When Do Businesses Need EU Representatives?


Since GDPR (General Data Protection Regulation) was implemented in 2018, businesses in the UK and its EU partners have had to adapt quickly. And since the UK officially left the bloc on 1 January 2020, the UK government has had to implement its own style of GDPR laws and regulations. Businesses around the UK and in Europe are still trying to adapt to the change in data protection laws, which is still proving difficult to comprehend and manage.

This implementation of UK GDPR specifically has had a profound effect on how organisations conduct business on the continent, and many are still confused as to when they’re supposed to deploy an EU representative.

In this article, we’ll discuss what GDPR is and its implications, who EU and UK representatives are and what they do, and when businesses need to appoint a UK/EU GDPR representative.

What is GDPR?

The reason businesses need EU representatives now is down to GDPR. GDPR refers to a set of data protection regulations that were brought into law by the EU back in 2018. GDPR was spurred by many factors that were widely discussed at the time, including how big corporations were using the private data of citizens to better their own ends. The foundational notion of GDPR was to recognise data as part of individual sovereignty, and to put the rights of individuals and their data before businesses.

GDPR replaced the Data Protection Directive (DPD) and the UK Data Protection Act of 1989. GDPR has shone a new light on data, reflecting how data is to be viewed as a human right and a fundamental part of each person, in essence no different from any other personal possession. The main goal of GDPR is to protect personal data and the rights of the individuals whose data is being collected, processed and stored by the businesses that handle it. GDPR gives new legal rights and more transparency to individuals in the context of their data.

When do businesses need EU representatives?

Businesses must have a GDPR representative working for them whenever they collect, process or store individuals’ data on a large scale within the EU if they don’t have a physical presence on the continent.

Article 27 within GDPR states that EU representation is required for all non-European companies that handle the personal information of EU data subjects but do not have a physical presence within any of the member states which make up the EU. Interestingly, businesses that are public authorities or process low-risk data only occasionally are exempt from needing an EU representative.

For UK businesses in particular, the UK’s departure from the bloc has meant new implications for continuing to do business in the EU. Since many of them still wish to operate within the EU, they’ve now found themselves in urgent need of an EU representative so that they can continue to conduct business.

If this is you, you’ll need to authorise a representative, in writing, to act on your behalf. This’ll be an individual or a group of individuals responsible for keeping your business GDPR compliant, and they’ll deal with supervisory authorities or data subjects. You’ll be required to provide the details of your EU representative to the EEA-based (European Economic Area) individuals whose data you process in your operations.

Your EU representative must also be easily accessible by the supervisory authorities. You can begin this process by publishing their details on your website.

And while this may all seem daunting, the process of enacting and deploying an EU representative can begin as simply as including data subjects in your privacy notice, or by telling them upfront whenever you’re about to collect their data, for example when collecting emails.

What is an EU representative and what do they do?

The important job of an EU representative is to act on behalf of businesses that operate within the EU and handle large amounts of data belonging to EU data subjects.

The individual or party appointed by the business to act on its behalf must be able to represent the business with regard to its data protection obligations within the EEA. They show that the business is compliant, and they act as a direct point of contact between the business, its data subjects and regulatory authorities. In other words, they’re the voice of the business, protecting its interests and showing that it remains compliant with GDPR law.

Here are the main tasks and duties of EU representatives:

  • Acting as the first, direct point of contact for businesses and EU supervisory authorities.
  • Sending and receiving legal documents and important information.
  • Acting as an authorised agent that can respond to enquiries that supervisory authorities or data subjects have with regard to data processing.
  • Creating data processing records that remain available to supervisory authorities.
  • Being subject to enforcement proceedings if an organisation is non-compliant with GDPR regulations.

