On May 25th 2018, after almost seven years in the pipeline, the General Data Protection Regulations, or the GDPR as it is more commonly known, was put into place.
It supersedes the EU’s Data Protection Directive 1995 and all member state law based on it – including the UK’s DPA (Data Protection Act) 1998. The act gives individuals and organisations within the European Union more control over how their personal data is used, and places much more responsibility and legislation on organisations that process and hold personal data.
It covers all of the countries within the European Union. Of course, the United Kingdom is set to leave the EU on December 31st, 2020, and as of then, the GDPR will no longer apply. However, any organisation based outside of the EU that offers goods or services to EU residents must also adhere to the GDPR regulations.
Once the UK has completed the Brexit transition period, the EU GDPR will be enacted in law under the European Union (Withdrawal Agreement) Act 2020, and domestically will be known as the UK GDPR. At that point, an organisation may need an EU representative, and this is what we are going to look at in more detail in this useful guide
Does your organisation or business monitor or provide services and goods to people residing in the United Kingdom? If you do, then yes, you need an EU representative for GDPR purposes.
There are two exemptions to this rule:
1) If your business has an office and employees based in a European Union country
2) If your business only occasionally handles and processes data, it is not done on a large scale, and the data is not sensitive and unlikely to cause risk or harm to someone.
However, suppose you only deal with UK based residents, after the December 31st 2020 when the UK officially breaks away from the European Union. In that case, you are no longer legally required to have an EU representative. This entirely is mere because, after that date, your customers are not EU residents.
It is pretty self-explanatory, but an EU representative is a person in your organisation whose role is to work within the GDPR guidelines. They need to be based in the European Union and work on behalf of organisations based outside of the EU.
For UK organisations, the primary role is to act as the bridge between the Information Commissioner’s Office (ICO), the company and the people whose data is being held.
They do this by:
- Maintaining and updating records regarding the way the organisation or business handles data.
- Responds to queries from the Information Commissioner’s Office
- Responds to queries from the public regarding the information that the organisation or business holds on them
Theoretically, the difference between a GDPR representative and a Data Protection Officer (DPO) is very clear. Where a business has a physical presence within the EU and processes “large volumes” of data or “sensitive data” relating to EU data subjects, it is required, in accordance with Article 37 of the General Data Protection Regulation, to appoint a Data Protection Officer.
GDPR does not specify what constitutes “large volumes” of data. However, many national data protection agencies have produced guidelines or representations of what they consider to be “large volumes” based on the nature of the data and the length of time it will be obtained, processed or held. As a recommended best practice, all organisations should voluntarily designate a Data Protection Officer.
The most important thing to bear in mind about a GDPR representative’s role is that they are not responsible for the organisation’s compliance with GDPR. Compliance with the GDPR is always the task of the Data Protection Officer (DPO), or, if one has not been designated– the department in charge of controlling and/or processing the data.
Beyond this difference, there are many parallels between a DPO’s role and the role of GDPR representative.
As the situation currently stands, we do not yet know if the United Kingdom will be leaving the European Union on December 31st 2020 with a deal or not. Of course, this means many are unsure about the next steps and the laws that will need to be followed.
However, whether we have a Brexit deal or a no-deal Brexit, EU representatives MUST be in place if you hold data belonging to residents in the EU unless you exclude the points mentioned above. Hence, it is a good idea to make sure you have one in place ready.
As well as this. Regardless of whether the UK leaves the EU with a deal or not, entities not established in the United Kingdom but which sell products or services to individuals in the United Kingdom or (2) track their actions will be required to appoint a UK representative to comply with the United Kingdom data protection law. This was confirmed by the UK Data Protection Authority (i.e. the Office of the Information Commissioner) which claimed that:
“The UK government intends that after UK leaves the EU, the UK GDPR will require organisations located outside of the UK, but which still have to comply with the UK GDPR, to appoint a UK representative”.
Quite simply, if you do business within the European Union and you do not have an EU representative, you are in breach of the GDPR. This means that you are breaking the law – you are not complying with your legal obligations. It is not optional, and you can be fined – heavily. See our next point for more information about the fines that can be – and will be levied against your business.
The extent of responsibility displayed by the organisation regarding the technical and organisational measures it has put in place to meet GDPR legislation is taken into account when levying fines. Businesses that do not designate an EU representative not only face large fines for not doing so but may also incur other fines for non-compliance of different aspects of GDPR. For small to medium-sized businesses, this can be devastating.
As well as fines, the GDPR introduces civil liability for undertakings in which any person who has incurred material or non-material harm as a result of a violation of the GDPR has the right to claim compensation from the enterprise for the damage suffered. The GDPR also establishes a form of class action scheme where non-profit entities may take legal action against companies on behalf of groups of customers.
Given the vulnerability to civil liability for violations of GDPR, one of the most important things that businesses can do now is to insure themselves against these consequences. Although cyber liability insurance can be used to mitigate the business risk, it should be kept in mind that your responsibility to comply with your legal requirements is implied in your insurance contract. If you have chosen not to designate a representative of GDPR for your company, you are more than likely invalidating the very insurance you pay to protect you from that risk.
The GDPR imposes a maximum fine of EUR 20 million (about £18 million) or 4 per cent of the annual global revenue – whichever is higher – for violations.
Once the United Kingdom Brexit transition finishes at the end of 2020, the UK GDPR and Data Protection Act of 2018 will set a maximum fine of $17.5 million of 4% of the annual global revenue.
However, not all breaches of GDPR result in fines for data security. Supervisory authorities such as the UK Information Commissioner’s Office (ICO) may take a variety of other steps, including:
- Warnings and reprimands
- Temporary or permanent ban on the processing of data
- Ordering the correction, restriction or deletion of data
- Suspension of data transfers to neighbouring parties
In September 2020, €780,800 was handed out in fines across the world. This made for a cumulative total of €72,406,375 up to that point in 2020.
Your EU representative may be any individual based in the EU Member State from which you collect personal data.
If you collect information from data subjects in, for example, Germany, your EU representative has to be based in Germany. However, if you obtain personal data from the EU as a whole, you can nominate a representative in any EU Member State.
If you have several countries to choose from, it is best to select the one you collect the most data or perform the most comprehensive monitoring.
If you do not already have an EU representative in place, you need to get one in place before Brexit, on January 1st 2021. Your organisation would need to provide an appropriate transfer process, such as the Standard Contract Clauses (SCCs) in place for EU/EEA counterparts, to guarantee that you can keep personal information flowing legally from them.
The EU is undertaking a data adequacy assessment of the United Kingdom. Suppose the EU grants positive adequacy decisions by January 1st 2021. In that case, personal data will continue to move freely from the EU/EEA to the United Kingdom, as it does now, without any action by the organisations.
Any natural or legal individual residing in one of the EU Member States may be named a non-EU company representative.
The representative must have a business or personal residence within the EU. The representative’s residence must also be in one of the EU Member States, where the data subjects whose personal data the business processes are located.
As the representative functions as the primary contact person for everything relating to the processing of personal data by the organisation under the GDPR, they need to interact efficiently with the data subjects and comply effectively with the applicable data protection supervisory authorities.
Even if you think you do not need an EU representative at the moment, think about your future business goals. Are you hoping to or planning to expand into the EU markets? If this is something that you are hoping to do in the near future, it may be worth putting plans into place sooner rather than later, in case of hold-ups or problems.
It would also help if you considered the most cost-effective way of appointing either an EU or a UK GDPR representative. Of course, you can hire someone in-house, but you need to make sure they are up to speed with the latest news, developments and legislation around data protection. Alternatively, you can outsource the task to a professional third-party. This is a more expensive option, but it ensures that you have someone who knows exactly what they are doing. Again, make sure they are based in the jurisdiction that you collect data from.
Being able to speak the language of the country is a useful skill to look out for.
How JVR Consultancy Can Help
Here at JVR Consultancy, we offer a comprehensive EU representative service. Our EEA offices are based in Cyprus. We can also act as your external Data Protection Officer (DPO), giving you advice and support in the future. We can check that you are compliant in the latest legislation, and if there is a problem with your data security, we can work with you to find solutions.
GDPR and data protection are things that businesses need to take seriously, whatever the outcome with Brexit. Please don’t get caught out; do something about it contact us today
Frequently Asked Questions from our Customers
Yes we can, we can assist you with any of the accreditation featured on our website. We have a 100% record of securing any of the accreditation in the first audit for all our customers for the last 13 years.
More to the point, I ask clients how quickly can you start. We can have a consultant working on your accreditation within the hour if you are ready. The only things that take time are the audit dates, these are issued to the client by the certification body so it is out of our control.
This depends on how much the client has in place already. The more they have, the easier it becomes to work on their accreditation. The gap analysis that we carry out is free of charge and afterwards will give you an exact fixed price.
The fixed price will include the following –
- Carry out all the work ( creating documents & processes tailored to your company )
- Attend the audit ( as your expert consultant ) or make the desktop submission.
- Make any corrections that the auditor may highlight to ensure that you obtain your accreditation the first audit.
Initially, we need to talk to you to carry out the free gap analysis. Afterwards, we would require you to forward all the relevant documents. After that, we can complete the work with the minimum of your input, leaving you to concentrate on doing what you do best for the company.
Yes! Let us Manage your Accreditations with Ongoing Support and Maintenance. With us managing your accreditations, your team can then focus on business growth and development. This gives you peace of mind knowing your compliance is being routinely managed by professionals. Ongoing support and maintenance avoids panic in your business when suddenly faced with an audit, knowing at all times you are well prepared.
Achieve Accreditation and Compliance with JVR
JVR Consultancy was formed in the year 2008. We noticed that there was a gap in the market, for companies who work in the construction, rail, utilities, oil and gas sector who were not fully supported in the way that they could be when it came to industry compliance and certification. That is why our highly experienced team of compliance consultants can serve these sectors by providing over 135 years of combined experience with all compliance needs. In short, you won’t find anyone else who cares as much, or who tries as hard as we do.
Speak with one of our experienced consultants. At JVR, we know that time is precious, and you want the answers to your questions quickly. Once we speak with you for the first time over the phone, we need around 10 minutes to fully evaluate which accreditation you need support with and a brief introduction into you and your company.
Managing Director at JVR Consultancy, Steven Sandhu, is passionate and committed to supporting his clients within their chosen Compliance accreditation. With over 15 years of experience across multiple compliance industries, Steven prides himself on delivering 100% accreditation success for his clients, mixed with a passion for providing excellence by understanding the goals and the needs of his clients’ businesses. All this, combined with his strong breadth of skills and knowledge by routinely researching industry requirements changes and introducing new regulated requirements
Request your Gap Analysis Report
Our consultants have an extensive level of experience in developing solutions for our clients. We offer a free GAP analysis, which will help to assess the difference between your business performance and your business goals. It’s a fantastic way for you to find out if your business needs are met, and if they aren’t, it gives you the insight you need. Learning more about what is Gap Analysis and how will the report benefit you.
With a success rate of 100% and a team who will go above and beyond to make sure that your expectations are met, you know that you can trust in us to provide you with the knowledge, resources and expertise you need to make a difference. Contact us today to find out more.
To identify the objectives that are needed to achieve your desired certification, we offer a FREE, no-obligation Gap Analysis. Our analysis will assess your current systems and documentation. Just start the process by filling in the form below, and one of our specialists will contact you (typically within one working day) to make arrangements.
More reasons to choose JVR Consultancy for Compliance & Risk Management