Here at JVR Consultancy, we have a reputation as one of the United Kingdom’s most reputable and accomplished compliance advisory consultancies.
The General Data Protection Regulation, or GDPR as it is more widely known, became effective on May 25, 2018, nearly seven years after it first became a part of the legislative process in Europe.
It replaces the European Union’s Data Protection Directive 1995, as well as all member state legislation based on it – including the United Kingdom’s Data Protection Act 1998. Individuals and organisations in the European Union will have greater control over how their personal data is used as a result of the Act, which also sets significantly more duty and legislation on organisations that collect and store personal data.
It applies to all of the countries that are members of the European Union. Of course, the United Kingdom has left the EU and the General Data Protection Regulation (GDPR) is no longer effective. Any organisation based outside of the EU that sells goods or provides services to people of the EU, however, is required to comply with the GDPR laws.
On completion of the Brexit transition period, the EU General Data Protection Regulation (GDPR) will be incorporated into law by the European Union (Withdrawal Agreement) Act 2020, and will be referred to as the UK GDPR domestically. It is at this time that an organisation may require the services of an EU representative, which is what we will discuss in further detail later in this helpful book.
Is it necessary for all organisations to have an EU representative?
Is your organisation or business responsible for monitoring, or providing services and goods to, persons resident in the United Kingdom? If so, then you do, in fact, require an EU representative for the purposes of the GDPR.
There are two exemptions from this rule:
- If your company has an office and employees based in a European Union country, you are eligible to apply.
- If your company simply handles and processes data on an occasional basis, it is not done on a big scale, and the data is not sensitive and is unlikely to pose a risk or cause harm to anyone.
However, suppose you only do business with people who live in the United Kingdom after December 31st, 2020, when the United Kingdom officially withdraws from the European Union. In that case, you are no longer legally compelled to have an EU representative on your team. Having one would be completely pointless because, after that date, your customers will no longer be considered EU residents.
What exactly does a European Union representative do?
Although it is self-explanatory, an EU representative is a member of your organisation whose responsibility it is to comply with the General Data Protection Regulation. Those working on behalf of organisations based outside of the European Union must have their headquarters in the European Union.
For organisations in the United Kingdom, the major job is to serve as a link between the Information Commissioner’s Office (ICO), the organisation, and the individuals whose data is being kept.
They accomplish this through the following methods:
- It is the responsibility of the organisation or business to keep accurate and up-to-date records detailing the way data is handled.
- Responds to requests for information from the Information Commissioner’s Office.
- Responds to inquiries from the general public about the information that the organisation or corporation maintains about them (also known as “information retrieval”).
What is the difference between an EU representative and a Data Protection Officer (DPO)?
There is a significant distinction between a GDPR representative and a Data Protection Officer (DPO) in terms of theoretical implications. According to Article 37 of the General Data Protection Regulation, if a company has a physical presence in the European Union and processes “large volumes” of data or “sensitive data” relating to EU data subjects, the company is required to appoint a Data Protection Officer to oversee data processing activities.
The General Data Protection Regulation (GDPR) does not define what constitutes “large volumes” of data. Many national data protection authorities, however, have developed guidelines or representations of what they consider to be “high volumes” of data, which are based on the type of the data and the amount of time it will be received, processed, or retained. Everyone in charge of data protection should be voluntarily designated as a Data Protection Officer, as a recommended best practice.
Most importantly, while considering the function of a GDPR representative, remember that they are not accountable for the organization’s compliance with the General Data Protection Regulation (GDPR). Compliance with the General Data Protection Regulation (GDPR) is always the responsibility of the Data Protection Officer (DPO), or if no DPO has been established, the department in charge of controlling and/or processing the data.
There are other parallels between the work of a DPO and the role of GDPR representative that go beyond this distinction.
When is it necessary to nominate an EU representative?
As things stand right now, we have no way of knowing whether the United Kingdom will be leaving the European Union on December 31st, 2020, with or without a withdrawal agreement. It goes without saying that this leaves many people in the dark regarding the next measures to take and the rules that will need to be obeyed.
However, regardless of whether we have a Brexit deal or a no-deal Brexit, EU representatives must be in place if you retain data pertaining to people of the EU, unless you are exempt from the requirements outlined above. Thus, it is advisable to ensure that you have one in place and ready to use.
In addition to this, entities not established in the United Kingdom but which (1) sell products or services to individuals in the United Kingdom or (2) track their actions will be required to appoint a UK representative in order to comply with the United Kingdom data protection law, regardless of whether the UK leaves the EU with a deal or not. This was validated by the United Kingdom Data Protection Authority (also known as the Office of the Information Commissioner), which stated that:
‘After the United Kingdom leaves the European Union, the UK GDPR will require organisations that are based outside of the United Kingdom but must adhere to its provisions to establish a representative in the United Kingdom,’ according to the government.
What are the risks and obligations involved with not having a representative from the European Union on your team?
Simply put, if you conduct business within the European Union and do not have an EU representative, you are in violation of the General Data Protection Regulation (GDPR). This indicates that you are in violation of the law — that you are not complying with your legal responsibilities. It is not optional, and failure to comply can result in a significant fine. Read on for additional information regarding the fines that can – and will – be assessed against your company, which we will cover in our next section.
When assessing fines, consideration is given to the extent of responsibility demonstrated by the organisation in the technological and organisational measures it has put in place to comply with GDPR regulations. Businesses that fail to appoint an EU representative not only risk incurring significant fines as a result of their failure to do so, but they also risk incurring additional fines for non-compliance with several sections of the GDPR. This can have a disastrous effect on small and medium-sized firms.
The GDPR, in addition to fines, establishes civil liability for businesses, under which any individual who suffers significant or non-material loss as a result of a violation of the GDPR has the right to seek compensation from the company responsible for the damage. As part of its class action provisions, the GDPR offers a mechanism for non-profit organisations to bring legal action against corporations on behalf of large groups of customers.
Given the potential for civil liability for violations of the General Data Protection Regulation, one of the most critical things that businesses can do right now is to insure themselves against these ramifications. However, while cyber liability insurance can be used to limit company risks, it is important to remember that your responsibility to comply with legal requirements is implicit in your insurance policy. As a result of your decision not to appoint a GDPR representative for your firm, you are more than likely invalidating the insurance you pay to protect you against that risk.
What penalties have been imposed on corporations in the United Kingdom for violating the General Data Protection Regulation (GDPR)?
In the event of a violation of the GDPR, a maximum fine of EUR 20 million (about £18 million) or 4 percent of annual global revenue – whichever is larger – is imposed.
Once the Brexit transition period in the United Kingdom concludes at the end of 2020, the GDPR and Data Protection Act of 2018 in the United Kingdom will establish a maximum penalty of $17.5 million, or 4 percent of annual global revenue, for any violation of the GDPR and Data Protection Act of 2018.
However, not all GDPR violations result in financial penalties for data security. Supervisory authorities, such as the Information Commissioner’s Office (ICO) in the United Kingdom, may take a number of additional actions, such as:
- Warnings and reprimands are issued.
- Data processing is prohibited either temporarily or permanently.
- Requesting the correction, restriction, or erasure of personal information
- Transfers of personal data to third parties in the vicinity have been suspended.
In September 2020, a total of €780,800 in fines was levied throughout the world. This resulted in a total of €72,406,375 in cumulative revenue up to that date in 2020.
How to choose an EU representative for your organisation
It is possible for your EU representative to be any individual who is based in the EU Member State from which you collect personal information.
If you collect information from data subjects in a country such as Germany, for example, your EU representative must be based in that country too. But if you get personal data from the EU as a whole, you have the option of nominating representatives in any member state of the European Union.
If you have a choice between multiple countries, it is advisable to choose the one in which you collect the most data or conduct the most extensive monitoring and evaluation.
Appointing an EU representative prior to Brexit is a good idea.
In the event that you do not already have an EU representative in place, you must appoint one before Brexit takes effect on January 1st 2021. To ensure that personal information continues to flow legally from your EU/EEA counterparts, your organisation would need to implement an appropriate transfer method, such as Standard Contractual Clauses (SCCs).
The European Union is conducting a data adequacy assessment of the United Kingdom. Consider the following scenario: the EU grants a positive adequacy decision by January 1, 2021. In that case, without organisations having to take any action, personal data will continue to flow freely from the EU/EEA to the United Kingdom in the same manner as it does now, with no restrictions.
Who is eligible to serve as an EU Representative?
It is possible for any natural or legal person residing in one of the EU Member States to be appointed as a non-EU company representative.
The representative’s place of business or personal residence must be located within the European Union. It is also necessary for the representative’s residency to be in one of the EU Member States where the data subjects whose personal data is being processed by the business are situated.
In order to fulfil their role as the primary point of contact for everything relating to the organization’s processing of personal data under the GDPR, the representative must interact with data subjects in a timely manner and comply with the requirements of the applicable data protection supervisory authorities.
What factors should you take into account when hiring an EU and/or a UK representative?
Even if you believe you do not require the services of an EU representative at this time, consider your long-term company objectives. Are you seeking to or intending to develop your business into the European Union markets? You should make preparations as soon as possible if this is something you plan on doing in the near future, in case there are any delays or difficulties.
It is also worth thinking about the most cost-effective approach to designating either an EU or a UK GDPR representative. While hiring someone in-house is an option, you must ensure that they are up to date on the newest news, advancements, and regulations pertaining to data privacy. Alternatively, you might contract with a competent third party to complete the task for you. This is a more expensive alternative, but it ensures that you are working with someone who is very knowledgeable in their field. Once again, make certain that they are based in the jurisdiction from where you are collecting data. Understanding and speaking the local language is a valuable talent to have and should be sought after.
What JVR Consultancy Can Do to Assist You
The EU representative service that we provide here at JVR Consultancy is extremely extensive. Our European Economic Area offices are located in Cyprus. As an added service, we can serve as your external Data Protection Officer (DPO), providing you with guidance and support in the future. It is possible for us to ensure that you are in compliance with the most recent regulations, and in the event that there is an issue with your data security, we can work with you to discover solutions to the problem.
GDPR and data privacy are issues that businesses must take seriously – please don’t let yourself be taken advantage of; take action today by contacting the team
Frequently Asked Questions from our Customers
Yes, we can. We can assist you with any of the accreditations featured on our website. We have a 100% record of securing any of the accreditations in the first audit for all our customers for the last 13 years.
More to the point, I ask clients how quickly can you start. We can have a consultant working on your accreditation within the hour if you are ready. The only things that take time are the audit dates, these are issued to the client by the certification body so it is out of our control.
This depends on how much the client has in place already. The more they have, the easier it becomes to work on their accreditation. The gap analysis that we carry out is free of charge and afterwards will give you an exact fixed price.
The fixed price will include the following –
- Carry out all the work (creating documents & processes tailored to your company).
- Attend the audit (as your expert consultant) or make the desktop submission.
- Make any corrections that the auditor may highlight to ensure that you obtain your accreditation at the first audit.
Initially, we need to talk to you to carry out the free gap analysis. Afterwards, we would require you to forward all the relevant documents. After that, we can complete the work with the minimum of your input, leaving you to concentrate on doing what you do best for the company.
Yes! Let us Manage your Accreditations with Ongoing Support and Maintenance. With us managing your accreditations, your team can then focus on business growth and development. This gives you peace of mind knowing your compliance is being routinely managed by professionals. Ongoing support and maintenance avoids panic in your business when suddenly faced with an audit, knowing at all times you are well prepared.
Achieve Accreditation and Compliance with JVR
JVR Consultancy was formed in the year 2008 and their head office is based in Windsor and Maidenhead. We noticed that there was a gap in the market, for companies who work in the construction, rail, utilities, oil and gas sector who were not fully supported in the way that they could be when it came to industry compliance and certification. That is why our highly experienced team of compliance consultants can serve these sectors by providing over 135 years of combined experience with all compliance needs. In short, you won’t find anyone else who cares as much, or who tries as hard as we do.
Speak with one of our experienced consultants. At JVR, we know that time is precious, and you want the answers to your questions quickly, especially during an audit! Once we speak with you for the first time over the phone, we need around 10 minutes to fully evaluate which accreditation you need support with and to get a brief introduction to you and your company.
Our consultants have an extensive level of experience in developing solutions and offering guidance for our clients and their businesses. We offer a free GAP analysis, which will help to assess the difference between your business performance and your goals. It’s a fantastic way for you to find out if your business needs are met, and if they aren’t, it gives you the insight and confidence you need to deliver improvement before an audit. Learn more about what Gap Analysis is and how the report will benefit you.
With a success rate of 100% and a team who will go above and beyond to make sure that your expectations are met, you know that you can trust in us to provide you with the knowledge, resources and expertise you need to make a difference. Contact us today to find out more.
To identify the objectives and benefits that are needed to achieve your desired level of compliance, we offer a FREE, no-obligation Gap Analysis. Our analysis will assess your current systems and documentation. Just start your journey by filling in the form below, and one of our specialists will contact you (typically within one working day) to make arrangements.