or processor to appoint a DPO where it is a public authority, where its core activities involve regular and systematic monitoring of data subjects on a large scale, or where its core activities involve large-scale processing of special categories of data or of data about criminal convictions. This obligation depends on the nature of the processing, not on whether the organisation has a physical presence in the EU.
The GDPR does not define what “large scale” means. However, the European data protection authorities have published guidance on the factors they weigh, such as the number of data subjects, the volume and range of data, the duration of the processing and its geographical extent. As a matter of best practice, it is worth designating a DPO voluntarily even where the Regulation does not strictly require one.
The most important thing to bear in mind about a GDPR representative’s role is that the representative is not responsible for the organisation’s compliance with the GDPR. That responsibility always rests with the organisation itself as controller or processor (the accountability principle in Article 5(2)). The DPO advises on and monitors compliance but does not carry that legal responsibility either; where no DPO has been designated, the department that controls or processes the data should own compliance internally.
Beyond this difference, there are many parallels between a DPO’s role and the role of GDPR representative.
As the situation currently stands, we do not yet know whether the United Kingdom will end the transition period on 31 December 2020 with a trade deal or without one. Understandably, many organisations are unsure about the next steps and the rules they will need to follow.
However, deal or no deal, from 1 January 2021 a UK organisation that offers goods or services to people in the EU, or monitors their behaviour there, must have an EU representative in place unless one of the exemptions above applies. It is therefore sensible to have one ready before that date.
The obligation also runs the other way. Regardless of whether the UK leaves with a deal or not, organisations not established in the United Kingdom which (1) sell products or services to individuals in the United Kingdom or (2) monitor their behaviour there will be required to appoint a UK representative under UK data protection law. This was confirmed by the UK data protection authority, the Information Commissioner’s Office, which stated that:
“The UK government intends that after the UK leaves the EU, the UK GDPR will require organisations located outside of the UK, but which still have to comply with the UK GDPR, to appoint a UK representative”.
Quite simply, if Article 27 applies to you and you have not designated an EU representative, you are in breach of the GDPR. You are not complying with a legal obligation, it is not optional, and you can be fined heavily. See the next point for more on the fines that can be levied against your business.
When setting a fine, supervisory authorities take into account the degree of responsibility the organisation has shown, including the technical and organisational measures it has put in place to meet its GDPR obligations. A business that fails to designate an EU representative not only faces a fine for that failure but may also incur further fines for non-compliance with other aspects of the GDPR. For a small or medium-sized business this can be devastating.
As well as fines, the GDPR creates civil liability: under Article 82, any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to claim compensation from the controller or processor responsible. Under Article 80 the GDPR also allows a form of collective action, in which not-for-profit bodies active in the field of data protection may bring complaints and claims on behalf of groups of data subjects.
Given this exposure to civil liability, one of the most important things a business can do now is to insure itself against these consequences. Cyber liability insurance can help to transfer the financial risk, but bear in mind that compliance with your legal obligations is normally a condition of the policy. If you have chosen not to designate a GDPR representative when you are required to have one, you risk invalidating the very cover you pay for.
For the most serious infringements the GDPR sets a maximum fine of EUR 20 million (about £18 million) or 4 per cent of total worldwide annual turnover for the preceding financial year, whichever is higher. A lower tier, with a maximum of EUR 10 million or 2 per cent of turnover, applies to other infringements, including failure to designate a representative under Article 27.
Once the UK’s transition period ends at the end of 2020, the UK GDPR and the Data Protection Act 2018 will set the corresponding maximum at £17.5 million or 4 per cent of annual global turnover, whichever is higher.
However, not every infringement of the GDPR results in a fine. Under Article 58 a supervisory authority such as the UK Information Commissioner’s Office (ICO) has a range of other corrective powers, including:
- Warnings and reprimands
- A temporary or permanent ban on processing
- Ordering the rectification, restriction or erasure of personal data
- Ordering the suspension of data flows to a recipient in a third country or to an international organisation
In September 2020, €780,800 of GDPR fines were issued by supervisory authorities, bringing the cumulative total for 2020 up to that point to €72,406,375.
Your EU representative must be a natural or legal person established in one of the EU member states in which the people whose personal data you process are located (Article 27(3)).
If, for example, you only collect data from people in Germany, your EU representative has to be established in Germany. If you collect personal data from people across the EU, you can designate a representative in any of the member states concerned.
If you have several countries to choose from, the sensible choice is the member state where you collect the most data or carry out the most extensive monitoring.
If you do not already have an EU representative, you need to appoint one before the transition period ends, so that it is in place from 1 January 2021. A separate question is the transfer of personal data from the EU/EEA to the UK once the UK is a third country: your organisation would need an appropriate transfer mechanism, such as the EU’s Standard Contractual Clauses (SCCs), in place with its EU/EEA counterparts so that personal data can keep flowing to you lawfully. Appointing a representative does not on its own satisfy this requirement.
The EU is currently assessing the United Kingdom for a data adequacy decision. If the EU adopts a positive adequacy decision by 1 January 2021, personal data can continue to move freely from the EU/EEA to the UK, as it does now, without any further action by organisations.
Any natural or legal person established in one of the EU member states may be designated as the representative of a non-EU organisation.
The representative must therefore have a business establishment or residence within the EU, and specifically in one of the member states where the data subjects whose personal data the organisation processes are located.
Because the representative is the primary point of contact for everything relating to the organisation’s processing of personal data under the GDPR, it needs to be able to deal efficiently with data subjects and to cooperate effectively with the relevant data protection supervisory authorities.
Even if you think you do not need an EU representative at the moment, think about your future business goals. Are you hoping or planning to expand into EU markets? If so, it may be worth putting plans in place sooner rather than later, in case of hold-ups or problems.
It also helps to consider the most cost-effective way of appointing an EU or UK GDPR representative. You can appoint someone in-house, but you need to make sure they are established in the right member state and kept up to date with the latest developments and legislation in data protection. Alternatively, you can outsource the role to a professional third party. This is usually a more expensive option, but it gives you someone who knows exactly what they are doing. Either way, make sure the representative is established in a member state where the people whose data you process are located.
Being able to speak the language of that member state is a useful skill to look for.
How JVR Consultancy Can Help
Here at JVR Consultancy, we offer a comprehensive EU representative service. Our EEA offices are based in Cyprus. We can also act as your external Data Protection Officer (DPO), giving you advice and support going forward. We can check that you are compliant with the latest legislation, and if there is a problem with your data protection arrangements, we can work with you to find solutions.
GDPR and data protection are things that businesses need to take seriously, whatever the outcome of Brexit. Please don’t get caught out; do something about it and contact us today.